Lucene search
K

21 matches found

RedHat Linux
RedHat Linux
added 2026/05/20 11:23 a.m.12 views

keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.7AI score0.00344EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.9 views

Keycloak: Access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.7AI score0.00344EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/05/19 12:31 p.m.10 views

GHSA-HQ3P-W4XV-X7VP Keycloak: Access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.7AI score0.00344EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/05/19 11:1 a.m.9 views

CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/19 11:1 a.m.40 views

CVE-2026-7571 Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS0.00344EPSS
Exploits0References4
CVE
CVE
added 2026/05/19 11:1 a.m.74 views

CVE-2026-7571

Keycloak vulnerability CVE-2026-7571 allows a low-privilege user with knowledge of user credentials and client ID to bypass a security control that disables implicit flow in OpenID Connect clients. By manipulating forged client data during a session restart, an attacker can obtain an access token...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/19 10:53 a.m.13 views

CVE-2026-7571

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.7AI score0.00344EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/06 9:32 p.m.3 views

CVE-2026-35410 Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass...

6.1CVSS6.1AI score0.00256EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.5 views

PT-2026-28081

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.8.0 Description n8n is a workflow automation platform. When the N8N SKIP AUTH ON OAUTH CALLBACK environment variable is set to true, the OAuth callback handler does not verify the ownership of the OAuth state parameter...

6.3CVSS5.9AI score0.0018EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/02/14 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-23128

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - arm64: Set nocfi on swsusparchresume A DABT is reported1 on an android based system when resume from hiberate. This happens because swsusparchsuspendexit is...

5.5CVSS6.3AI score0.00114EPSS
Exploits0References3
CVE
CVE
added 2026/01/09 7:22 a.m.15 views

CVE-2025-13934

CVE-2025-13934 (Tutor LMS for WordPress) : The WordPress Tutor LMS plugin (versions up to 3.9.3) is affected by a missing capability check and purchasability validation in the course_enrollment() AJAX handler, enabling authenticated users with Subscriber+ to enroll in any course outside the prope...

4.3CVSS4.8AI score0.00202EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/21 12:18 a.m.13 views

CVE-2025-63700

An issue was discovered in clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. NOTE: this is disputed by the Supplier because there is no available information to reproduce the issue, and because an OAuth...

7.5CVSS6.8AI score0.00095EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/11/20 12:0 a.m.5 views

PT-2025-47613

Name of the Vulnerable Software and Affected Versions Clerk-js version 5.88.0 Description An issue allows attackers to bypass the OAuth authentication flow by manipulating the request during the OTP verification stage. Recommendations At the moment, there is no information about a newer version...

7.5CVSS6.7AI score0.00095EPSS
Exploits0References9
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2022-1678

Malicious code in bioql PyPI...

9.8CVSS7.3AI score0.02829EPSS
Exploits2References11
AlpineLinux
AlpineLinux
added 2025/10/01 7:27 p.m.10 views

CVE-2025-59147

Suricata is a network IDS, IPS and NSM engine developed by the OISF Open Information Security Foundation and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers with...

7.5CVSS6.8AI score0.00344EPSS
Exploits0
Debian
Debian
added 2025/07/22 1:10 a.m.168 views

[SECURITY] [DLA 4246-1] libowasp-esapi-java security update

Debian LTS Advisory DLA-4246-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany July 22, 2025 https://wiki.debian.org/LTS Package : libowasp-esapi-java Version : 2.4.0.0-0+deb11u1 CVE ID : CVE-2022-23457 CVE-2022-24891 CVE-2025-5878 Debian Bug : 1010339 1109378...

9.8CVSS6.7AI score0.02829EPSS
Exploits4
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.12 views

Linux Distros Unpatched Vulnerability : CVE-2022-23457

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ESAPI The OWASP Enterprise Security API is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation o...

9.8CVSS7AI score0.02829EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2025/02/05 11:28 p.m.17 views

CVE-2022-23457

ESAPI The OWASP Enterprise Security API is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPathString, String, File, boolean may incorrectly treat the tested input string as a child of the specified...

9.8CVSS6.7AI score0.02829EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2022/04/25 12:0 a.m.10 views

PT-2022-3553

Name of the Vulnerable Software and Affected Versions ESAPI versions prior to 2.3.0.0 Description The default implementation of Validator.getValidDirectoryPathString, String, File, boolean may incorrectly treat the tested input string as a child of the specified parent directory. This potentially...

9.8CVSS6.6AI score0.02829EPSS
Exploits4References26
OSV
OSV
added 2019/02/04 9:29 p.m.3 views

CVE-2019-4038

IBM Security Identity Manager 6.0 and 7.0 could allow an attacker to create unexpected control flow paths through the application, potentially bypassing security checks. Exploitation of this weakness can result in a limited form of code injection. IBM X-Force ID: 156162...

6.2CVSS6.9AI score0.00439EPSS
Exploits0References2
Rows per page
Query Builder