9204 matches found

Positive Technologies
added 2026/04/06 12:0 a.m., 4 views

PT-2026-30761

Name of the Vulnerable Software and Affected Versions: Strawberry GraphQL versions through 0.312.3. Description: Strawberry GraphQL is susceptible to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify completion of a connection ini...

CVSS 7.5 | AI score 5.2 | EPSS 0.00424
Exploits: 0 | References: 11
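A worked illustration of the handshake gating the entry above says the legacy handler lacks. This is an added example, not Strawberry's code: a toy graphql-ws style message handler in two variants, one that honours `start` messages whether or not a `connection_init` was ever accepted, and one that tracks the handshake state and closes the socket on out-of-order traffic. The token set, the message shapes and the `authenticate` check are constructed for the demo.

```python
import json
from dataclasses import dataclass, field

# Constructed stand-in for a real token validator (not Strawberry's code).
VALID_TOKENS = {"tok-alice"}


def authenticate(payload: dict) -> bool:
    """Accept the connection only if connection_init carries a known token."""
    return payload.get("token") in VALID_TOKENS


@dataclass
class VulnerableHandler:
    """Acts on 'start' whether or not connection_init was ever accepted."""
    subscriptions: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)

    def handle(self, raw: str) -> None:
        msg = json.loads(raw)
        if msg["type"] == "connection_init":
            ok = authenticate(msg.get("payload") or {})
            self.sent.append({"type": "connection_ack"} if ok
                             else {"type": "connection_error"})
        elif msg["type"] == "start":
            # Bug: nothing ties this message to a successful connection_init,
            # so an unauthenticated socket can open subscriptions.
            self.subscriptions[msg["id"]] = msg["payload"]["query"]
            self.sent.append({"type": "data", "id": msg["id"]})


@dataclass
class HardenedHandler:
    """Tracks the handshake and closes the socket on out-of-order messages."""
    connected: bool = False
    closed: bool = False
    subscriptions: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)

    def _close(self, reason: str) -> None:
        self.closed = True
        self.sent.append({"type": "close", "reason": reason})

    def handle(self, raw: str) -> None:
        if self.closed:
            return  # nothing is processed once the socket is closed
        msg = json.loads(raw)
        mtype = msg.get("type")
        if mtype == "connection_init":
            if self.connected:
                self._close("too many initialisation requests")
            elif not authenticate(msg.get("payload") or {}):
                self._close("unauthenticated")
            else:
                self.connected = True
                self.sent.append({"type": "connection_ack"})
        elif mtype in ("start", "stop"):
            if not self.connected:
                # The check the advisory describes as missing: no subscription
                # traffic is honoured before connection_init has been accepted.
                self._close("connection_init required before " + mtype)
            elif mtype == "start":
                self.subscriptions[msg["id"]] = msg["payload"]["query"]
                self.sent.append({"type": "data", "id": msg["id"]})
            else:
                self.subscriptions.pop(msg["id"], None)
        else:
            self._close("unknown message type")


# Constructed client messages for the demo.
START = json.dumps({"id": "1", "type": "start",
                    "payload": {"query": "subscription { secrets }"}})
STOP = json.dumps({"id": "1", "type": "stop"})
INIT_OK = json.dumps({"type": "connection_init", "payload": {"token": "tok-alice"}})
INIT_BAD = json.dumps({"type": "connection_init", "payload": {"token": "wrong"}})


def run(handler, *messages):
    """Feed messages to a handler in order and return it for inspection."""
    for m in messages:
        handler.handle(m)
    return handler


if __name__ == "__main__":
    print("vulnerable subscribed without init:",
          "1" in run(VulnerableHandler(), START).subscriptions)
    print("hardened subscribed without init:",
          "1" in run(HardenedHandler(), START).subscriptions)
```

The hardened handler also rejects a second `connection_init` and any message type it does not know, which is the behaviour a practitioner should expect from a handler that treats the handshake as a state machine rather than as independent messages.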
Positive Technologies
added 2026/04/04 12:0 a.m., 6 views

PT-2026-30329

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.16.1. Description: Directus' TUS resumable upload endpoint /files/tus allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only...

CVSS 7.1 | AI score 6 | EPSS 0.00302
Exploits: 0 | References: 4
ATTACKERKB
added 2026/04/03 11:33 p.m., 3 views

CVE-2026-34769

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Ap...

CVSS 8.8 | AI score 5.9 | EPSS 0.00295
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/04/03 11:33 p.m., 26 views

CVE-2026-34769

CVE-2026-34769 (Electron) affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8. An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. When apps construct webPreferences from external or untrusted i...

CVSS 8.8 | AI score 5.9 | EPSS 0.00295
Exploits: 0 | References: 4 | Affected Software: 1
SUSE CVE
added 2026/04/03 11:27 p.m., 6 views

SUSE CVE-2026-23470

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence. The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq(), which internally waits for IRQ handlers, i.e. itself, to complete...

CVSS 5.5 | AI score 5.7 | EPSS 0.00094
Exploits: 0 | References: 9
Github Security Blog
added 2026/04/03 9:59 p.m., 16 views

LiteLLM: Authentication bypass via OIDC userinfo cache key collision

Impact: When JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. A...

CVSS 9.4 | AI score 5.9 | EPSS 0.0049
Exploits: 1 | References: 3 | Affected Software: 1
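The collision the entry above describes, shown as an added example rather than LiteLLM's code: two HS256 JWTs for different subjects share their first 20 characters because that prefix is just the base64url encoding of the header `{"alg":"HS256","typ":"JWT"}`, so a cache keyed on `token[:20]` hands the second caller the first caller's userinfo. The signing key, the claims and the local `fetch_userinfo` stand-in are constructed for the demo. Keying the cache on a hash of the whole token is one fix; keying it on the verified `sub` claim rather than on raw token bytes is another.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-hmac-key"  # constructed; only signs the demo tokens


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict, alg: str = "HS256") -> str:
    """Compact HS256 JWT. Only the header shape matters for the collision."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def fetch_userinfo(token: str) -> dict:
    """Constructed stand-in for the OIDC userinfo round-trip: decode the claims locally."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore the base64 padding stripped by b64url
    return json.loads(base64.urlsafe_b64decode(body))


class UserinfoCache:
    """Memoises userinfo lookups under whatever key function it is given."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def lookup(self, token: str) -> dict:
        key = self.key_fn(token)
        if key not in self.store:
            self.store[key] = fetch_userinfo(token)
        return self.store[key]


def weak_key(token: str) -> str:
    # The key shape the advisory describes: a prefix that is only the JWT header.
    return token[:20]


def strong_key(token: str) -> str:
    # Hash of the whole token: distinct tokens get distinct cache entries.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed tokens for two different principals.
ALICE = make_jwt({"sub": "alice", "role": "admin"})
MALLORY = make_jwt({"sub": "mallory", "role": "user"})


def second_lookup_subject(key_fn) -> str:
    """Alice's token is looked up first; return whose userinfo Mallory's token then gets."""
    cache = UserinfoCache(key_fn)
    cache.lookup(ALICE)
    return cache.lookup(MALLORY)["sub"]


if __name__ == "__main__":
    print("shared 20-char prefix:", ALICE[:20] == MALLORY[:20])
    print("weak key serves:", second_lookup_subject(weak_key))
    print("strong key serves:", second_lookup_subject(strong_key))
```

The prefix only collides for tokens whose headers encode identically, which is why the advisory scopes the issue to tokens produced by the same signing algorithm; a token with a different `alg` value diverges inside the first 20 characters.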
EUVD
added 2026/04/03 6:31 p.m., 3 views

EUVD-2026-18740

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence. The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq(), which internally waits for IRQ handlers, i.e. itself, to complete...

AI score 5.7 | EPSS 0.00094
Exploits: 0 | References: 5
UbuntuCve
added 2026/04/03 4:16 p.m., 3 views

CVE-2026-23466

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection. GGTT MMIO access is currently protected by hotplug drm_dev_enter(), which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load fail...

CVSS 7.8 | AI score 5.7 | EPSS 0.00129
Exploits: 0 | References: 6
Cvelist
added 2026/04/03 3:15 p.m., 16 views

CVE-2026-23470 drm/imagination: Fix deadlock in soft reset sequence

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence. The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq(), which internally waits for IRQ handlers, i.e. itself, to complete...

EPSS 0.00094
Exploits: 0 | References: 4
ATTACKERKB
added 2026/04/03 3:15 p.m., 3 views

CVE-2026-23470

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence. The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq(), which internally waits for IRQ handlers, i.e. itself, to complete...

AI score 5.7 | EPSS 0.00094
Exploits: 0 | References: 5 | Affected Software: 1
CVE
added 2026/04/03 3:15 p.m., 13 views

CVE-2026-23470

CVE-2026-23470 concerns the Linux kernel's DRM/imagination path where the soft reset sequence can deadlock because it runs in a threaded IRQ handler and cannot call disable_irq() (which would wait on IRQ handlers). The fix is to use disable_irq_nosync() during the soft reset to avoid waiting on t...

CVSS 5.5 | AI score 5.7 | EPSS 0.00094
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2026/04/03 3:29 a.m., 7 views

Authentication Bypass Using an Alternate Path or Channel

Overview: better-auth describes itself as "the most comprehensive authentication library for TypeScript." Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the session.cookieCache component. An attacker can gain unauthorized access to protected...

CVSS 9.1 | AI score 5.9
Exploits: 0 | References: 2
Github Security Blog
added 2026/04/03 3:29 a.m., 20 views

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary: Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor. Description: When two-factor authentication is enabled, the authentication flow...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/04/03 3:29 a.m., 4 views

GHSA-XG6X-H9C9-2M83 Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary: Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor. Description: When two-factor authentication is enabled, the authentication flow...

CVSS 9.1 | AI score 5.9
Exploits: 0 | References: 2
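The failure mode behind the three Better Auth entries above (Snyk, GitHub Security Blog and OSV), reduced to a runnable model. This is an added example and not Better Auth's code: the "cookie cache" is modelled as a signed cookie that carries a snapshot of the session, written as soon as the password step succeeds. A route guard that accepts any well-signed snapshot lets a user whose second factor is still pending through; the hardened guard requires the snapshot to record a completed second factor. The signing key, the TOTP value and the flow functions are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

COOKIE_SECRET = b"constructed-cookie-signing-key"  # constructed for the demo
DEMO_TOTP = "123456"  # constructed; a real flow verifies a TOTP or WebAuthn response


def sign_session(session: dict) -> str:
    """Serialise a session snapshot into a signed cookie value (the cookie cache)."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    mac = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def read_session(cookie: str):
    """Return the cached session if the signature checks out, else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def password_login(user: str, two_factor_enabled: bool) -> str:
    """After the password step the session exists and is cached in the cookie,
    but for 2FA users the second factor has not been verified yet."""
    return sign_session({"user": user, "two_factor_verified": not two_factor_enabled})


def complete_two_factor(cookie: str, code: str):
    """Re-issue the cached session only once the second factor is verified."""
    session = read_session(cookie)
    if session is None or not hmac.compare_digest(code, DEMO_TOTP):
        return None
    session["two_factor_verified"] = True
    return sign_session(session)


def authorize_vulnerable(cookie: str):
    """Trusts any well-signed cached session: the premature cache alone is enough."""
    session = read_session(cookie)
    return session["user"] if session else None


def authorize_hardened(cookie: str):
    """Requires the cached snapshot to record a completed second factor."""
    session = read_session(cookie)
    if session is None or not session.get("two_factor_verified"):
        return None
    return session["user"]


if __name__ == "__main__":
    half_done = password_login("bob", two_factor_enabled=True)
    print("vulnerable guard admits:", authorize_vulnerable(half_done))
    print("hardened guard admits:", authorize_hardened(half_done))
    print("after 2FA:", authorize_hardened(complete_two_factor(half_done, DEMO_TOTP)))
```

The stricter design is not to write the cache at all until the second factor has been verified, so that no cookie exists for the guard to misread; the hardened guard here is the defence in depth that still holds if a half-finished session does reach the cache.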
Positive Technologies
added 2026/04/03 12:0 a.m., 5 views

PT-2026-30164

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence. The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq(), which internally waits for IRQ handlers, i.e. itself, to complete...

AI score 5.7 | EPSS 0.00094
Exploits: 0 | References: 5
RedhatCVE
added 2026/04/02 4:57 p.m., 5 views

CVE-2026-34235

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload...

CVSS 9.1 | AI score 5.8 | EPSS 0.00405
Exploits: 0 | References: 1
Microsoft Secure
added 2026/04/01 9:0 p.m., 7 views

Mitigating the Axios npm supply chain compromise

In this article: 1. Analysis of the attack; 2. Mitigation and protection guidance; 3. Microsoft Defender detections; 4. Indicators of compromise; 5. Hunting queries. On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP...

AI score 6.6
Exploits: 0
OSV
added 2026/04/01 8:54 p.m., 4 views

GHSA-HQXF-MHFW-RC44 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary: The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

CVSS 6.5 | AI score 6 | EPSS 0.00201
Exploits: 1 | References: 5
Github Security Blog
added 2026/04/01 8:54 p.m., 13 views

AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary: The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

CVSS 6.5 | AI score 6 | EPSS 0.00201
Exploits: 1 | References: 5 | Affected Software: 1