Lucene search

2549 matches found

OSV
added 2026/04/06 2:49 p.m. | 1 view

BIT-PARSE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who...

CVSS 8.2 | AI score 5.8 | EPSS 0.00085
Exploits: 0 | References: 6
CNNVD
added 2026/04/06 12:00 a.m. | 2 views

OpenAirInterface security vulnerability

OpenAirInterface is a mobile communication network software platform developed by the French company OpenAirInterface. OpenAirInterface V2.2.0 contains a security vulnerability. This vulnerability arises from AMF crashing when receiving NGAP messages that contain invalid process codes or invalid...

CVSS 7.5 | AI score 5.8 | EPSS 0.00091
Exploits: 1 | References: 2
OSV
added 2026/04/05 6:29 p.m. | 0 views

MINI-Q7HM-78R7-6RWF

Bulletin has no description...

CVSS 6.4 | AI score 6.3 | EPSS 0.00012
Exploits: 0
Github Security Blog
added 2026/04/04 5:37 a.m. | 4 views

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Summary: The mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details: The vulnerable code pass...

CVSS 8.8 | AI score 6.3 | EPSS 0.00027
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2026/04/04 5:37 a.m. | 2 views

GHSA-5QHV-X9J4-C3VM @mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Summary: The mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details: The vulnerable code pass...

CVSS 8.3 | AI score 6.3 | EPSS 0.00027
Exploits: 1 | References: 5
Positive Technologies
added 2026/04/04 12:00 a.m. | 2 views

PT-2026-30323

Summary: The mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details: The vulnerable code...

CVSS 8.3 | AI score 6.3 | EPSS 0.00027
Exploits: 1 | References: 8
Wired Threat Level
added 2026/04/03 9:00 a.m. | 1 view

CBP Facility Codes Sure Seem to Have Leaked Via Online Flashcards

The Quizlet flashcards, which WIRED found through basic Google searches, seem to include sensitive information about gate security at Customs and Border Protection locations...

AI score 5.9
Exploits: 0
OSV
added 2026/04/03 3:19 a.m. | 1 view

GHSA-GG9V-MGCP-V6M7 OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Summary: Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing. Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in...

CVSS 9.8 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 5
Github Security Blog
added 2026/04/03 3:19 a.m. | 5 views

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Summary: Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing. Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in...

CVSS 9.8 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 5 | Affected Software: 1
Snyk
added 2026/04/03 3:19 a.m. | 3 views

Improper Privilege Management

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Privilege Management via the pairing process. An attacker can gain elevated privileges by exploiting unbound bootstrap setup codes during device pairing. Remediation: Upgrade...

CVSS 8.6 | AI score 5.9
Exploits: 0 | References: 2
Positive Technologies
added 2026/04/03 12:00 a.m. | 2 views

PT-2026-35771

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.22. Description: An issue exists where bootstrap setup codes are not bound to intended device roles and scopes during pairing. This allows attackers to escalate privileges beyond their intended role and scope...

CVSS 9.8 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 12
Cvelist
added 2026/04/02 4:14 p.m. | 12 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectU...

CVSS 6.1 | EPSS 0.00026
Exploits: 1 | References: 2
ATTACKERKB
added 2026/04/02 4:14 p.m. | 2 views

CVE-2026-34083

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectU...

CVSS 6.1 | AI score 5.9 | EPSS 0.00026
Exploits: 1 | References: 3 | Affected Software: 1
Snyk
added 2026/04/02 3:31 p.m. | 1 view

Improper Isolation or Compartmentalization

Overview: Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of...

CVSS 9.1 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 2
Snyk
added 2026/04/02 3:31 p.m. | 0 views

Improper Isolation or Compartmentalization

Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the...

CVSS 9.1 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 2
EUVD
added 2026/04/02 3:31 p.m. | 2 views

EUVD-2026-18208

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

CVSS 7.4 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 5
OSV
added 2026/04/02 3:31 p.m. | 5 views

GHSA-HJ93-H7PG-FH6V Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

CVSS 7.4 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 10
Github Security Blog
added 2026/04/02 3:31 p.m. | 8 views

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

CVSS 7.4 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 10 | Affected Software: 1
RedHat Linux
added 2026/04/02 1:54 p.m. | 3 views

keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

CVSS 7.4 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 4
RedHat Linux
added 2026/04/02 1:53 p.m. | 4 views

keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

CVSS 7.4 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 4