Note Mark: OIDC-registered users authenticated by submitting password "null"

Summary IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for...

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the IsPasswordMatch function. An attacker can gain unauthorized access to accounts registered through OIDC by submitting the password "null" to the internal login endpoint, which results in a valid session...

CVE-2026-6992

A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/runcentral2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated...

CVE-2026-6992

CVE-2026-6992 affects Linksys MR9600 (firmware 2.0.6.206937). The vulnerability lies in BTRequestGetSmartConnectStatus within /etc/init.d/run_central2.sh (JNAP Action Handler), where manipulating the argument pin enables OS command injection. The attack can be initiated remotely and public exploi...

CVE-2026-6992

A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/runcentral2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated...

CVE-2026-6981

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connectstreamendpoint/syncagents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack ma...

CVE-2026-6981

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connectstreamendpoint/syncagents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack ma...

EUVD-2026-25657

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connectstreamendpoint/syncagents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack ma...

CVE-2026-6981 IhateCreatingUserNames2 AiraHub2 Endpoint AiraHub.py sync_agents server-side request forgery

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connectstreamendpoint/syncagents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack ma...

OESA-2026-2029 libsoup security update

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications, and also has a synchronous API, for use in threaded applications. Security Fixes: A flaw was found in libsoup. When establishing HTTPS tunnels through a configur...

OESA-2026-2028 libsoup security update

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications, and also has a synchronous API, for use in threaded applications. Security Fixes: A flaw was found in libsoup. When establishing HTTPS tunnels through a configur...

OESA-2026-2026 libsoup security update

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications, and also has a synchronous API, for use in threaded applications. Security Fixes: A flaw was found in libsoup. When establishing HTTPS tunnels through a configur...

[SECURITY] Fedora 44 Update: opkssh-0.13.0-8.fc44

OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like aliceaexample.com ins tead of long-lived SSH keys...

[SECURITY] Fedora 44 Update: python-msal-1.36.0-1.fc44

The Microsoft Authentication Library for Python enables applications to integrate with the Microsoft identity platform. It allows you to sign in users or apps with Microsoft identities Azure AD, Microsoft Accounts and Azure AD B2C accounts and obtain tokens to call Microsoft APIs such as Microsof...

PT-2026-35165

A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated...

PT-2026-35152

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connect stream endpoint/sync agents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack...

Linksys MR9600 命令注入漏洞

The Linksys MR9600 is a wireless router produced by the American company Linksys. The Linksys MR9600 2.0.6.206937 version has a command injection vulnerability. This vulnerability stems from an improper handling of the parameter pin in the function BTRequestGetSmartConnectStatus within the JNAP...

PYSEC-2026-25

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starletteclient.OAuth. This vulnerability is fixed in 1.6.11...

DEBIAN-CVE-2026-41425

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starletteclient.OAuth. This vulnerability is fixed in 1.6.11...

UBUNTU-CVE-2026-41425

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starletteclient.OAuth. This vulnerability is fixed in 1.6.11...