CVE-2022-31142

@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750,...

acmer (>=0.0.1 <=0.0.16), auth-proxy (>=0.0.3 <=0.1.1) +413 more potentially affected by unknown CVE via aws-sdk-sso (>=0.10.1 <=0.9.0)

aws-sdk-sso CARGO version =0.10.1, =0.0.1, =0.0.3, =0.2.36, =0.0.18, =0.0.42, =0.0.14, =0.5.1, =0.0.1, =0.0.24, =0.0.1, =0.1.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.24.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...

pnpm vulnerable to Command Injection via environment variable substitution

Summary A command injection vulnerability exists in pnpm when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution RCE in build environments...

CVE-2025-61782

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint /auth/saml/callback. By manipulating the RelayState parameter, an attacker can...

Origin validation error vulnerability in Fujitsu Security Solution AuthConductor Client Basic V2

Overview Fujitsu Security Solution AuthConductor Client Basic V2 provided by Fujitsu Client Computing Limited contains the following vulnerability. Origin validation error CWE-346 - CVE-2026-20893 MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the...

EUVD-2026-1113

Malicious code in okta-auth-js npm...

Malicious Package

Overview okta-auth-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-91 Malicious code in okta-auth-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0d2189b5df6091ef38c2619c0ed24b8814459b769da6b646901bb0d1987a440 The package okta-auth-js was found to contain malicious code. Source: ghsa-malware 65d7548ce9f766315a32892d8f9588740b8fab7cc50443598ea65e8e0ce9b2ab A...

Exploit for CVE-2025-14857

CVE-2025-14847 MongoBleed - PoC Funcional Exploração de V...

PT-2026-7016

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1., 2. before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, tha...

PT-2026-29133

Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.24.2 Description FreeRDP is a free implementation of the Remote Desktop Protocol. An unvalidated auth length field read from the network triggers a WINPR ASSERT failure in the rts read auth verifier no checks...

PT-2026-4484

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The libceph component in the Linux kernel contains a flaw where an out-of-bounds read could occur in the handle auth done function. This is due to a missing bounds check on the payload l...

PT-2026-28368

Name of the Vulnerable Software and Affected Versions Dovecot versions prior to 2.4.3 Description If the auth username chars setting is empty, an attacker can inject arbitrary LDAP filters into Dovecot's LDAP authentication process. This can bypass restrictions and allow probing of the LDAP...

PT-2026-28336

Name of the Vulnerable Software and Affected Versions Dovecot affected versions not specified Description Dovecot’s SQL-based authentication mechanism can be bypassed when the auth username chars setting is cleared by an administrator. This allows an attacker to bypass authentication for any user...

CVE-2025-15398 Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack...

EUVD-2025-206083

Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NOLISTEXEPATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration,...

CVE-2025-69202

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignori...

SUSE-SU-2025:4532-1 Security update for apache2-mod_auth_openidc

This update for apache2-modauthopenidc fixes the following issues: - Update to 2.4.17.1 bsc1248806 / PED-14130. - Remove many patches, as they've been merged upstream...

CVE-2025-15105

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key . Remote exploitation of the attack...

CVE-2025-15106 getmaxun Authentication Endpoint auth.ts router.get improper authorization

A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploi...