Lucene search
K

13274 matches found

OSV
OSV
added 2026/03/25 9:10 p.m.3 views

GHSA-94XM-JJ8X-3CR4 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...

7.1CVSS5.9AI score0.00453EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2026/03/25 9:10 p.m.5 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...

8.1CVSS5.9AI score0.00453EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2026/03/25 5:33 p.m.5 views

GHSA-8G29-8XWR-QMHR @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Impact JSON.parseenv.adapterConfig is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled...

2.1CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/25 5:33 p.m.7 views

@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Impact JSON.parseenv.adapterConfig is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled...

5.8AI score
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/25 4:28 p.m.19 views

CVE-2026-27656 Account Takeover via Substring Matching in OpenID Connect Authentication

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to properly validate user identity in the OpenID IsSameUser comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user...

5.7CVSS0.0018EPSS
Exploits0References1
CVE
CVE
added 2026/03/25 4:28 p.m.20 views

CVE-2026-27656

Mattermost contains a vulnerability (CVE-2026-27656) where versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, and 10.11.x

6.1CVSS5.9AI score0.0018EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/03/25 3:31 p.m.7 views

EUVD-2025-208983

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting XSS vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information...

8.5CVSS5.8AI score0.00146EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/25 3:31 p.m.5 views

EUVD-2025-208979

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information...

7.2CVSS5.8AI score0.00214EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/25 3:31 p.m.5 views

EUVD-2025-208981

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery CSRF vulnerability which, if exploited, can lead to unauthorized modification of certain information...

5.1CVSS5.8AI score0.00096EPSS
Exploits0References3
NVD
NVD
added 2026/03/25 2:16 p.m.5 views

CVE-2025-40842

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting XSS vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information...

8.5CVSS0.00146EPSS
Exploits0References2
NVD
NVD
added 2026/03/25 2:16 p.m.6 views

CVE-2025-27260

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information...

7.5CVSS0.00214EPSS
Exploits0References2
NVD
NVD
added 2026/03/25 2:16 p.m.6 views

CVE-2025-40841

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery CSRF vulnerability which, if exploited, can lead to unauthorized modification of certain information...

5.1CVSS0.00096EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/25 1:10 p.m.4 views

CVE-2025-40842 Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting XSS vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information...

8.5CVSS5.8AI score0.00146EPSS
Exploits0References2
CVE
CVE
added 2026/03/25 1:10 p.m.16 views

CVE-2025-40842

CVE-2025-40842 concerns Ericsson Indoor Connect 8855. The vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) in versions prior to 2025.Q3, potentially allowing unauthorized disclosure and modification of information. The CVSS v4.0 score is 8.5 (HIGH), with netwo...

8.5CVSS5.8AI score0.00146EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/25 1:10 p.m.4 views

CVE-2025-40842

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting XSS vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information...

8.5CVSS5.8AI score0.00146EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/25 1:10 p.m.20 views

CVE-2025-40842 Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting XSS vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information...

8.5CVSS0.00146EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/25 1:7 p.m.2 views

CVE-2025-40841

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery CSRF vulnerability which, if exploited, can lead to unauthorized modification of certain information...

5.1CVSS5.8AI score0.00096EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/25 1:7 p.m.3 views

CVE-2025-40841 Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery CSRF vulnerability which, if exploited, can lead to unauthorized modification of certain information...

5.1CVSS5.8AI score0.00096EPSS
Exploits0References2
CVE
CVE
added 2026/03/25 1:7 p.m.13 views

CVE-2025-40841

Ericsson Indoor Connect 8855 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in versions prior to 2025.Q3. The issue can allow unauthorized modification of certain information with a CVSS v4.0 base score of 5.1 (MEDIUM). Attack vector is network, with low attack complexity and re...

5.1CVSS5.8AI score0.00096EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/25 1:7 p.m.24 views

CVE-2025-40841 Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery CSRF vulnerability which, if exploited, can lead to unauthorized modification of certain information...

5.1CVSS0.00096EPSS
Exploits0References2
Rows per page
Query Builder