51 matches found

RedhatCVE
added 2026/03/07 7:59 a.m. | 6 views

CVE-2026-28428

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVSS 5.3 | AI score 5.7 | EPSS 0.00171
Exploits: 1 | References: 1

OSV
added 2026/03/06 4:59 a.m. | 5 views

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVSS 5.3 | AI score 5.7 | EPSS 0.00171
Exploits: 1 | References: 4

Cvelist
added 2026/03/06 4:59 a.m. | 26 views

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVSS 5.3 | EPSS 0.00171
Exploits: 1 | References: 2

Vulnrichment
added 2026/03/06 4:59 a.m. | 1 view

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVSS 5.3 | AI score 5.7 | EPSS 0.00171
Exploits: 1 | References: 2

CVE
added 2026/03/06 4:59 a.m. | 6 views

CVE-2026-28428

Talishar is affected by an authentication bypass in its game endpoint validation. Before commit a9c218e, a loose string comparison allowed an empty authKey (authKey=) to be treated as valid, enabling unauthenticated users to perform authenticated actions such as sending chat messages and submitti...

CVSS 5.3 | AI score 5.8 | EPSS 0.00171
Exploits: 1 | References: 2 | Affected Software: 1

CNNVD
added 2026/03/06 12:00 a.m. | 3 views

Talishar authorization issue vulnerability

Talishar is an open-source game client developed by Talishar. Previous versions of Talishar had vulnerabilities related to authorization. These vulnerabilities stemmed from authentication bypasses, allowing unverified attackers to execute authenticated game operations by providing an empty authKe...

CVSS 5.3 | AI score 5.9 | EPSS 0.00171
Exploits: 1 | References: 2

RedhatCVE
added 2026/01/09 10:41 a.m. | 3 views

CVE-2022-35508

Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox...

CVSS 9.8 | AI score 7 | EPSS 0.00688
Exploits: 1 | References: 1

OSV
added 2025/11/12 10:15 p.m. | 1 view

AZL-70079 CVE-2025-40187 affecting package kernel for versions less than 6.6.117.1-1

In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey returns 0, then the variable ai_ev remains zero and the zero will be...

AI score 5.6 | EPSS 0.00058
Exploits: 0 | References: 1

NVD
added 2025/11/12 10:15 p.m. | 1 view

CVE-2025-40187

In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey returns 0, then the variable ai_ev remains zero and the zero will be...

EPSS 0.00058
Exploits: 0 | References: 8

CVE
added 2025/11/12 9:56 p.m. | 12 views

CVE-2025-40187

CVE-2025-40187 affects the Linux kernel SCTP implementation. The issue is a possible NULL pointer dereference in net/sctp during disposition handling (sctp_disposition; sctp_sf_do_5_1D_ce) when new_asoc->peer.adaptation_ind==0 and sctp_ulpevent_make_authkey==0, and sctp_ulpevent_make_authkey()...

AI score 6.1 | EPSS 0.00058
Exploits: 0 | References: 8

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-21934

Malware in sbrugna...

CVSS 6.1 | AI score 6.2 | EPSS 0.0024
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-6997

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.5 | EPSS 0.03166
Exploits: 1 | References: 3

Positive Technologies
added 2025/10/02 12:00 a.m. | 1 view

PT-2025-46744

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A flaw exists in the Linux kernel's SCTP (Socket Control Transport Protocol) implementation. Specifically, a null dereference can occur within the sctp disposition function, specifically...

CVSS 3.8 | AI score 7.3 | EPSS 0.00058
Exploits: 0

RedhatCVE
added 2025/05/22 4:22 p.m. | 2 views

CVE-2020-29572

app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field...

CVSS 6.1 | AI score 5.8 | EPSS 0.0024
Exploits: 0

RedhatCVE
added 2025/03/22 12:24 p.m. | 4 views

CVE-2024-12433

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the serve...

CVSS 9.8 | AI score 7.6 | EPSS 0.03166
Exploits: 1 | References: 1

NVD
added 2025/03/20 10:15 a.m. | 4 views

CVE-2024-12433

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the serve...

CVSS 9.8 | EPSS 0.03166
Exploits: 1 | References: 2

Vulnrichment
added 2025/03/20 10:10 a.m. | 6 views

CVE-2024-12433 Remote Code Execution in infiniflow/ragflow

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the serve...

CVSS 9.8 | AI score 9.5 | EPSS 0.03166
Exploits: 1 | References: 2

CVE
added 2025/03/20 10:10 a.m. | 40 views

CVE-2024-12433

CVE-2024-12433 affects infiniflow/ragflow v0.12.0. The RPC server uses a hard-coded AuthKey (authkey=b'infiniflow-token4kevinhu') and deserializes incoming data with pickle.loads() on connection.recv(), enabling remote code execution. Fixed in v0.14.0. A PoC/proof-of-concept is available in publi...

CVSS 9.8 | AI score 9.5 | EPSS 0.03166
Exploits: 1 | References: 2 | Affected Software: 1

Huntr
added 2024/10/19 1:27 a.m. | 3 views

Remote Code Execution via Pickle Deserialization with Hard-Coded AuthKey in RPC Server

Description RagFlow implements an RPC server using Python's native multiprocessing package. It fully understands the use of AuthKey to access and control the group communication when applying multiprocessing for network conditions via socket, but the current implementation hard-coded the AuthKey ...

CVSS 9.8 | AI score 9.8 | EPSS 0.03166
Exploits: 1

Tenable Nessus
added 2024/06/26 12:00 a.m. | 43 views

ThroughTek Kalay P2P SDK Improper Access Control (CVE-2021-28372)

ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). This could result in an attacker hijacking a victim's connection and forcing them into supplying credentials needed to access the...

CVSS 8.3 | AI score 8.1 | EPSS 0.00906
Exploits: 1 | References: 3