3912 matches found
CVE-2026-33506
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...
CVE-2026-33758
A flaw was found in OpenBao. Installations that have an OIDC/JWT authentication method enabled with a role configured to use callbackmode=direct are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker to access the token used by an...
CVE-2026-33757
A flaw was found in OpenBao. A missing prompt for user confirmation when logging in via the JWT/OIDC authentication method with a role configured to use callbackmode=direct allows an attacker to initiate an authentication request and perform a "remote phishing" attack by tricking an authenticated...
CVE-2026-33757
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...
CVE-2026-33758
CVE-2026-33758 affects OpenBao before 2.5.2. When OIDC/JWT auth is enabled and a role has callback_mode=direct, an XSS flaw exists in the error_description parameter during failed authentication, enabling access to the token used in the Web UI. The issue is fixed in v2.5.2; mitigation is to remov...
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2026-33758
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2026-33758
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...
CVE-2026-33757
OpenBao (before 2.5.2) is vulnerable to a login flow issue when using JWT/OIDC with a role whose callback_mode is direct: no user confirmation is prompted, enabling remote phishing by auto-logging in to the attacker’s session. Version 2.5.2 adds a confirmation screen for direct logins to require ...
EUVD-2026-16624
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...
CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...
CVE-2026-33757
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...
OESA-2026-1734 pyOpenSSL security update
pyOpenSSL is a rather thin wrapper around a subset of the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library. Security Fixes: A security vulnerability exists in the PyOpenSSL library's...
OESA-2026-1733 pyOpenSSL security update
pyOpenSSL is a rather thin wrapper around a subset of the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library. Security Fixes: A security vulnerability exists in the PyOpenSSL library's...
OESA-2026-1732 pyOpenSSL security update
pyOpenSSL is a rather thin wrapper around a subset of the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library. Security Fixes: A security vulnerability exists in the PyOpenSSL library's...
OESA-2026-1731 pyOpenSSL security update
pyOpenSSL is a rather thin wrapper around a subset of the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library. Security Fixes: A security vulnerability exists in the PyOpenSSL library's...
OESA-2026-1730 pyOpenSSL security update
pyOpenSSL is a rather thin wrapper around a subset of the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library. Security Fixes: A security vulnerability exists in the PyOpenSSL library's...