Lucene search
K

460 matches found

Cvelist
Cvelist
added 2026/05/19 11:1 a.m.39 views

CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS0.00344EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/19 11:1 a.m.9 views

CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References4
CVE
CVE
added 2026/05/19 11:1 a.m.70 views

CVE-2026-7571

Keycloak vulnerability CVE-2026-7571 allows a low-privilege user with knowledge of user credentials and client ID to bypass a security control that disables implicit flow in OpenID Connect clients. By manipulating forged client data during a session restart, an attacker can obtain an access token...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/19 11:1 a.m.14 views

CVE-2026-7571

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/19 10:50 a.m.10 views

External Control of Assumed-Immutable Web Parameter

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login sessi...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.12 views

PT-2026-41881

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A security control intended to disable the implicit flow in OpenID Connect OIDC clients can be bypassed. A low-privilege user with knowledge of user credentials and client ID can manipulate...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/15 7:43 p.m.8 views

PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket

Impact Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time. This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties...

5.8AI score
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/15 2:10 p.m.10 views

SUSE-SU-2026:1360-1 Security update for tigervnc

This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...

9.8CVSS5.8AI score0.00247EPSS
Exploits0References3
OSV
OSV
added 2026/04/13 4:2 p.m.2 views

SUSE-SU-2026:1303-1 Security update for tigervnc

This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...

9.8CVSS5.8AI score0.00247EPSS
Exploits0References3
SUSE Linux
SUSE Linux
added 2026/04/13 4:2 p.m.3 views

Security update for tigervnc

This update for tigervnc fixes the following issues: CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

7CVSS5.8AI score0.00247EPSS
Exploits0References4
OSV
OSV
added 2026/04/13 4:1 p.m.3 views

SUSE-SU-2026:1301-1 Security update for tigervnc

This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...

9.8CVSS5.8AI score0.00247EPSS
Exploits0References3
OSV
OSV
added 2026/04/10 11:36 a.m.2 views

SUSE-SU-2026:1252-1 Security update for tigervnc

This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...

9.8CVSS5.8AI score0.00247EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/04/10 12:0 a.m.7 views

openSUSE 16 Security Update : tigervnc (openSUSE-SU-2026:20465-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20465-1 advisory. - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871 Tenable has...

9.8CVSS5.9AI score0.00247EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/06 10:54 p.m.7 views

PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket

Impact Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages. Additionally, the property name is logged without any length limitations or sanitization, whic...

5.9AI score
Exploits0References5Affected Software1
Veracode
Veracode
added 2026/03/26 12:26 p.m.6 views

Protection Mechanism Failure

github.com/envoyproxy/envoy is vulnerable to Protection Mechanism Failure. The vulnerability is due to accepting and forwarding client data before a successful 2xx response in TCP proxy mode, which allows an attacker to cause desynchronization when upstream proxies reject the CONNECT request...

5.3CVSS5.9AI score0.00282EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/07 9:16 a.m.3 views

CVE-2026-24308

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential producti...

7.5CVSS5.7AI score
Exploits0References2
Cvelist
Cvelist
added 2026/02/23 7:39 p.m.25 views

CVE-2025-67733 Valkey Affected by RESP Protocol Injection via Lua error_reply

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...

8.5CVSS0.00586EPSS
Exploits0References1
OSV
OSV
added 2026/02/23 7:39 p.m.6 views

CVE-2025-67733 Valkey Affected by RESP Protocol Injection via Lua error_reply

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...

8.5CVSS5.7AI score0.00586EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/06 12:0 a.m.6 views

pydantic-ai 跨站脚本漏洞

Pydantic-ai is a generative AI framework developed by Pydantic for building production-level applications and workflows. Versions of pydantic-ai from 1.34.0 to 1.51.0 had a cross-site scripting vulnerability. This vulnerability stemmed from path traversal in the Web UI, which could allow attacker...

7.1CVSS5.8AI score0.00324EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/04 9:29 p.m.7 views

EUVD-2026-5335

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS5.3AI score0.00267EPSS
Exploits0References3
Rows per page
Query Builder