954 matches found
GHSA-246W-JGMQ-88FG openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access
Summary When openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin directive, clients that do not support WebAuth/SSO e.g., the openvpn CLI on Linux are incorrectly admitted to the VPN despite being denied by the authentication logic. The...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the handleAuthUserPassVerify process when deployed in experimental plugin mode. An attacker can gain unauthorized VPN access by connecting with a client that does not advertise WebAuth/SSO support, thereby...
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access
Summary When openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin directive, clients that do not support WebAuth/SSO e.g., the openvpn CLI on Linux are incorrectly admitted to the VPN despite being denied by the authentication logic. The...
PT-2026-34452
Name of the Vulnerable Software and Affected Versions openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 Description An authentication bypass exists when the software is deployed in experimental plugin mode. Clients that do not support WebAuth/SSO are incorrectly granted full network access witho...
PT-2026-34525
Summary When openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin directive, clients that do not support WebAuth/SSO e.g., the openvpn CLI on Linux are incorrectly admitted to the VPN despite being denied by the authentication logic. The...
com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.3-rc.1), com.arpnetworking.metrics:mad-experimental (>=1.2.4 <=1.2.11) +66 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.7)
org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.2.4, =1.22.5, =1.13.8, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =1.17.0, =1.17.0, =1.17.0, =0.5.0, =2.7.3, =218.0.0, =14.5.0, =16.0.0 and more Source cves: CVE-2026-40490 Source advisory: OSV:GHSA-CMXV-58FP-FM3G...
tinyobjloader 安全漏洞
tinyobjloader is an application developed by Dan Kiyochi. There is a security vulnerability in tinyobjloader, which stems from the experimental/tinyobjloaderopt.h file containing a stack overflow issue, potentially leading to denial-of-service attacks...
PT-2026-32357
A stack overflow in the experimental/tinyobj loader opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service DoS via supplying a crafted .mtl file...
CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
UBUNTU-CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the DoTls13CertificateVerify process when handling a dual-algorithm CertificateVerify message due to improper bounds checking on crafted input. An attacker can cause the application to read memory outside the...
CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
CVE-2026-5393 OOB Read in DoTls13CertificateVerify with WOLFSSL_DUAL_ALG_CERTS
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL...
PT-2026-31826
Name of the Vulnerable Software and Affected Versions wolfSSL affected versions not specified Description An out-of-bounds read can occur when processing a dual-algorithm CertificateVerify message on crafted input. This issue only occurs when wolfSSL is built with the --enable-experimental and...
BIT-NODE-MIN-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...
CVE-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...
UBUNTU-CVE-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...