Lucene search
K

85 matches found

NVD
NVD
added 2026/03/10 5:38 p.m.5 views

CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS0.00257EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.5 views

Pocket ID 安全漏洞

Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID prior to 2.4.0 contained a security vulnerability. This vulnerability stemmed from the OIDC token endpoint only refusing authorization codes when the client ID was incorrect and the code...

8.5CVSS7.3AI score0.00257EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/09 10:19 p.m.4 views

CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/09 10:19 p.m.5 views

EUVD-2026-10409

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References1
OSV
OSV
added 2026/03/09 10:19 p.m.6 views

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.9AI score0.00257EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/09 10:19 p.m.46 views

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS0.00257EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/09 10:19 p.m.1 views

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References1
CVE
CVE
added 2026/03/09 10:19 p.m.13 views

CVE-2026-28513

Pocket ID is an OIDC provider. Before version 2.4.0, the token endpoint could accept an authorization code that is expired when the client ID is correct, enabling cross-client code reuse and expired-code reuse. The issue is fixed in 2.4.0. No exploitation path details are provided beyond that, an...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/03/09 5:24 p.m.5 views

EUVD-2026-10408

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References1
OSV
OSV
added 2026/03/09 5:24 p.m.3 views

GHSA-QH6Q-598W-W6M2 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/09 5:24 p.m.9 views

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/04 5:16 p.m.6 views

CVE-2026-23808

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key GTK on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthoriz...

8.1CVSS5.8AI score0.00264EPSS
Exploits0References1
NVD
NVD
added 2026/03/04 5:16 p.m.18 views

CVE-2026-23808

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key GTK on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthoriz...

8.1CVSS0.00264EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/04 4:9 p.m.5 views

CVE-2026-23808 Client Isolation Bypass via GTK Manipulation

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key GTK on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthoriz...

5.4CVSS5.9AI score0.00264EPSS
Exploits0References1
CVE
CVE
added 2026/03/04 4:9 p.m.20 views

CVE-2026-23808

Summary: CVE-2026-23808 describes a vulnerability in a standardized wireless roaming protocol that could allow an attacker to install an attacker-controlled Group Temporal Key (GTK) on a client device. This could enable unauthorized frame injection, bypass of client isolation, disruption of cross...

8.1CVSS5.9AI score0.00264EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/04 4:9 p.m.5 views

CVE-2026-23808

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key GTK on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthoriz...

5.4CVSS5.9AI score0.00264EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/04 4:9 p.m.38 views

CVE-2026-23808 Client Isolation Bypass via GTK Manipulation

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key GTK on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthoriz...

5.4CVSS0.00264EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.16 views

PT-2026-22942

Name of the Vulnerable Software and Affected Versions affected versions not specified Description A flaw exists in a standardized wireless roaming protocol that may allow an attacker to install a manipulated Group Temporal Key GTK on a client device. Exploitation of this issue could lead to...

8.1CVSS5.8AI score0.00264EPSS
Exploits0References4
NVD
NVD
added 2026/02/04 10:15 p.m.13 views

CVE-2026-25536

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS0.00267EPSS
Exploits0References7
EUVD
EUVD
added 2026/02/04 9:29 p.m.7 views

EUVD-2026-5335

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

7.1CVSS5.3AI score0.00267EPSS
Exploits0References3
Rows per page
Query Builder