23 matches found
CVE-2026-4363
GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisio...
CVE-2026-4363
CVE-2026-4363 affects GitLab EE: versions 18.1–before 18.8.7, 18.9–before 18.9.3, and 18.10–before 18.10.1 are impacted due to improper caching of authorization decisions. This could allow an authenticated user to gain unauthorized access to resources. GitLab has released patches; upgrading to 18...
GHSA-8M3C-C723-H4P4 django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferredusername as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...
CVE-2025-65431
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferredusername as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for...
org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions...
EUVD-2025-29537
Malicious code in bioql PyPI...
CVE-2025-41249
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by...
DEBIAN-CVE-2025-41249
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by...
CVE-2021-41230
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...
PT-2025-51216
Name of the Vulnerable Software and Affected Versions allauth-django versions prior to 65.13.0 Description An issue exists in allauth-django where Okta and NetIQ were utilizing the preferred username value as an identifier for third-party provider accounts. This value is mutable and should not be...
RHEL 8 : polkit (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - polkit: Improper handling of user with uid INTMAX leading to authentication bypass CVE-2018-19788 - In...
CVE-2022-43939 Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented...
Hitachi Vantara Pentaho Business Analytics Server Security Vulnerability
Hitachi Vantara Pentaho Business Analytics Server is a modern data blending, integration, and business analytics platform from Hitachi, Ltd Hitachi, Japan. A security vulnerability exists in Hitachi Vantara Pentaho Business Analytics Server that arises from the use of non-canonical URL paths for...
Security Bulletin: A vulnerability in Polkit affects PowerKVM
Summary PowerKVM is affected by a vulnerability in Polkit. IBM has now addressed this vulnerability. Vulnerability Details CVEID: CVE-2019-6133 DESCRIPTION: PolicyKit could allow a remote attacker to bypass security restrictions, caused by the lack of uid checking in...
JBoss: custom authorization module implementations shared between applications
Red Hat JBoss Enterprise Application Platform EAP before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control...