61304 matches found
Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri
Hi, I found that 6 endpoints in Authorizer accept a user-controlled redirecturi and append sensitive tokens to it without validating the URL against AllowedOrigins. The OAuth /app handler validates redirecturi at httphandlers/app.go:46, but the GraphQL mutations and verifyemail handler skip...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect through the redirecturi parameter in multiple endpoints ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, VerifyEmailHandler which is not validated against AllowedOrigins. An attacker can obtain...
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
Vulnerability Details CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization. Unauthenticated endpoints...
GHSA-5GHQ-42RG-769X CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
An attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section, which allows the injection of XSS payloads...
CVE-2026-0740
creationtimestamp | type | source
---|---|---
2026-04-06 17:19:46+00:00 | seen | https://bsky.app/profile/wordfenceofficial.bsky.social/post/3mitrjp4tp22q
2026-04-07 05:17:09+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3miuzmkuxzz2r
2026-04-07 05:30:31+00:00 | seen | ...
CVE-2025-47390
creationtimestamp | type | source
---|---|---
2026-04-06 17:16:09+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mitrdd5ovk2r
2026-04-06 17:31:14+00:00 | seen | Telegram/DvHhUeNPzeGTU1g3nAXVjr06ieUowQjpdSlFc2J0jcODus
2026-04-09 03:40:09+00:00 | seen | ...
CVE-2026-31063
creationtimestamp | type | source
---|---|---
2026-04-06 16:31:06+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116358713535158087...
CVE-2019-25684
creationtimestamp | type | source
---|---|---
2026-04-06 15:14:17+00:00 | seen | https://infosec.exchange/ap/users/116075764941463905/statuses/116358406102447084
2026-04-09 21:37:08+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mj3rcqekpf2f...
CVE-2026-5650
creationtimestamp | type | source
---|---|---
2026-04-06 14:53:32+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitjeceaet2j...
CVE-2026-5649
creationtimestamp | type | source
---|---|---
2026-04-06 14:48:31+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitj3dwvaa2o...
EUVD-2026-19279
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...
CVE-2026-5641
creationtimestamp | type | source
---|---|---
2026-04-06 14:36:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitiftyufy2s...
CVE-2026-5673
creationtimestamp | type | source
---|---|---
2026-04-06 14:03:11+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitgkbcqxj2n...
CVE-2026-5648
creationtimestamp | type | source
---|---|---
2026-04-06 13:15:55+00:00 | published-proof-of-concept | Telegram/xB-J5caT8OaTqFu1G6vNbp6TxSF4mn8gOhVa9PlynjV1S3c
2026-04-06 14:41:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitiosglpw2g...
CVE-2026-31407
creationtimestamp | type | source
---|---|---
2026-04-06 10:16:07+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miszuar4ni2g
2026-05-31 20:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/suse-linux-kernel-multiple-vulnerabilities20260601...
CVE-2026-31405
creationtimestamp | type | source
---|---|---
2026-04-06 10:13:37+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miszprfg352j
2026-05-05 20:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities20260506
2026-05-31 20:00:00+00:00 | seen | ...
CVE-2026-5630
creationtimestamp | type | source
---|---|---
2026-04-06 10:11:18+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miszlmvjb525...
CVE-2026-37977
creationtimestamp | type | source
---|---|---
2026-04-06 10:09:09+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3miszhrwzjx2i...
Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro. Qilin attacks analyzed by Talos have...
CVE-2026-31409
creationtimestamp | type | source
---|---|---
2026-04-06 10:03:29+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3misz5o6hu425
2026-05-05 20:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities20260506...