Lucene search
K

54 matches found

Cvelist
Cvelist
added 4 days ago25 views

CVE-2026-56350 n8n - SSO Enforcement Bypass via API

n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor...

6.3CVSS0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 12:12 p.m.8 views

CVE-2026-56243

Capgo before 12.128.2 has a security control bypass in the PostgREST/RLS plane: it accepts plaintext API keys via the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext keys directly to the PostgREST/RLS plane t...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.6 views

RHEL 9 : webkit2gtk3 (RHSA-2026:28148)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28148 advisory. WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: Processing maliciously...

8.8CVSS5.9AI score0.00693EPSS
Exploits0References34
ATTACKERKB
ATTACKERKB
added 2026/06/22 9:4 p.m.5 views

CVE-2026-56306

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...

6.4CVSS5.9AI score0.00251EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/20 3:24 p.m.31 views

CVE-2026-56295 Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS0.00188EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/16 9:38 p.m.24 views

CVE-2026-48783 Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The...

4.8CVSS0.0017EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.32 views

CVE-2026-53835 OpenClaw < 2026.5.6 - Config-Write Enforcement Bypass in Feishu Dynamic-Agent Bindings

OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding...

4.3CVSS0.00166EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-49039

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.6 Description A configuration enforcement bypass exists in Feishu dynamic-agent bindings. This issue allows authenticated senders to create or update bindings without adhering to the configured config-write...

4.3CVSS5.2AI score0.00166EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/06 7:49 p.m.27 views

CVE-2026-43583 OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery

OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery...

6CVSS0.00214EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/27 11:24 p.m.6 views

EUVD-2026-25947

OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement...

5.3CVSS5.1AI score0.00166EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/27 11:24 p.m.2 views

CVE-2026-41367 OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions

OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement...

5.3CVSS5.2AI score0.00166EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/23 9:58 p.m.34 views

CVE-2026-41341 OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement o...

5.4CVSS0.00125EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:6 p.m.5 views

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...

6.9CVSS5.8AI score0.00152EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/20 2:46 p.m.6 views

CVE-2026-33132

A flaw was found in ZITADEL, an open-source identity management platform. A user could bypass organization enforcement during authentication due to missing controls in device authorization requests and specific login and OIDC API endpoints. This allowed users to sign in with credentials from othe...

5.3CVSS5.7AI score0.00309EPSS
Exploits0References7
NVD
NVD
added 2026/03/20 11:18 a.m.4 views

CVE-2026-33132

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes urn:zitadel:iam:org:id:...

5.3CVSS0.00309EPSS
Exploits0References4
CVE
CVE
added 2026/03/20 10:21 a.m.23 views

CVE-2026-33132

CVE-2026-33132 concerns Zitadel, an open source identity management platform. Connected advisories confirm a missing enforcement of organization scopes in Zitadel’s authentication flow, enabling a bypass of organization checks for users during sign-in. Affected components include the Zitadel core...

5.3CVSS5.7AI score0.00309EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/03/13 9:31 p.m.6 views

EUVD-2026-11746

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...

6.9CVSS5.8AI score0.00152EPSS
Exploits0References4
NVD
NVD
added 2026/03/13 7:54 p.m.4 views

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...

6.9CVSS0.00152EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/13 1:18 a.m.1 views

CVE-2026-22201 wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...

6.9CVSS5.8AI score0.00152EPSS
Exploits0References3
CVE
CVE
added 2026/03/13 1:18 a.m.15 views

CVE-2026-22201

wpDiscuz before 7.6.47 is affected by an IP spoofing vulnerability in the getIP() function. By trusting untrusted HTTP headers (HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR), an attacker can spoof their IP address and bypass IP-based rate limiting and ban enforcement. The CVE entry specifies the issue ...

6.9CVSS5.8AI score0.00152EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder