Lucene search
K

42 matches found

OSV
OSV
added 2026/06/30 9:34 p.m.6 views

USN-8487-1 curl vulnerabilities

Andrew Nesbitt discovered that curl could reuse an existing live connection during STARTTLS-based connection upgrades even when the TLS configuration did not match. A remote attacker could possibly use this issue to cause curl to use an unintended TLS configuration. CVE-2026-8286 Muhamad Arga...

9.8CVSS6.1AI score0.0108EPSS
Exploits10References11
Ubuntu
Ubuntu
added 2026/06/30 9:34 p.m.8 views

USN-8487-1: curl vulnerabilities

Andrew Nesbitt discovered that curl could reuse an existing live connection during STARTTLS-based connection upgrades even when the TLS configuration did not match. A remote attacker could possibly use this issue to cause curl to use an unintended TLS configuration. CVE-2026-8286 Muhamad Arga...

9.8CVSS6.1AI score0.0108EPSS
Exploits10
NVD
NVD
added 2026/06/22 2:17 p.m.11 views

CVE-2026-9162

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

4.3CVSS0.00202EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-46705

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth...

5.3CVSS5.6AI score0.00218EPSS
Exploits0References2
OSV
OSV
added 2026/06/10 10:17 p.m.6 views

DEBIAN-CVE-2026-46705

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSHMSGUSERAUTHREQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user nam...

5.3CVSS5.4AI score0.00218EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 10:17 p.m.13 views

CVE-2026-46705

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSHMSGUSERAUTHREQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user nam...

5.3CVSS0.00218EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 8:21 p.m.32 views

CVE-2026-46705 russh server userauth state is not reset when authentication principal changes

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSHMSGUSERAUTHREQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user nam...

5.3CVSS0.00218EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 8:21 p.m.27 views

CVE-2026-46705

The vulnerability CVE-2026-46705 affects russh (Rust SSH client/server) versions 0.34.0-beta.1 through before 0.61.0. The server’s authentication path retained russh-owned state (e.g., remaining methods, partial_success, and in-progress state) across SSH_MSG_USERAUTH_REQUEST messages when the use...

5.3CVSS5.4AI score0.00218EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.21 views

Russh 授权问题漏洞

Russh is a Rust SSH client and server library developed by Eugene as a personal project. In versions of Russh from 0.34.0-beta.1 to 0.61.0, there was an authorization vulnerability. This vulnerability stemmed from the server authentication path not separating the internal authentication state whe...

5.3CVSS5.3AI score0.00218EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.12 views

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS5.5AI score0.0023EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/05 3:59 p.m.6 views

Cross-site Scripting (XSS)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Cross-site Scripting XSS in the password reset. An attacker can execute arbitrary JavaScript in the context of the application by crafting a malicious password reset link and convincing a victim to follow it. This...

6.1CVSS5.3AI score0.00262EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/29 7:39 p.m.18 views

russh server userauth state is not reset when authentication principal changes

Summary The russh server authentication path keeps internal userauth state across SSHMSGUSERAUTHREQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/29 6:28 p.m.30 views

CVE-2026-4387

StrongDM Desktop Application prior to 23.74.0 (Desktop Client before 53.77.0) stores authentication state in cleartext in a per-user file C:\Users.sdm\state.kv, exposing a JSON Web Token and asymmetric key material. Access requires local read to the user profile and additional deployment/executio...

2CVSS5.9AI score0.00132EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 6:28 p.m.32 views

CVE-2026-4387 Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

2CVSS0.00132EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.13 views

PT-2026-45018

Name of the Vulnerable Software and Affected Versions Russh versions 0.34.0-beta.1 through 0.60.x Description The server authentication path in the Russh library fails to separate internal user authentication state when the request principal changes across SSH MSG USERAUTH REQUEST messages...

5.3CVSS5.5AI score0.00218EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/01 2:15 p.m.7 views

CVE-2026-31773

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state The legacy responder path in smprandom currently labels the stored STK as authenticated whenever pendingseclevel is BTSECURITYHIGH. That reflects what the...

8.8CVSS5.7AI score0.00282EPSS
Exploits0References9Affected Software1
NVD
NVD
added 2026/04/28 7:37 p.m.5 views

CVE-2026-41916

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through...

5.4CVSS0.00215EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/28 6:10 p.m.4 views

CVE-2026-41916 OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through...

5.4CVSS5.2AI score0.00215EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/28 6:10 p.m.5 views

EUVD-2026-26122

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through...

5.4CVSS5.2AI score0.00215EPSS
Exploits0References3
CVE
CVE
added 2026/04/28 6:10 p.m.10 views

CVE-2026-41916

OpenClaw vulnerability CVE-2026-41916 affects the OpenClaw npm package prior to 2026.4.8. The issue is an authentication state management flaw where the resolvedAuth closure becomes stale after a configuration reload, causing newly accepted gateway connections to continue using an outdated authen...

5.4CVSS5.3AI score0.00215EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder