Lucene search
K

957 matches found

OSV
OSV
added 2026/03/12 2:51 p.m.4 views

GHSA-QP4C-XG64-7C6X @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Impact A Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid hostname against private IP ranges but does not apply the same validation...

6.3CVSS5.8AI score0.00292EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/12 2:50 p.m.8 views

Open Redirect

Overview @backstage/plugin-auth-backend is an A Backstage backend plugin that handles authentication Affected versions of this package are vulnerable to Open Redirect via the OAuth redirect URI validation bypass. An attacker can intercept authorization codes by crafting a redirect URI that bypass...

5.9CVSS5.8AI score0.00139EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.9 views

PT-2026-25052

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 0.27.1 Description Backstage is an open framework for building developer portals. A Server-Side Request Forgery SSRF issue exists in the @backstage/plugin-auth-backend component when the...

7.5CVSS5.2AI score0.00292EPSS
Exploits0References9
CNNVD
CNNVD
added 2026/03/12 12:0 a.m.24 views

Backstage 代码问题漏洞

Backstage is an open-source application developed by Backstage. It serves as an open platform for building developer portals. Versions of Backstage prior to 0.27.1 contained code-related vulnerabilities. These vulnerabilities stemmed from server-side request forgeing when the experimental client ...

7.5CVSS5.8AI score0.00292EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.5 views

PT-2026-25051

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 0.27.1 Description Backstage, an open framework for building developer portals, has an issue in the experimental OIDC provider within the @backstage/plugin-auth-backend component. Specifically, a redirect URI...

5.9CVSS6AI score0.00139EPSS
Exploits0References9
Packet Storm News
Packet Storm News
added 2026/03/11 12:0 a.m.3 views

Layered Performance Analysis of TLS 1.3 Handshakes: Classical, Hybrid, and Pure Post-Quantum Key Exchange

In this paper, we present a laboratory study focused on the impact of post-quantum cryptography PQC algorithms on multiple layers of stateful HTTP over TLS transactions: the TCP handshake, the intermediate TCP-TLS layer, the TLS handshake, the intermediate TLS layer, and the HTTP application laye...

5.8AI score
Exploits0
OSV
OSV
added 2026/03/02 8:42 a.m.8 views

BIT-MASTODON-2026-27477 Mastodon has SSRF via unvalidated FASP Provider base_url

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen baseurl that includes or...

8.2CVSS6AI score0.0027EPSS
Exploits0References3
OSV
OSV
added 2026/03/02 8:42 a.m.3 views

BIT-MASTODON-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS6AI score0.00244EPSS
Exploits0References3
OSV
OSV
added 2026/02/28 2:4 a.m.2 views

GHSA-FPG4-JHQR-589C SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

6.3CVSS6AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/28 2:4 a.m.12 views

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

6AI score
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/25 10:18 p.m.7 views

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS5.5AI score0.00244EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/24 7:0 p.m.2 views

CVE-2026-27477

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen baseurl that includes or...

8.2CVSS5.9AI score0.0027EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/02/24 7:0 p.m.18 views

CVE-2026-27477

Mastodon CVE-2026-27477 describes an SSRF risk in the FASP feature: unauthenticated registration of a FASP with a base_url that can resolve to an internal address, when the server has EXPERIMENTAL_FEATURES including fasp enabled. Affected: Mastodon versions 4.4.0–4.4.13 and 4.5.0–4.5.6. Impact: s...

8.2CVSS5.7AI score0.0027EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/24 7:0 p.m.7 views

CVE-2026-27477 Mastodon has SSRF via unvalidated FASP Provider base_url

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen baseurl that includes or...

8.2CVSS5.8AI score0.0027EPSS
Exploits0References4
NVD
NVD
added 2026/02/24 6:29 p.m.7 views

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS0.00244EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/24 5:12 p.m.29 views

CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/24 5:12 p.m.3 views

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS5.9AI score0.00244EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/24 5:12 p.m.3 views

CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS6AI score0.00244EPSS
Exploits0References2
OSV
OSV
added 2026/02/24 5:12 p.m.6 views

CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS5.6AI score0.00244EPSS
Exploits0References4
CVE
CVE
added 2026/02/24 5:12 p.m.18 views

CVE-2026-27468

CVE-2026-27468 (Mastodon) affects Mastodon servers that have enabled the experimental FASP feature via EXPERIMENTAL_FEATURES including “fasp”. In versions 4.4.0–4.4.13 and 4.5.0–4.5.6, actions by a FASP to subscribe to account/content lifecycle events or to backfill content did not verify adminis...

8.3CVSS5.5AI score0.00244EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder