
36 matches found

EUVD
added 2026/06/19 1:34 p.m., 13 views

EUVD-2026-37787

Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests...

CVSS 9.1 | AI score 5.8 | EPSS 0.00297
Exploits 0 | References 4

OSV
added 2026/06/19 1:34 p.m., 6 views

GHSA-R78R-RWRF-RJWP Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests

Advisory / Disclosure Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI npm network-ai, latest v5.7.1 Status: the advisory "Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret" named three flaws. The...

CVSS 9.1 | AI score 5.9 | EPSS 0.00297
Exploits 0 | References 5

OSV
added 2026/06/18 3:5 p.m., 4 views

GHSA-W5CV-PW74-4RXC opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication

githubreceiver Silently Ignores Configured required_headers Authentication Summary The githubreceiver webhook handler does not enforce the required_headers configuration. Headers are validated at startup (config rejects empty keys/values) but are never checked on incoming requests. This follows the same...

CVSS 6.9 | AI score 5.5
Exploits 0 | References 2

Positive Technologies
added 2026/06/18 12:00 a.m., 18 views

PT-2026-50743

Name of the Vulnerable Software and Affected Versions opentelemetry-collector-contrib affected versions not specified Description The githubreceiver webhook handler fails to enforce the required headers configuration. While these headers are validated during startup, they are not checked on...

CVSS 6.9 | AI score 6
Exploits 0 | References 4

CVE
added 2026/06/17 7:42 p.m., 38 views

CVE-2026-48814

Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions

CVSS 9.1 | AI score 5.3 | EPSS 0.00297
Exploits 0 | References 3

RedhatCVE
added 2026/06/05 7:17 p.m., 9 views

CVE-2026-6456

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...

CVSS 8.8 | AI score 5.5 | EPSS 0.00385
Exploits 0 | References 1

Github Security Blog
added 2026/05/21 10:39 p.m., 17 views

Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret. Repository: Jovancoding/Network-AI. Affected version: v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac). Summary: The MCP SSE server defaults to an empty secret...

AI score 6 | EPSS 0.00023
Exploits 0 | References 2 | Affected Software 1

Positive Technologies
added 2026/05/21 12:00 a.m., 18 views

PT-2026-42703

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret. Repository: Jovancoding/Network-AI. Affected version: v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac). Summary: The MCP SSE server defaults to an empty secret...

CVSS 7.6 | AI score 6 | EPSS 0.00023
Exploits 0 | References 8

NVD
added 2026/05/20 2:16 a.m., 20 views

CVE-2026-6456

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...

CVSS 8.8 | EPSS 0.00385
Exploits 0 | References 4

CVE
added 2026/05/20 1:25 a.m., 21 views

CVE-2026-6456

The CVE-2026-6456 entry documents a Privilege Escalation in the WordPress Account Switcher plugin up to version 1.0.2. The root cause is the rememberLogin REST API endpoint using a loose comparison (!=) instead of strict (!==) for secret validation at app/RestAPI.php:111, plus validation that the...

CVSS 8.8 | AI score 5.8 | EPSS 0.00385
Exploits 0 | References 4

Positive Technologies
added 2026/05/20 12:00 a.m., 20 views

PT-2026-42068

Name of the Vulnerable Software and Affected Versions Account Switcher versions prior to 1.0.3 Description The Account Switcher plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to escalate privileges to any user account, including Administrator. This occu...

CVSS 8.8 | AI score 5.8 | EPSS 0.00385
Exploits 0 | References 8

Vulnrichment
added 2026/05/13 7:12 p.m., 7 views

CVE-2026-44351 fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass

fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...

CVSS 9.1 | AI score 6 | EPSS 0.00236
Exploits 0 | References 1

CVE
added 2026/05/13 7:12 p.m., 37 views

CVE-2026-44351

CVE-2026-44351 — fast-jwt auth bypass (pre-6.2.4) : The vulnerability exists in fast-jwt’s async key-resolver flow when the resolver returns an empty string or zero-length Buffer. The library may treat this as a valid secret and derive allowedAlgorithms as HS256/HS384/HS512, then verify a JWT aga...

CVSS 9.1 | AI score 6 | EPSS 0.00236
Exploits 0 | References 1

CVE
added 2026/05/08 10:21 p.m., 45 views

CVE-2026-41432

CVE-2026-41432 affects New API versions prior to 0.12.10. The Stripe webhook endpoint is exposed at /api/stripe/webhook and is vulnerable when StripeWebhookSecret is empty, enabling an unauthenticated attacker to forge webhook events and fraudulently credit quota. Root causes listed across source...

CVSS 8.2 | AI score 5.9 | EPSS 0.00259
Exploits 1 | References 2 | Affected Software 1

Vulnrichment
added 2026/05/08 10:21 p.m., 11 views

CVE-2026-41432 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

CVSS 7.1 | AI score 5.9 | EPSS 0.00259
Exploits 1 | References 2

OSV
added 2026/05/06 10:26 p.m., 5 views

GHSA-GMVF-9V4P-V8JC fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...

CVSS 9.1 | AI score 6 | EPSS 0.00236
Exploits 0 | References 3

OSV
added 2026/04/24 8:36 p.m., 6 views

GHSA-6X2Q-H3CR-8J2H Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Summary There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-tim...

CVSS 6.3 | AI score 5.8 | EPSS 0.00369
Exploits 0 | References 6

Github Security Blog
added 2026/04/24 3:43 p.m., 41 views

New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...

CVSS 8.2 | AI score 5.9 | EPSS 0.00259
Exploits 1 | References 6 | Affected Software 1

Snyk
added 2026/04/24 3:43 p.m., 5 views

Insecure Default Initialization of Resource

Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the StripeWebhook process. An attacker can gain unauthorized quota credits and perform financial fraud by forging webhook requests with a publicly computable signature when the webhook...

CVSS 8.2 | AI score 5.8 | EPSS 0.00259
Exploits 1 | References 4

OSV
added 2026/04/24 3:43 p.m., 12 views

GHSA-XFF3-5C9P-2MR4 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...

CVSS 7.1 | AI score 6 | EPSS 0.00259
Exploits 1 | References 6