Lucene search

13101 matches found

EUVD (added 2026/04/17 6:31 a.m.)

EUVD-2026-23356

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) an...

CVSS 5.3 | AI score 5.8 | EPSS 0.00119 | Exploits: 0 | References: 11
Cvelist (added 2026/04/17 3:36 a.m.; the same record is also indexed by NVD, added 2026/04/17 5:16 a.m., and by CVE, added 2026/04/17 3:36 a.m.)

CVE-2026-5234 LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) an...

CVSS 5.3 | AI score 5.8 | EPSS 0.00119 | Exploits: 0 | References: 10
Packet Storm (added 2026/04/17 12:00 a.m.)

MCPJam Inspector 1.4.2 Remote Code Execution

This Metasploit auxiliary module targets a remote code execution vulnerability in MCPJam Inspector version 1.4.2. The flaw exists in the /api/mcp/connect endpoint, where user-controlled input is improperly passed to a backend execution mechanism...

CVSS 9.8 | AI score 6.7 | EPSS 0.30368 | Exploits: 28
Redos (added 2026/04/17 12:00 a.m.)

ROS-20260417-73-0030

A vulnerability in the JOSE implementation of the Authlib library for OAuth and OpenID Connect servers is related to improper integrity value checking. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security mechanisms...

CVSS 8.2 | AI score 7.3 | EPSS 0.00029 | Exploits: 1
Tenable Nessus (added 2026/04/17 12:00 a.m.)

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007286)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007286 advisory. In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect. Garbage collector does not take into accoun...

CVSS 4.7 | AI score 6.2 | EPSS 0.00013 | Exploits: 0 | References: 4
Tenable Nessus (added 2026/04/17 12:00 a.m.)

Unity Linux 20.1050e / 20.1060e Security Update: kernel (UTSA-2026-007624)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007624 advisory. In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect(). user_cluster_disconnect() frees conn->cc_private which is ...

AI score 5.6 | EPSS 0.00063 | Exploits: 0 | References: 4
OSV (added 2026/04/16 11:36 p.m.)

BIT-APISIX-2026-31923 Apache APISIX: Openid-connect `tls_verify` field is disabled by default

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in the openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, whic...

CVSS 7.5 | AI score 5.7 | EPSS 0.00045 | Exploits: 0 | References: 3
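A default of false means an operator who never wrote the field at all is running without upstream TLS verification, so an audit has to flag the absent key as well as an explicit false. The following script is an added example, not Apache APISIX project code: it walks route definitions shaped like a declarative apisix.yaml `routes:` list, reports every openid-connect plugin instance that does not explicitly set the field to true, and produces a hardened copy. It assumes the attribute is spelled `ssl_verify` (the advisory above renders it as sslverify and the OSV title as `tls_verify`); the sample routes are constructed.

```python
"""Audit APISIX route definitions for openid-connect plugin instances whose
upstream TLS verification is off.

Added example, not Apache APISIX project code. Assumes the plugin attribute
is named ssl_verify and that an absent field means the pre-3.16.0 default
of false. Route objects follow the shape of a declarative apisix.yaml
`routes:` list; SAMPLE_ROUTES below is constructed test data."""

from copy import deepcopy


def openid_connect_findings(routes):
    """Return (route_id, discovery_url, reason) for every openid-connect
    plugin config that does not explicitly set ssl_verify to true."""
    findings = []
    for route in routes:
        plugin = route.get("plugins", {}).get("openid-connect")
        if plugin is None:
            continue
        ssl_verify = plugin.get("ssl_verify")
        if ssl_verify is True:
            continue
        if ssl_verify is None:
            reason = "ssl_verify not set; default is false before 3.16.0"
        else:
            reason = "ssl_verify explicitly false"
        findings.append((route.get("id"), plugin.get("discovery"), reason))
    return findings


def harden(route):
    """Return a copy of the route with ssl_verify forced to true on its
    openid-connect plugin; routes without the plugin come back unchanged."""
    fixed = deepcopy(route)
    plugin = fixed.get("plugins", {}).get("openid-connect")
    if plugin is not None:
        plugin["ssl_verify"] = True
    return fixed


# Constructed sample: two weak configs, one already hardened, one unrelated.
SAMPLE_ROUTES = [
    {"id": "login-legacy", "uri": "/legacy/*",
     "plugins": {"openid-connect": {
         "client_id": "legacy", "client_secret": "redacted",
         "discovery": "https://idp.example/.well-known/openid-configuration"}}},
    {"id": "login-explicit-off", "uri": "/off/*",
     "plugins": {"openid-connect": {
         "client_id": "off", "client_secret": "redacted",
         "discovery": "https://idp.example/.well-known/openid-configuration",
         "ssl_verify": False}}},
    {"id": "login-hardened", "uri": "/ok/*",
     "plugins": {"openid-connect": {
         "client_id": "ok", "client_secret": "redacted",
         "discovery": "https://idp.example/.well-known/openid-configuration",
         "ssl_verify": True}}},
    {"id": "public", "uri": "/health", "plugins": {}},
]


if __name__ == "__main__":
    for route_id, discovery, reason in openid_connect_findings(SAMPLE_ROUTES):
        print(f"{route_id}: {reason} (discovery: {discovery})")
    assert not openid_connect_findings([harden(r) for r in SAMPLE_ROUTES])
```

Run it against a dump of your own routes (for example the JSON returned by the Admin API, reshaped into the same list) to find instances that still rely on the old default; explicitly setting the field is the safe choice even after upgrading, since it survives a later downgrade.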
IBM Security Bulletins (added 2026/04/16 3:51 p.m.)

Security Bulletin: IBM Data Server Driver for JDBC and SQLJ is affected by a vulnerability in org.lz4 1.8.0 (CVE-2025-12183)

Summary: IBM Data Server Driver for JDBC and SQLJ is affected by a vulnerability in org.lz4 1.8.0 (CVE-2025-12183).
Vulnerability Details: CVEID: CVE-2025-12183. DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read...

CVSS 8.8 | AI score 7.2 | EPSS 0.00103 | Exploits: 0 | Affected Software: 1
IBM Security Bulletins (added 2026/04/16 11:09 a.m.)

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting (GHSA-h8r8-wccr-v5f2, GHSA-cjmm-f4jc-qw8r) and prototype pollution (GHSA-cj63-jhhr-wcxv)

Summary: The Node.js module dompurify is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting (GHSA-h8r8-wccr-v5f2, GHSA-cjmm-f4jc-qw8r) and prototype pollution (GHSA-cj63-jhhr-wcxv). This...

AI score 5.9 | Exploits: 0 | Affected Software: 1
Snyk (added 2026/04/15 7:19 p.m.)

Always-Incorrect Control Flow Implementation

Overview: Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVSS 6.3 | AI score 5.8 | EPSS 0.00057 | Exploits: 0 | References: 2

Github Security Blog (added 2026/04/15 7:19 p.m.)

Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Affected Components:
- DSF FHIR Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication.
Summa...

CVSS 6.3 | AI score 5.8 | EPSS 0.00057 | Exploits: 0 | References: 5 | Affected Software: 2

OSV (added 2026/04/15 7:19 p.m.)

GHSA-XMJ9-7625-F634 Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Affected Components:
- DSF FHIR Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication.
Summa...

CVSS 6.3 | AI score 5.8 | EPSS 0.00057 | Exploits: 0 | References: 5
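An inverted freshness comparison produces exactly the two symptoms the Snyk and GitHub entries above describe, and they are two sides of one bug: entries still inside their TTL are treated as stale and refetched on every call (repeated requests to the provider), while entries past their TTL are treated as fresh and served (expired keys or tokens reused). The cache below is an added example, not Data Sharing Framework code; it takes the current time as a parameter so both variants can be driven offline, and the JWKS payloads are constructed strings.

```python
"""Inverted freshness check in a JWKS / token cache.

Added example, not Data Sharing Framework code. The two comparisons below
reproduce the effect the advisory describes (expired entries reused, fresh
entries refetched). The clock is caller-supplied and the fetched values are
constructed, so the script runs offline."""


class ExpiringCache:
    """Single-entry cache for a fetched value (JWKS document, access token)."""

    def __init__(self, fetch, ttl_seconds, inverted=False):
        self.fetch = fetch              # callable that would hit the OIDC provider
        self.ttl = ttl_seconds
        self.inverted = inverted        # reproduce the bug when True
        self.value = None
        self.expires_at = None
        self.fetch_count = 0

    def get(self, now):
        if self.value is None:
            return self._refresh(now)
        if self.inverted:
            # Bug pattern: "now < expires_at" is read as "stale", so a fresh
            # entry is discarded and an expired one is kept.
            must_refresh = now < self.expires_at
        else:
            must_refresh = now >= self.expires_at
        if must_refresh:
            return self._refresh(now)
        return self.value

    def _refresh(self, now):
        self.value = self.fetch()
        self.fetch_count += 1
        self.expires_at = now + self.ttl
        return self.value


def run_scenario(inverted):
    """Drive the cache through a cold start, a hit inside the TTL and a hit
    long after expiry; return what an operator would observe."""
    versions = iter(["jwks-v1", "jwks-v2", "jwks-v3"])   # constructed payloads
    cache = ExpiringCache(fetch=lambda: next(versions), ttl_seconds=300,
                          inverted=inverted)
    cache.get(now=0)                        # cold cache: one fetch
    second = cache.get(now=10)              # well inside the 300 s TTL
    fetches_while_fresh = cache.fetch_count
    third = cache.get(now=610)              # long past expiry
    return {
        "fetches_while_fresh": fetches_while_fresh,   # 1 expected, 2 when inverted
        "refetched_after_expiry": third != second,    # True expected, False when inverted
        "total_fetches": cache.fetch_count,
    }


if __name__ == "__main__":
    print("inverted:", run_scenario(inverted=True))
    print("correct: ", run_scenario(inverted=False))
```

The useful detection signal is the first symptom rather than the second: a JWKS endpoint being hit on every request, or an access token refreshed far more often than its lifetime warrants, is visible in provider logs long before anyone notices that a rotated-out signing key is still being accepted.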
Snyk (added 2026/04/15 7:19 p.m.)

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by...

CVSS 6.8 | AI score 5.8 | EPSS 0.00025 | Exploits: 0 | References: 2

Github Security Blog (added 2026/04/15 7:19 p.m.)

Data Sharing Framework is Missing Session Timeout for OIDC Sessions

Affected Components:
- DSF FHIR Server with enabled OIDC authentication.
- DSF BPE Server with enabled OIDC authentication.
Summary: OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. Impact: If...

CVSS 6.8 | AI score 5.8 | EPSS 0.00025 | Exploits: 0 | References: 7 | Affected Software: 3
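The two conditions named in the GitHub entry above, no maximum inactivity window and no tie to the OIDC access token's lifetime, are separate checks and a server needs both. The store below is an added example, not Data Sharing Framework code: its default construction reproduces the vulnerable behaviour (a session created once is valid forever), and the hardened construction drops a session after a configurable idle period and also refuses to outlive the access token it was minted from. Times are plain seconds supplied by the caller and the users are constructed.

```python
"""Inactivity timeout for OIDC-authenticated browser sessions.

Added example, not Data Sharing Framework code. SessionStore() with no
arguments models the advisory's vulnerable state; SessionStore(1800,
honor_token_expiry=True) models the fix. Timestamps are seconds passed in
by the caller so the scenario runs offline."""

import secrets


class SessionStore:
    def __init__(self, max_inactivity_seconds=None, honor_token_expiry=False):
        # None means no inactivity bound at all (the vulnerable behaviour).
        self.max_inactivity = max_inactivity_seconds
        self.honor_token_expiry = honor_token_expiry
        self.sessions = {}

    def login(self, subject, access_token_expires_at, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "subject": subject,
            "last_seen": now,
            "token_expires_at": access_token_expires_at,
        }
        return sid

    def validate(self, sid, now):
        """Return True and refresh last_seen if the session is still usable;
        otherwise drop it and return False so the caller forces a new login."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        idle = now - session["last_seen"]
        if self.max_inactivity is not None and idle > self.max_inactivity:
            del self.sessions[sid]
            return False
        if self.honor_token_expiry and now >= session["token_expires_at"]:
            del self.sessions[sid]
            return False
        session["last_seen"] = now
        return True


def run_scenario(hardened):
    """Two constructed users: one who goes idle for eight hours, one who stays
    active past the expiry of the access token the session was created with."""
    store = SessionStore(1800, honor_token_expiry=True) if hardened else SessionStore()

    sid = store.login("alice", access_token_expires_at=3600, now=0)
    active = store.validate(sid, now=60)
    after_idle = store.validate(sid, now=60 + 8 * 3600)
    retry = store.validate(sid, now=60 + 8 * 3600 + 1)

    sid2 = store.login("bob", access_token_expires_at=3600, now=0)
    steady = all(store.validate(sid2, now=t) for t in range(600, 3001, 600))
    past_token = store.validate(sid2, now=3700)

    return {
        "active": active,
        "after_idle": after_idle,                  # True only when vulnerable
        "retry": retry,                            # True only when vulnerable
        "steady_before_token_expiry": steady,
        "active_past_token_expiry": past_token,    # True only when vulnerable
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Refusing to outlive the access token is the stricter of the two checks; a deployment that wants long browser sessions without that cost can instead use a refresh token at that point, but the session must then be re-validated rather than simply continued.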