13159 matches found

NVD (added 2026/03/26 9:17 p.m., 3 views)

CVE-2026-3532

Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

CVSS 4.2 | EPSS 0.00043 | Exploits: 0 | References: 1

Snyk (added 2026/03/26 8:33 p.m., 2 views)

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting XSS in the OIDC authentication error message handling process. An attacker can execute arbitrary JavaScript in the context of the user's browser by crafting a malicious input that is reflected in the error message...

CVSS 9.6 | AI score 5.9 | EPSS 0.00035 | Exploits: 0 | References: 3

OSV (added 2026/03/26 8:33 p.m., 2 views)

GO-2026-4852 Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 7.4 | AI score 5.9 | EPSS 0.00018 | Exploits: 1 | References: 4

OSV (added 2026/03/26 8:33 p.m., 1 view)

GO-2026-4860 OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao

OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao...

CVSS 9.6 | AI score 5.8 | EPSS 0.0004 | Exploits: 0 | References: 3

OSV (added 2026/03/26 8:33 p.m., 2 views)

GO-2026-4862 OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao

OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao...

CVSS 9.4 | AI score 5.9 | EPSS 0.00035 | Exploits: 0 | References: 4

Snyk (added 2026/03/26 8:33 p.m., 1 view)

Cross-site Scripting (XSS)

Overview: github.com/ory/hydra/oauth2 is an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the errorhint parameter. An attacker can execute arbitrary JavaScript in the context of the user's...

CVSS 6.1 | AI score 5.9 | EPSS 0.00323 | Exploits: 1 | References: 3

OSV (added 2026/03/26 8:33 p.m., 2 views)

GO-2026-4849 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS 8.1 | AI score 5.9 | EPSS 0.00107 | Exploits: 1 | References: 7

ATTACKERKB (added 2026/03/26 8:04 p.m., 1 view)

CVE-2026-3532

Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.8 | EPSS 0.00043 | Exploits: 0 | References: 2

CVE (added 2026/03/26 8:04 p.m., 7 views)

CVE-2026-3532

CVE-2026-3532 affects the Drupal OpenID Connect / OAuth client module. The Red Hat and related sources describe a flaw due to improper handling of case sensitivity that allows privilege escalation by manipulating user fields, potentially enabling unauthorized elevation of access for affected user...

CVSS 4.2 | AI score 5.8 | EPSS 0.00043 | Exploits: 0 | References: 1 | Affected software: 1

Cvelist (added 2026/03/26 8:04 p.m., 19 views)

CVE-2026-3532 OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

EPSS 0.00043 | Exploits: 0 | References: 1

Vulnrichment (added 2026/03/26 8:04 p.m., 1 view)

CVE-2026-3532 OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.9 | EPSS 0.00043 | Exploits: 0 | References: 1

Cvelist (added 2026/03/26 8:03 p.m., 19 views)

CVE-2026-3531 OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

EPSS 0.00079 | Exploits: 0 | References: 1

Vulnrichment (added 2026/03/26 8:03 p.m., 1 view)

CVE-2026-3531 OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.9 | EPSS 0.00079 | Exploits: 0 | References: 1

ATTACKERKB (added 2026/03/26 8:03 p.m., 3 views)

CVE-2026-3531

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.8 | EPSS 0.00079 | Exploits: 0 | References: 2

CVE (added 2026/03/26 8:03 p.m., 5 views)

CVE-2026-3531

CVE-2026-3531 affects Drupal OpenID Connect / OAuth client prior to 1.5.0. The root cause is an authentication bypass via an alternate path or channel, enabling unauthorized access to resources protected by authentication. Public descriptions from Red Hat, ENISA/EUVD, NVD/NVD, CVE lists and the D...

CVSS 6.5 | AI score 5.8 | EPSS 0.00079 | Exploits: 0 | References: 1 | Affected software: 1

Cvelist (added 2026/03/26 8:03 p.m., 21 views)

CVE-2026-3530 OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Server-Side Request Forgery SSRF vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

EPSS 0.0004 | Exploits: 0 | References: 1

Vulnrichment (added 2026/03/26 8:03 p.m., 2 views)

CVE-2026-3530 OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Server-Side Request Forgery SSRF vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.9 | EPSS 0.0004 | Exploits: 0 | References: 1

ATTACKERKB (added 2026/03/26 8:03 p.m., 2 views)

CVE-2026-3530

Server-Side Request Forgery SSRF vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

AI score 5.8 | EPSS 0.0004 | Exploits: 0 | References: 2

CVE (added 2026/03/26 6:48 p.m., 6 views)

CVE-2026-33506

Ory Polis (formerly BoxyHQ Jackson) contains a DOM-based XSS in its login flow prior to version 26.2.0. The vulnerability stems from trusting a URL parameter callbackUrl that is passed to router.push, allowing an attacker to lure a user into opening a malicious link, which triggers a client-side...

CVSS 8.8 | AI score 5.9 | EPSS 0.00039 | Exploits: 1 | References: 2 | Affected software: 1

Github Security Blog (added 2026/03/26 6:37 p.m., 2 views)

OpenBao has Reflected XSS in its OIDC authentication error message

Impact: OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a...

CVSS 9.4 | AI score 5.8 | EPSS 0.00035 | Exploits: 0 | References: 6 | Affected software: 1
