3946 matches found

EUVD
added 2026/03/10 9:3 p.m., 0 views

EUVD-2026-10824

Feathers has an OAuth Callback Account Takeover issue...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1
EUVD
added 2026/03/10 9:3 p.m., 1 views

EUVD-2026-10825

Feathers has an OAuth Callback Account Takeover issue...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1
OSV
added 2026/03/10 9:3 p.m., 3 views

GHSA-WG9X-QFGW-PXHJ Feathers has an OAuth Callback Account Takeover issue

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empt...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 3
Github Security Blog
added 2026/03/10 9:3 p.m., 2 views

Feathers has an OAuth Callback Account Takeover issue

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empt...

CVSS 9.8 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 3 | Affected software: 1
NVD
added 2026/03/10 8:16 p.m., 2 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.8 | EPSS 0.0008
Exploits: 0 | References: 1
Vulnrichment
added 2026/03/10 8:6 p.m., 1 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1
OSV
added 2026/03/10 8:6 p.m., 2 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 3
Cvelist
added 2026/03/10 8:6 p.m., 24 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | EPSS 0.0008
Exploits: 0 | References: 1
ATTACKERKB
added 2026/03/10 8:6 p.m., 2 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 2 | Affected software: 2
CVE
added 2026/03/10 8:6 p.m., 11 views

CVE-2026-29792

Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant's session/state is empty, allowing an attacker to drive enti...

CVSS 9.8 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1 | Affected software: 1
NVD
added 2026/03/10 5:40 p.m., 4 views

CVE-2026-30920

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...

CVSS 8.6 | EPSS 0.00011
Exploits: 1 | References: 1
NVD
added 2026/03/10 5:38 p.m., 2 views

CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVSS 7.1 | EPSS 0.00017
Exploits: 0 | References: 2
OSSF Malicious Packages
added 2026/03/10 8:31 a.m., 4 views

Malicious code in @web-monorepo/fetchers (npm)

Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86 The package...

AI score 5.8
Exploits: 0 | References: 1
OSV
added 2026/03/10 8:31 a.m., 1 views

MAL-2026-1318 Malicious code in @web-monorepo/fetchers (npm)

Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86 The package...

AI score 5.8
Exploits: 0 | References: 1
CNNVD
added 2026/03/10 12:0 a.m., 3 views

Pocket ID Input Validation Error Vulnerability

Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID from 2.0.0 to 2.4.0 had a vulnerability related to input validation errors. This vulnerability stemmed from defects in the callback URL validation process, which could lead to the...

CVSS 7.1 | AI score 7.3 | EPSS 0.00017
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/10 12:0 a.m., 0 views

PT-2026-24639

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empt...

CVSS 9.3 | AI score 5.8
Exploits: 0 | References: 3
CNNVD
added 2026/03/10 12:0 a.m., 2 views

SUSE kubewarden Security Vulnerability

SUSE Kubewarden is a policy engine developed by the German company SUSE. There is a security vulnerability in Kubewarden, which allows attackers with specific permissions to deploy policies using deprecated host callback APIs. This vulnerability may lead to the reading of Ingresses, Namespaces, a...

CVSS 4.3 | AI score 7.2 | EPSS 0.00036
Exploits: 0 | References: 4
ATTACKERKB
added 2026/03/09 10:23 p.m., 2 views

CVE-2026-29773

Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden's promises is that configured users can deploy namespaced policies in a safe manner,...

CVSS 4.3 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 4 | Affected software: 1
OSV
added 2026/03/09 10:23 p.m., 1 views

CVE-2026-29773 kubewarden-controller cross-namespace data exfiltration via deprecated host callback binding

Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden's promises is that configured users can deploy namespaced policies in a safe manner,...

CVSS 4.3 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 5
CVE
added 2026/03/09 10:23 p.m., 6 views

CVE-2026-29773

Technical details for CVE-2026-29773 are not provided in the connected documents. The available materials mention read-only access via deprecated APIs but do not specify affected versions, fixes, or explicit exploit details.

CVSS 4.3 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 3 | Affected software: 1