460 matches found
CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...
CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...
CVE-2026-7571
Keycloak vulnerability CVE-2026-7571 allows a low-privilege user with knowledge of user credentials and client ID to bypass a security control that disables implicit flow in OpenID Connect clients. By manipulating forged client data during a session restart, an attacker can obtain an access token...
CVE-2026-7571
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...
External Control of Assumed-Immutable Web Parameter
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login sessi...
PT-2026-41881
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A security control intended to disable the implicit flow in OpenID Connect OIDC clients can be bypassed. A low-privilege user with knowledge of user credentials and client ID can manipulate...
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket
Impact Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time. This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties...
SUSE-SU-2026:1360-1 Security update for tigervnc
This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...
SUSE-SU-2026:1303-1 Security update for tigervnc
This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...
Security update for tigervnc
This update for tigervnc fixes the following issues: CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...
SUSE-SU-2026:1301-1 Security update for tigervnc
This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...
SUSE-SU-2026:1252-1 Security update for tigervnc
This update for tigervnc fixes the following issues: - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871...
openSUSE 16 Security Update : tigervnc (openSUSE-SU-2026:20465-1)
The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20465-1 advisory. - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871 Tenable has...
PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
Impact Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages. Additionally, the property name is logged without any length limitations or sanitization, whic...
Protection Mechanism Failure
github.com/envoyproxy/envoy is vulnerable to Protection Mechanism Failure. The vulnerability is due to accepting and forwarding client data before a successful 2xx response in TCP proxy mode, which allows an attacker to cause desynchronization when upstream proxies reject the CONNECT request...
CVE-2026-24308
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential producti...
CVE-2025-67733 Valkey Affected by RESP Protocol Injection via Lua error_reply
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...
CVE-2025-67733 Valkey Affected by RESP Protocol Injection via Lua error_reply
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...
pydantic-ai 跨站脚本漏洞
Pydantic-ai is a generative AI framework developed by Pydantic for building production-level applications and workflows. Versions of pydantic-ai from 1.34.0 to 1.51.0 had a cross-site scripting vulnerability. This vulnerability stemmed from path traversal in the Web UI, which could allow attacker...
EUVD-2026-5335
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...