Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

43 matches found

NVD
NVDadded 2 days ago8 views

CVE-2026-56425

The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...

9.3CVSS0.00303EPSS
Exploits0References1
NVD
NVDadded 2026/06/11 2:16 p.m.9 views

CVE-2026-53661

Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could...

8.8CVSS0.00259EPSS
Exploits0References3
Cvelist
Cvelistadded 2026/06/11 12:58 p.m.25 views

CVE-2026-53661 boruta-server sent sensitive session cookies without the Secure attribute

Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could...

8.8CVSS0.00259EPSS
Exploits0References3
Vulnrichment
Vulnrichmentadded 2026/06/11 12:58 p.m.8 views

CVE-2026-53661 boruta-server sent sensitive session cookies without the Secure attribute

Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could...

8.8CVSS5.5AI score0.00259EPSS
Exploits0References3
CVE
CVEadded 2026/06/11 12:58 p.m.15 views

CVE-2026-53661

CVE-2026-53661 affects Boruta (standalone OAuth2/OpenID Connect server). Prior to 0.9.1, session cookies (_boruta_web_key) and identity remember-me cookie (_boruta_identity_web_user_remember_me) were set without Secure; in plaintext HTTP this enables cookie capture and impersonation. Affected com...

8.8CVSS5.5AI score0.00259EPSS
Exploits0References3
Positive Technologies
Positive Technologiesadded 2026/06/11 12:0 a.m.8 views

PT-2026-48665

Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could...

8.8CVSS5.5AI score0.00259EPSS
Exploits0References4
OSV
OSVadded 2026/05/05 5:51 p.m.12 views

GHSA-64CV-VXPR-J6VC edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint

Summary The syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger...

8.5CVSS6.1AI score0.00301EPSS
Exploits1References4
RedhatCVE
RedhatCVEadded 2025/10/17 7:46 p.m.2 views

CVE-2025-11492

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...

9.6CVSS6.8AI score0.00192EPSS
Exploits0References1
EUVD
EUVDadded 2025/10/16 9:31 p.m.3 views

EUVD-2025-34826

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by...

9.6CVSS6.2AI score0.00212EPSS
Exploits0References2
NVD
NVDadded 2025/10/16 7:15 p.m.3 views

CVE-2025-11492

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...

9.6CVSS0.00192EPSS
Exploits0References1
CVE
CVEadded 2025/10/16 7:0 p.m.12 views

CVE-2025-11493

The CVE-2025-11493 entry concerns the ConnectWise Automate Agent. The connected sources describe that the agent does not fully verify the authenticity of files downloaded from the server (updates, dependencies, and integrations), creating a risk of a man-in-the-middle substitution of legitimate f...

8.8CVSS6.4AI score0.00212EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichmentadded 2025/10/16 6:59 p.m.1 views

CVE-2025-11492 HTTP Configuration and Encryption in Transit

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some...

9.6CVSS6.4AI score0.00192EPSS
Exploits0References1
EUVD
EUVDadded 2025/10/07 12:30 a.m.2 views

EUVD-2014-5972

Malware in sbrugna...

5CVSS6.4AI score0.01369EPSS
Exploits0References5
EUVD
EUVDadded 2025/10/07 12:30 a.m.5 views

EUVD-2016-3037

Malware in sbrugna...

5.3CVSS5.7AI score0.00452EPSS
Exploits0References6
EUVD
EUVDadded 2025/10/03 8:7 p.m.4 views

EUVD-2024-30650

Malicious code in bioql PyPI...

8.1CVSS6.6AI score0.00209EPSS
Exploits0References2
EUVD
EUVDadded 2025/10/03 8:7 p.m.18 views

EUVD-2025-23896

Malicious code in bioql PyPI...

6CVSS6.2AI score0.00199EPSS
Exploits0References3
EUVD
EUVDadded 2025/10/03 8:7 p.m.1 views

EUVD-2022-5966

Malicious code in bioql PyPI...

9.8CVSS9.4AI score0.01681EPSS
Exploits0References9
SUSE CVE
SUSE CVEadded 2025/08/07 11:22 p.m.1 views

SUSE CVE-2025-54799

Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...

6CVSS7AI score0.00199EPSS
Exploits0References4
AlpineLinux
AlpineLinuxadded 2025/08/07 1:15 a.m.10 views

CVE-2025-54799

Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...

6CVSS7.1AI score0.00199EPSS
Exploits0References2
NVD
NVDadded 2025/08/07 1:15 a.m.11 views

CVE-2025-54799

Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...

6CVSS0.00199EPSS
Exploits0References2
Rows per page
Query Builder