Lucene search
K

87 matches found

CVE
CVE
added 2026/05/27 9:53 p.m.27 views

CVE-2026-46544

Technical details beyond the provided CVE description are not publicly available in the supplied documents. Monitor for updates from the referenced UFO advisory and CVE entry.

5.3CVSS5.8AI score0.00422EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.13 views

PT-2026-44122

Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659 Description Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. The software accepts client-supplied session id values in WebSocket task messages and reuses...

5.3CVSS5.8AI score0.00422EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.11 views

PT-2026-44120

Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659 Description Microsoft UFO creates a single shared UFOWebSocketHandler instance that is reused across multiple authenticated WebSocket connections. The handler stores protocol objects for each connection ...

6.3CVSS5.8AI score0.00276EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.15 views

UFO³ 安全漏洞

UFO³ is an open-source cross-device collaboration multi-agent task orchestration tool developed by Microsoft. Version UFO³ 3.0.1-4-ge2626659 contains a security vulnerability. This vulnerability arises from the reuse of existing sessionid, leading to the return of expired results, which may resul...

5.3CVSS5.8AI score0.00422EPSS
Exploits0References1
OSV
OSV
added 2026/05/18 9:31 a.m.10 views

GHSA-JP3F-X449-4Q75 Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 a.m.10 views

Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.8CVSS5.9AI score0.00118EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/05/18 8:16 a.m.26 views

CVE-2026-6334

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.8CVSS0.00118EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/18 6:33 a.m.7 views

CVE-2026-6334

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/18 6:33 a.m.26 views

EUVD-2026-30743

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.12 views

Mattermost 安全漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.5.1 and earlier 11.5.x series as well as 10.11.13 and earlier 10.11.x series have security vulnerabilities. These vulnerabilities stem from the lack of mandatory...

3.8CVSS5.9AI score0.00118EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/11 12:0 a.m.7 views

Unity Linux 20.1060e / 20.1070e Security Update: rubygem-puma (UTSA-2026-017528)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017528 advisory. In Puma RubyGem before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If th...

7.5CVSS5.7AI score0.03977EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/04/02 1:54 p.m.8 views

keycloak: Keycloak IDOR in realm client creating/deleting

A flaw was found in Keycloak. An IDOR Broken Access Control vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer client ID provided in the A...

6CVSS5.8AI score0.00315EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/03/25 12:26 a.m.3 views

SUSE CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.9AI score0.00257EPSS
Exploits1References3
OSV
OSV
added 2026/03/12 2:48 p.m.3 views

BIT-PARSE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token...

8.8CVSS5.8AI score0.00426EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/12 12:0 a.m.9 views

Tinyauth 安全漏洞

Tinyauth is an authentication and authorization server developed by Stavros personally. Versions of Tinyauth prior to 5.0.3 contained security vulnerabilities. These vulnerabilities stemmed from the OIDC token endpoint not verifying the identity of the client requesting the exchange of...

6.5CVSS7.3AI score0.0025EPSS
Exploits1References3
OSV
OSV
added 2026/03/11 4:0 p.m.4 views

GO-2026-4656 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend...

8.5CVSS5.9AI score0.00257EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/11 12:17 a.m.5 views

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the Keycloak authentication adapter due to missing validation of the azp claim in access tokens...

8.8CVSS5.8AI score0.00426EPSS
Exploits0References2
OSV
OSV
added 2026/03/11 12:17 a.m.3 views

GHSA-48MH-J4P5-7J9V Parse Server missing audience validation in Keycloak authentication adapter

Impact The Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...

7.6CVSS5.8AI score0.00426EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/10 8:20 p.m.4 views

CVE-2026-30949

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

7.6CVSS5.8AI score0.00426EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/10 8:20 p.m.33 views

CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

7.6CVSS0.00426EPSS
Exploits0References3
Rows per page
Query Builder