Lucene search
K

46 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/01 8:44 p.m.2 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

6.5CVSS5.8AI score0.00324EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/01 8:44 p.m.30 views

CVE-2026-34531 Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

6.5CVSS0.00324EPSS
Exploits0References3
CVE
CVE
added 2026/04/01 8:44 p.m.28 views

CVE-2026-34531

CVE-2026-34531 affects Flask-HTTPAuth (Python package) and concerns the token verification callback receiving an empty string when a request targets a token-protected resource without a token or with an empty token. This could allow authentication against any user whose token is an empty string. ...

8.2CVSS5.8AI score0.00324EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2026/04/01 8:44 p.m.6 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS5.6AI score0.00324EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29829

Name of the Vulnerable Software and Affected Versions PraisonAI affected versions not specified Description A flaw exists in the token validation process, where the OAuthManager.validate token function incorrectly returns True for any token not found in its internal store. This store is empty by...

9.1CVSS6.1AI score0.00375EPSS
Exploits1References11
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.7 views

Flask-HTTPAuth 授权问题漏洞

Flask-HTTPAuth is an HTTP authentication extension for the Flask framework developed by Miguel Grinberg. Versions of Flask-HTTPAuth prior to 4.8.1 had an authorization vulnerability. This vulnerability occurred when the client made a request to a resource protected by a token, but did not pass th...

8.2CVSS6.1AI score0.00324EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/31 11:48 p.m.4 views

Improper Authentication

Overview Flask-HTTPAuth is a HTTP authentication for Flask routes Affected versions of this package are vulnerable to Improper Authentication in the token verification process. An attacker can gain unauthorized access by submitting a request with a missing or empty token if the application stores...

8.3CVSS5.7AI score0.00324EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/31 11:48 p.m.9 views

Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

Summary In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any...

8.2CVSS5.9AI score0.00324EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.5 views

PT-2026-29428

Name of the Vulnerable Software and Affected Versions Flask-HTTPAuth versions prior to 4.8.1 Description Flask-HTTPAuth, when used with token authentication, could potentially authenticate client requests against any user in the database with an empty string set as their token if the client reque...

6.5CVSS5.9AI score0.00324EPSS
Exploits0References9
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/31 12:0 a.m.12 views

Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in...

8.2CVSS5.9AI score0.00324EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/13 9:1 a.m.4 views

BIT-ARGO-WORKFLOWS-2026-28229 Argo Workflows has unauthorized access to Argo Workflows Template

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates and ClusterWorkflowTemplates. Any request with a Authorization: Bearer nothing...

9.8CVSS5.8AI score0.00652EPSS
Exploits1References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-7651

Malicious code in bioql PyPI...

9.1CVSS9AI score0.00811EPSS
Exploits0References5
GithubExploit
GithubExploit
added 2024/11/05 8:55 p.m.77 views

Exploit for CVE-2024-9933

CVE-2024-9933 WatchTowerHQ = 3.10.1 - Authentication Bypas...

9.8CVSS9.7AI score0.01935EPSS
Exploits2
Veracode
Veracode
added 2024/05/27 7:52 p.m.11 views

Authentication Bypass

SilverStripe is vulnerable to Authentication Bypass. The vulnerability is caused by providing an empty token parameter with secure token parameters like isDev or flush, allowing bypass of normal authentication mechanisms...

7.4AI score
Exploits0
Positive Technologies
Positive Technologies
added 2024/05/23 12:0 a.m.4 views

PT-2024-40284 · Silverstripe · Silverstripe

Name of the Vulnerable Software and Affected Versions: SilverStripe affected versions not specified Description: The issue allows bypassing normal authentication parameters by providing an empty token parameter to a SilverStripe site when a secure token parameter is given, such as isDev or flush...

6.5CVSS7.1AI score
Exploits0References6
OSV
OSV
added 2023/11/24 4:53 p.m.28 views

GHSA-FPVW-6M5V-HQFP Capsule Proxy Authentication bypass using an empty token

The privilege escalation is based on a missing check if the user is authenticated based on the TokenReview result. All the clusters running with the anonymous-auth Kubernetes API Server setting disable set to false are affected since it would be possible to bypass the token review mechanism,...

9.8CVSS9.5AI score0.00574EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2022/12/28 12:30 a.m.25 views

golang-nanoauth authentication bypass vulnerability

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token...

9.1CVSS8.8AI score0.00811EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/06/13 6:15 p.m.3 views

CVE-2022-33174

Power Distribution Units running on Powertek firmware multiple brands before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an emp...

7.5CVSS5.8AI score0.13425EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2021/04/14 12:0 a.m.5 views

PT-2021-12084 · Unknown · Golang-Nanoauth

Name of the Vulnerable Software and Affected Versions: golang-nanoauth versions v0.0.0-20160722212129-ac0cc4484ad4 through v0.0.0-20200131131040-063a3fb69896 Description: The issue concerns a global bypass of authentication in the golang-nanoauth library. When the ListenAndServe function is calle...

9.1CVSS9.1AI score0.00811EPSS
Exploits0References10
Snyk
Snyk
added 2020/11/13 5:18 p.m.4 views

Information Exposure

Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Information Exposure. An attacker can query the API v2 Order Status endpoint with an empty string passed as an Order token. Remediation Upgrade spreeapi to version 3.7.13, 4.0.5, 4.1.12 or higher. Referenc...

7.7CVSS6.9AI score0.01111EPSS
Exploits1References2
Rows per page
Query Builder