Lucene search
K

866 matches found

Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.15 views

PT-2026-44799

Name of the Vulnerable Software and Affected Versions OpenShift Router affected versions not specified Description A flaw in the HTTP frontend occurs when a Route has the insecureEdgeTerminationPolicy set to Allow. In this configuration, the router fails to remove X-SSL-Client- headers from...

7.5CVSS5.5AI score0.0023EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2026/05/26 2:12 p.m.11 views

CVE-2026-32253

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...

9.8CVSS5.7AI score0.00291EPSS
Exploits1References1
RedHat Linux
RedHat Linux
added 2026/05/26 12:59 p.m.13 views

Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration

A flaw was found in Apache Tomcat and Apache Tomcat Native. When CLIENTCERT authentication is configured with "soft fail" disabled, the authentication process may not correctly fail in certain scenarios. This vulnerability could allow an attacker to bypass expected client certificate...

9.1CVSS5.8AI score0.00715EPSS
Exploits2References5
RedHat Linux
RedHat Linux
added 2026/05/26 12:55 p.m.12 views

Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration

A flaw was found in Apache Tomcat where OCSP-based certificate validation may incorrectly soft-fail during CLIENTCERT authentication, even when soft-fail is disabled, under certain FFM-related execution paths. This can result in client certificates being accepted despite failed or unverifiable...

6.5CVSS5.9AI score0.00469EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/05/26 12:55 p.m.19 views

Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration

A flaw was found in Apache Tomcat and Apache Tomcat Native. When CLIENTCERT authentication is configured with "soft fail" disabled, the authentication process may not correctly fail in certain scenarios. This vulnerability could allow an attacker to bypass expected client certificate...

9.1CVSS5.8AI score0.00715EPSS
Exploits2References5
Cvelist
Cvelist
added 2026/05/22 5:7 p.m.23 views

CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...

9.8CVSS0.00291EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/22 5:7 p.m.11 views

CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...

9.8CVSS5.7AI score0.00291EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/22 5:7 p.m.13 views

EUVD-2026-31469

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...

9.8CVSS5.7AI score0.00291EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.26 views

PT-2026-42801

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509 V ERR UNABLE TO GET ISSUER CERT...

9.8CVSS5.7AI score0.00291EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in Golang-1.19

Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/TLS clients, as well as servers that have Config.ClientAuth set to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default...

5.9CVSS6.8AI score0.00667EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.9 views

Astra Linux – Vulnerability in PostgresSQL 11

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries during the initial establishment of a connection, despite the use of SSL certificate verification and encryption...

8.1CVSS7.2AI score0.01901EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux - уязвимость в tomcat9

CLIENTCERT authentication does not fail as expected in some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: versions from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, and from 9.0.92 through 9.0.116. Users are recommended to...

6.5CVSS5.8AI score0.00469EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Tomcat9

Improper input validation vulnerability. This issue affects Apache Tomcat: versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112. The following versions were at the end of their support lifecycles at the time the CVE was created, but are known to be affected:...

9.1CVSS6.7AI score0.00235EPSS
Exploits0References2
Hacker One
Hacker One
added 2026/05/20 1:40 a.m.38 views

curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication

Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPTFOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPTUNRESTRICTEDAUTH, even though curl alrea...

5.4AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/05/20 12:0 a.m.18 views

Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2026-1672)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1672 advisory. Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1...

9.1CVSS6AI score0.0504EPSS
Exploits3References20
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.14 views

CVE-2026-23998

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:48 p.m.58 views

CVE-2026-23998 Fleet has a Windows MDM management endpoint authentication bypass

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...

8.2CVSS0.00214EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.19 views

PT-2026-40967

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0 Description A flaw in the Windows MDM management endpoint allows requests to be processed without proper client certificate validation. The endpoint relies on mutual TLS mTLS—a process where both the client and...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References7
SUSE CVE
SUSE CVE
added 2026/05/13 2:53 p.m.9 views

SUSE CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

9.1CVSS5.8AI score0.00545EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/05 12:30 a.m.20 views

EUVD-2026-27145

Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

7.5CVSS5.8AI score0.002EPSS
Exploits0References2
Rows per page
Query Builder