Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

267 matches found

NVD
NVDadded 6 days ago6 views

CVE-2026-44237

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid clientid is required. The validateClient method in ClientRepository.php unconditionally returns true,...

8.1CVSS0.00031EPSS
Exploits0References1
EUVD
EUVDadded 6 days ago4 views

EUVD-2026-33300

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid clientid is required. The validateClient method in ClientRepository.php unconditionally returns true,...

7.6CVSS5.8AI score0.00031EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 6 days ago6 views

CVE-2026-44237

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid clientid is required. The validateClient method in ClientRepository.php unconditionally returns true,...

7.6CVSS5.8AI score0.00031EPSS
Exploits0References2Affected Software1
Cvelist
Cvelistadded 6 days ago23 views

CVE-2026-44237 FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid clientid is required. The validateClient method in ClientRepository.php unconditionally returns true,...

7.6CVSS0.00031EPSS
Exploits0References1
CVE
CVEadded 6 days ago9 views

CVE-2026-44237

Summary: CVE-2026-44237 affects FreePBX before 17.0.8. The api module’s OAuth2 flow does not validate client credentials during token issuance; validateClient() in ClientRepository.php unconditionally returns true. This allows any party with a valid client_id to obtain OAuth2 access tokens withou...

8.1CVSS5.8AI score0.00031EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichmentadded 6 days ago6 views

CVE-2026-44237 FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid clientid is required. The validateClient method in ClientRepository.php unconditionally returns true,...

7.6CVSS5.8AI score0.00031EPSS
Exploits0References1
Positive Technologies
Positive Technologiesadded 6 days ago4 views

PT-2026-44842

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client id is required. The validateClient method in ClientRepository.php unconditionally returns true,...

7.6CVSS5.8AI score0.00031EPSS
Exploits0References2
CNNVD
CNNVDadded 6 days ago3 views

FreePBX 安全漏洞

FreePBX is a set of tools from the FreePBX project that allow configuration of Asterisk an IP telephony system through a GUI-based web interface. Versions of FreePBX prior to 17.0.8 contained a security vulnerability. This vulnerability stemmed from the OAuth2 implementation in the API module,...

8.1CVSS5.8AI score0.00031EPSS
Exploits0References1
Cvelist
Cvelistadded last week24 views

CVE-2026-9096 CVE-2026-9096

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse never reads this field, meaning that time bounds are...

0.00054EPSS
Exploits0References1
NVD
NVDadded 2026/05/28 6:16 a.m.7 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS0.00058EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/05/28 4:37 a.m.5 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00058EPSS
Exploits0References3
CVE
CVEadded 2026/05/28 4:37 a.m.21 views

CVE-2026-9798

Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...

4.3CVSS5.7AI score0.00058EPSS
Exploits0References2Affected Software1
EUVD
EUVDadded 2026/05/28 4:37 a.m.5 views

EUVD-2026-32717

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00058EPSS
Exploits0References2
CNNVD
CNNVDadded 2026/05/28 12:0 a.m.4 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak. This vulnerability arises when user accounts are temporarily locked due to failed login attempts. Attackers with valid client credentials can exploit the revers...

4.3CVSS5.8AI score0.00058EPSS
Exploits0References2
RedhatCVE
RedhatCVEadded 2026/05/22 3:46 p.m.7 views

CVE-2026-43001

A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied projectid for an EC2-type credential was not validated against the project of the authenticating...

8CVSS5.8AI score0.00018EPSS
Exploits1References5
EUVD
EUVDadded 2026/05/22 12:31 a.m.5 views

EUVD-2026-31364

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

2.3CVSS5.8AI score0.00037EPSS
Exploits0References2
Cvelist
Cvelistadded 2026/05/21 9:20 p.m.22 views

CVE-2026-7887 For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

2.3CVSS0.00037EPSS
Exploits0References1
Positive Technologies
Positive Technologiesadded 2026/05/21 12:0 a.m.7 views

PT-2026-42557

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description The OAuth 2.0 Authorization-Code Handler fails to verify account status. This allows users who are suspended, banned, or terminated employees, specifically those with the uIsActive variable set ...

2.3CVSS5.8AI score0.00037EPSS
Exploits0References4
RedHat Linux
RedHat Linuxadded 2026/05/14 6:54 a.m.10 views

Important: Red Hat Security Advisory: zero trust workload identity manager for Red Hat OpenShift 1.0.1

zero trust workload identity manager for Red Hat OpenShift 1.0.1 The Zero Trust Workload Identity Manager ZTWIM is a day-2 operator. The operator manages lifecycle of operand components from SPIRE project. The goal of ZTWIM is to provide secure, verifiable workload identities for workloads in...

8.9CVSS6.8AI score0.00032EPSS
Exploits0References3
RedHat Linux
RedHat Linuxadded 2026/05/14 6:53 a.m.6 views

Important: Red Hat Security Advisory: zero trust workload identity manager for Red Hat OpenShift 1.0.1

zero trust workload identity manager for Red Hat OpenShift 1.0.1 The Zero Trust Workload Identity Manager ZTWIM is a day-2 operator. The operator manages lifecycle of operand components from SPIRE project. The goal of ZTWIM is to provide secure, verifiable workload identities for workloads in...

8.9CVSS6.8AI score0.00032EPSS
Exploits0References3
Rows per page
Query Builder