CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

147 matches found

EUVD-2026-38155

A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function getredirectresponsefromopenid of the file litellm/proxy/managementendpoints/uisso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack is possible to be carri...

6.5CVSS6.2AI score

Exploits0References5

EUVD•added 2026/06/12 2:27 a.m.•7 views

EUVD-2026-36380

Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover...

8CVSS7.4AI score0.0012EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:47 p.m.•7 views

CVE-2026-9245

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions...

5CVSS5.5AI score0.00169EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:45 p.m.•5 views

CVE-2026-31052

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component...

5.3CVSS5.5AI score0.00541EPSS

Exploits0References1

NVD•added 2026/06/02 5:16 p.m.•10 views

CVE-2026-42073

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...

6.5CVSS0.00199EPSS

Exploits1References3

EUVD•added 2026/05/28 4:31 p.m.•7 views

EUVD-2026-32952

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP...

5.8AI score0.002EPSS

Exploits0References1

NVD•added 2026/05/22 4:16 p.m.•11 views

CVE-2026-9245

5CVSS0.00169EPSS

Exploits0References1

ATTACKERKB•added 2026/05/22 3:24 p.m.•7 views

CVE-2026-9245

5CVSS5.8AI score0.00169EPSS

Exploits0References2Affected Software1

EUVD•added 2026/05/22 3:24 p.m.•10 views

EUVD-2026-31459

5CVSS5.8AI score0.00169EPSS

Exploits0References1

Vulnrichment•added 2026/05/22 3:24 p.m.•7 views

CVE-2026-9245

5.8AI score0.00169EPSS

Exploits0References1

Cvelist•added 2026/05/22 3:24 p.m.•7 views

CVE-2026-9245

0.00169EPSS

Exploits0References1

CVE•added 2026/05/22 3:24 p.m.•27 views

CVE-2026-9245

CVE-2026-9245 describes an improper input validation vulnerability in the external authentication provider flow of Devolutions Server. An unauthenticated remote attacker can coerce victims of Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier to be redirected to an attacker‑con...

5CVSS5.8AI score0.00169EPSS

Exploits0References1Affected Software1

Positive Technologies•added 2026/05/22 12:0 a.m.•8 views

PT-2026-42791

5.8AI score0.00169EPSS

Exploits0References1

Github Security Blog•added 2026/05/21 8:35 p.m.•8 views

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Summary Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the...

5.9AI score0.00037EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/05/21 12:0 a.m.•8 views

PT-2026-42526

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT SSL VERIFYPEER to false and not setting CURLOPT SSL VERIFYHOST when issuing outbound HTTPS requests for outbound HTTPS requests issued during the login/authentication flow. An attacker...

8.2CVSS5.9AI score0.00205EPSS

Exploits0References4

CVE•added 2026/05/20 5:51 p.m.•13 views

CVE-2026-2813

ArcGIS Server (affected: ArcGIS Server 11.5) has a client-side input validation weakness in the login redirection workflow. A authenticated attacker could send a crafted request that may cause the browser to be redirected to an unintended, untrusted site, resulting in a limited confidentiality im...

4.7CVSS5.6AI score0.003EPSS

Exploits0References1Affected Software1

RedHat Linux•added 2026/05/20 11:23 a.m.•8 views

org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which...

7.5CVSS5.8AI score0.00409EPSS

Exploits0References4