Lucene search
+L

13479 matches found

Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.9 views

PT-2026-56542

Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.83.10-stable Description LiteLLM is a proxy server that functions as an AI Gateway for calling LLM APIs. The '/health/test connection' endpoint resolves request-supplied environment and OIDC file references within t...

2.1CVSS6.1AI score0.00258EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/07 10:23 p.m.28 views

CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS0.00479EPSS
Exploits0References7
CVE
CVE
added 2026/07/07 10:23 p.m.14 views

CVE-2026-55076

Coder’s CVE-2026-55076 describes an OIDC callback flaw where the email_verified claim was checked with a direct Go bool assertion. If an IdP returns a non-boolean value (e.g., "false") or omits the claim, the check can pass incorrectly, in combination with an unconditional email-based account fal...

7.4CVSS6AI score0.00479EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/07/07 10:23 p.m.8 views

CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS6AI score0.00479EPSS
Exploits0References9
NVD
NVD
added 2026/07/07 10:16 p.m.12 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS0.00479EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/07/07 9:33 p.m.27 views

CVE-2026-55075 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS0.00479EPSS
Exploits0References7
CVE
CVE
added 2026/07/07 9:33 p.m.14 views

CVE-2026-55075

Coder’s OIDC login flaw leads to account takeover via email-based user matching and improper handling of email_verified. Before versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two issues exist: (1) email-based matching could link by email without confirming an existing link to a different IdP subjec...

7.4CVSS6AI score0.00479EPSS
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/07 9:33 p.m.6 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS6AI score0.00479EPSS
Exploits0References8Affected Software1
Snyk
Snyk
added 2026/07/07 8:56 p.m.5 views

Server-side Request Forgery (SSRF)

Overview @better-auth/sso is a SSO plugin for Better Auth Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /sso/register and POST /sso/update-provider endpoints when attacker-controlled OIDC endpoint URLs are accepted without proper validation if...

9.6CVSS6.2AI score0.00252EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/07/07 8:11 p.m.6 views

NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins

NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...

9.1CVSS5.9AI score0.00303EPSS
Exploits0References3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/07/07 6:34 p.m.9 views

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.1.0 Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted data...

9.8CVSS7.5AI score0.51547EPSS
Exploits7Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/07/07 6:33 p.m.7 views

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v10.0.8.10 Vulnerability Details CVEID:CVE-2026-33244 DESCRIPTION: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the...

8.1CVSS7.1AI score0.00808EPSS
Exploits3Affected Software1
OSV
OSV
added 2026/07/07 3:26 p.m.6 views

GO-2026-5908 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder

Coder vulnerable to OIDC account takeover via email-based user matching and emailverified bypass in github.com/coder/coder...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 3:26 p.m.7 views

GO-2026-5907 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder

Coder's OIDC emailverified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References1
OSV
OSV
added 2026/07/07 3:26 p.m.7 views

GO-2026-5853 Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage in github.com/sigstore/fulcio

Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage in github.com/sigstore/fulcio...

5.9AI score
Exploits0References1
Veracode
Veracode
added 2026/07/07 10:5 a.m.8 views

Authentication Bypass

Coder is vulnerable to an authentication bypass. The vulnerability is due to improper validation of the emailverified claim in the OIDC callback and an unconditional email-based account fallback, which allows an attacker to take over accounts by supplying a non-boolean or missing emailverified...

7.4CVSS6AI score0.00479EPSS
Exploits0References12Affected Software2
NVD
NVD
added 2026/07/06 9:16 p.m.10 views

CVE-2026-59713

Leantime contains an OIDC login CSRF vulnerability in the verifyState method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the...

8.6CVSS0.00153EPSS
Exploits0References4
OSV
OSV
added 2026/07/06 8:52 p.m.5 views

GHSA-9R87-MVCW-X35F Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass

Summary Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the emailverified claim was only enforced when present as a boolean false so an absent or non-boolean...

7.4CVSS6AI score0.00479EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/07/06 8:52 p.m.8 views

Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass

Summary Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the emailverified claim was only enforced when present as a boolean false so an absent or non-boolean...

7.4CVSS6AI score0.00479EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/06 8:50 p.m.6 views

GHSA-75VM-6W67-GWVP Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Summary Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string "false" or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based accou...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References2
Rows per page
Query Builder