Lucene search
K

76 matches found

EUVD
EUVD
added 2 days ago7 views

EUVD-2026-40009

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::statekey of the file src/query/service/src/servers/http/v1/session/clientsessionmanager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is...

6.5CVSS6.2AI score0.0022EPSS
Exploits0References7
NVD
NVD
added 3 days ago8 views

CVE-2026-13512

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::statekey of the file src/query/service/src/servers/http/v1/session/clientsessionmanager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is...

6.5CVSS0.0022EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago22 views

CVE-2026-13512 Databend Tenant client_session_manager.rs state_key authorization

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::statekey of the file src/query/service/src/servers/http/v1/session/clientsessionmanager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is...

6.5CVSS0.0022EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-53168

Name of the Vulnerable Software and Affected Versions Databend versions prior to 1.2.882 Description An authorization bypass exists in the HTTP Tenant Handler component. The issue resides in the ClientSessionManager::state key function within the src/query/service/src/servers/http/v1/session/clie...

6.5CVSS6.7AI score0.0022EPSS
Exploits0References9
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: smb: Client: Fixed issue where reference counting of @ses was missed. Use the new cifssmbsesincrefcount helper function to obtain an active reference to @ses and @ses-dfsrootses if set. This will prevent @ses-dfsrootses from...

5.3AI score0.00155EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/10 5:38 p.m.10 views

org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.4AI score0.00295EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33439

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

9.8CVSS6.1AI score0.1049EPSS
Exploits2References1
NVD
NVD
added 2026/04/07 9:17 p.m.3 views

CVE-2026-33439

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

9.8CVSS0.1049EPSS
Exploits2References1
Cvelist
Cvelist
added 2026/04/07 8:46 p.m.15 views

CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

9.3CVSS0.1049EPSS
Exploits2References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 8:46 p.m.6 views

CVE-2026-33439

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

10CVSS7.7AI score0.99999EPSS
Exploits10References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 8:46 p.m.1 views

CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

9.3CVSS6.3AI score0.1049EPSS
Exploits2References1
CVE
CVE
added 2026/04/07 8:46 p.m.21 views

CVE-2026-33439

CVE-2026-33439 : OpenAM/OpenIdentityPlatform before 16.0.6 is vulnerable to pre-authentication remote code execution via unsafe Java deserialization of the jato.clientSession parameter. An unauthenticated attacker can send a crafted serialized Java object to any JATO ViewBean endpoint (e.g., Pass...

9.8CVSS6.3AI score0.1049EPSS
Exploits2References1Affected Software1
EUVD
EUVD
added 2026/04/07 3:45 p.m.6 views

EUVD-2026-19941

OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM...

9.3CVSS6AI score0.1049EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/04/07 3:45 p.m.15 views

OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Summary OpenIdentityPlatform OpenAM 16.0.5 and likely earlier versions is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the...

10CVSS7.6AI score0.99999EPSS
Exploits10References5Affected Software1
OSV
OSV
added 2026/04/07 3:45 p.m.3 views

GHSA-2CQQ-RPVQ-G5QJ OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Summary OpenIdentityPlatform OpenAM 16.0.5 and likely earlier versions is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the...

9.3CVSS6.2AI score0.1049EPSS
Exploits2References5
Snyk
Snyk
added 2026/04/07 3:45 p.m.6 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the jato.clientSession HTTP parameter of the deserializeAttributes function. An attacker can execute arbitrary code on the server by sending a crafted serialized Java object to endpoints that process...

9.8CVSS6.1AI score0.1049EPSS
Exploits2References2
Github Security Blog
Github Security Blog
added 2026/03/26 9:30 a.m.5 views

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.9AI score0.00295EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/03/26 9:30 a.m.8 views

EUVD-2026-16142

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.8AI score0.00295EPSS
Exploits0References3
NVD
NVD
added 2026/03/26 8:16 a.m.3 views

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS0.00295EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/03/26 7:12 a.m.2 views

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.8AI score0.00295EPSS
Exploits0References7
Rows per page
Query Builder