721 matches found
SecurEnvoy Two Factor Authentication - LDAP Injection
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Bouncy Castle (CVE-2026-0636,CVE-2026-5598,CVE-2026-5588&CVE-2026-3505)
Summary IBM App Connect Enterprise Toolkit and Runtime are vulnerable to multiple vulnerabilities due to Bouncy Castle. Vulnerability Details CVEID:CVE-2026-0636 DESCRIPTION: Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy...
Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench
Summary Multiple vulnerabilities were addressed in IBM DevOps Solution Workbench version 5.2.0 Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0,...
CVE-2026-57288
Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native ADSI authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a...
CVE-2026-57288
Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native ADSI authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a...
Security Bulletin: Multiple Security Vulnerabilities in third-Party libraries used by IBM Tivoli Netcool Configuration Manager
Summary Multiple vulnerabilities in the third-party Bouncy Castle libraries used by IBM Tivoli Netcool Configuration Manager have been addressed. Vulnerability Details CVEID:CVE-2026-5588 DESCRIPTION: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle In...
Security Bulletin: IBM ApplinX is vulnerable to multiple vulnerabilities due to the use of Bouncy Castle library (CVE-2023-33202, CVE-2025-8916, CVE-2026-5588, CVE-2025-14813, CVE-2026-5598, CVE-2026-0636)
Summary IBM ApplinX is vulnerable to an Uncontrolled Resource Consumption vulnerability, an Allocation of Resources Without Limits or Throttling vulnerability, a Use of a Broken or Risky Cryptographic Algorithm, a Covert Timing Channel vulnerability and an Improper Neutralization of Special...
LDAP Injection
Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to LDAP Injection in the DefaultLdapRealm class. An attacker can bypass...
CVE-2026-49268
A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...
Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CVE-2026-0636)
Summary There are vulnerabilities in bcprov-jdk18on-1.83.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-0636. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-0636 DESCRIPTION: Improper neutralization of special elements used in an LDAP query 'LDAP...
SolarWinds Web Help Desk < 2026.2 Multiple Vulnerabilities
The version of SolarWinds Web Help Desk installed on the remote host is prior to 2026.2. It is, therefore, affected by multiple vulnerabilities. - pgAdmin versions up to 9.9 are affected by a Remote Code Execution RCE vulnerability that occurs when running in server mode and performing restores...
Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition
Summary Multiple vulnerabilities were addressed in IBM Tivoli Network Manager IP Edition 4.2.0.24 IFix 1 Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of...
CVE-2026-42568 Yamcs Vulnerable to LDAP Injection in LdapAuthModule
Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13...
CVE-2026-45559 Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...
Security Bulletin: Multiple vulnerabilities in IBM Rational Developer for i (CVE-2026-3505, CVE-2025-14813, CVE-2026-0636, CVE-2026-5598, CVE-2026-33671, CVE-2026-33672, CVE-2026-5588, CVE-2026-40175)
Summary IBM Rational Developer for i is affected by an uncontrolled resource consumption vulnerability in Bcpg CVE-2026-3505, a broken or risky cryptographic vulnerability in Bcprov CVE-2025-14813, an LDAP injection vulnerability in Bcprov CVE-2026-0636, a covert timing channel vulnerability in...
Security Bulletin: IBM Technical Support Appliance is affected by an LDAP Injection Vulnerability in Bouncy Castle BC-JAVA
Summary IBM Technical Support Appliance TSA includes a vulnerable version of the Bouncy Castle BC-JAVA provider library bcprov-jdk18on-1.78.1.jar. A flaw in the BC-JAVA LDAP certificate store implementation LDAPStoreHelper could allow improper neutralization of special elements used in LDAP...
CVE-2026-41919
Improper Neutralization of Special Elements used in an LDAP Query 'LDAP Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-44930
A flaw was found in Apache CXF. A remote attacker could exploit an LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server. This vulnerability allows the attacker to retrieve arbitrary certificates from the repository, leading to information disclosure. Mitigation...
CVE-2026-34578
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldapescape. An unauthenticated attacker can inject LDAP filter metacharacters into the username field ...
CVE-2026-40459
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10...