17 matches found
CVE-2026-44166
PocketBase suffers an account pre-hijacking vulnerability via OAuth2 unverified→verified autolinking. An attacker who knows a victim's email can pre-create and link an unverified PocketBase user by authenticating with an OAuth2 provider (e.g., A). When the victim later signs up with a different pr...
aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
CVE-2026-34456
The CVE concerns Reviactyl, an open-source game server management panel (Laravel/React stack). From version 26.2.0-beta.1 to before 26.2.0-beta.5, the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses, enabling an attacker to create or...
Improper Authentication
ZITADEL is vulnerable to Improper Authentication. The vulnerability is due to improper enforcement of organization login policies during the federation auto-linking process, which allows an attacker to authenticate through a disabled identity provider and link their external identity to an existi...
GHSA-J4G7-V4M4-77PX ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
Summary A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. Impact This vulnerability stems from the...
CVE-2025-64717
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding Id...
CVE-2025-64717
Summary of CVE-2025-64717 (ZITADEL): A flaw in ZITADEL’s federation/auto-linking during authentication allows linking an external IdP user to an existing internal user when the IdP is deactivated or not permitted for the organization. This can enable an unauthenticated account takeover, unless MF...
CVE-2025-64717 ZITADEL vulnerable to Account Takeover with deactivated Instance IdP
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding Id...
CVE-2023-28331
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk...
UBUNTU-CVE-2023-28331
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk...
cmark-gfm resource management error vulnerability
cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version with canonical Markdown syntax. A resource management error vulnerability exists in versions prior to cmark-gfm 0.29.0.gfm.6, which stems from a polynomial time complexity issue in the...
PT-2023-21654 · Alt Linux · Alt Linux
Name of the Vulnerable Software and Affected Versions: Database auto-linking filter, affected versions not specified. Description: The issue arises from the database auto-linking filter's output requiring additional sanitizing to prevent a cross-site scripting (XSS) risk. This implies that without...
GitLab: Claiming package names in GitLab's automatic package referencer.
Hi team, GitLab has a pretty neat feature that auto-links packages to their respective registry. The problem is that GitLab currently assumes that packages have been uploaded to a registry by default. For example, if no homepage key is pointing to GitLab in a package.json file, GitLab assumes tha...