CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

71 matches found

Cvelist•added 2026/06/15 7:18 p.m.•24 views

CVE-2026-48518 MultiJuicer: Login CSRF allows attacker to force victims into their team

MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint POST /multi-juicer/api/teams/team/join accepted requests with any Content-Type, including text/plain. Because tha...

4.3CVSS0.00172EPSS

Exploits0References3

RedhatCVE•added 2026/04/20 7:23 p.m.•7 views

CVE-2026-40948

The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...

5.4CVSS5.7AI score0.00328EPSS

Exploits0References1

OSV•added 2026/04/18 3:34 p.m.•4 views

GHSA-5W6H-PJW6-WVC6 apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation

5.4CVSS5.7AI score0.00328EPSS

Exploits0References5

Cvelist•added 2026/04/18 1:22 p.m.•33 views

CVE-2026-40948 Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager

0.00328EPSS

Exploits0References2

ATTACKERKB•added 2026/04/18 1:22 p.m.•1 views

CVE-2026-40948

5.7AI score0.00328EPSS

Exploits0References3Affected Software1

EUVD•added 2026/04/18 1:22 p.m.•3 views

EUVD-2026-23676

5.7AI score0.00328EPSS

Exploits0References2

Positive Technologies•added 2026/04/18 12:0 a.m.•4 views

PT-2026-33603

5.7AI score0.00328EPSS

Exploits0References5

CVE•added 2026/02/02 10:59 p.m.•18 views

CVE-2026-25221

CVE-2026-25221 (PolarLearn) affects PolarLearn prior to 0-PRERELEASE-15. The OAuth 2.0 login flow for GitHub and Google providers fails to implement/verify the state parameter, enabling a Login CSRF attack. An attacker can pre-authenticate a session and lure a victim into logging into the attacke...

8.1CVSS5.5AI score0.00203EPSS

Exploits1References2Affected Software1

RedhatCVE•added 2025/12/20 8:14 p.m.•7 views

CVE-2025-68481

FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...

5.9CVSS6.9AI score0.00222EPSS

Exploits1References1

NVD•added 2025/12/19 9:15 p.m.•6 views

CVE-2025-68481

8.8CVSS0.00222EPSS

Exploits1References4

OSV•added 2025/12/19 9:10 p.m.•10 views

GHSA-5J53-63W8-8625 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO

Description The OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. generatestatetoken is always called with an empty statedata dict, so the resulting JWT only contains the fixed audience...

5.9CVSS6.9AI score0.00222EPSS

Exploits1References6

Cvelist•added 2025/12/19 8:14 p.m.•24 views

CVE-2025-68481 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO

5.9CVSS0.00222EPSS

Exploits1References4