2345 matches found
2N Access Commander Security Vulnerability
2N Access Commander is an access control solution provided by 2N Corporation. Versions of 2N Access Commander prior to 3.4.2 contained a security vulnerability. This vulnerability stemmed from improper expiration of session tokens, which could allow multiple session cookies to remain active after...
Rancher's Azure AD permission changes are not reflected on active sessions
A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...
CVE-2026-28415
A flaw was found in Gradio, an open-source Python package. The _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter. A remote attacker can exploit this vulnerability by crafting a malicious URL, leading to an open redirect. This allows the attacker to...
GHSA-PFJF-5GXR-995X Gradio has an Open Redirect in its OAuth Flow
Summary: The _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled, i.e. apps running on Hugging Face Spaces with...
PYSEC-2026-65
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...
CVE-2026-28415 Gradio has Open Redirect in OAuth Flow
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...
CVE-2026-28415
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...
CVE-2026-28415
Gradio prior to 6.6.0 exposes an open redirect in the OAuth flow: _redirect_to_target() accepts an unvalidated _target_url, enabling redirection to arbitrary external URLs via /logout and /login/callback for apps using gr.LoginButton (e.g., Hugging Face Spaces). Starting with 6.6.0, the _target_u...
EUVD-2026-9083
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...
PT-2026-22414
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 6.6.0. Description: Gradio is a Python package for rapid prototyping. A flaw exists in the OAuth flow where the redirect to target function does not properly validate the target url query parameter. This allows redirecti...
CVE-2026-1698
An HTTP Host header attack vulnerability affects the WebClient and WebScheduler web apps of PcVue in versions 15.0.0 through 16.3.3 inclusive, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior. This vulnerability only affects the endpoints...
CVE-2026-1698 HTTP Host header vulnerability in WebClient and WebScheduler web apps
An HTTP Host header attack vulnerability affects the WebClient and WebScheduler web apps of PcVue in versions 15.0.0 through 16.3.3 inclusive, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior. This vulnerability only affects the endpoints...
CVE-2026-1698
CVE-2026-1698 affects PcVue WebClient and WebScheduler web apps (versions 15.0.0–16.3.3). An HTTP Host header vulnerability could let an attacker craft requests that influence server-side behavior, specifically targeting endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCal...
PT-2026-22130
Name of the Vulnerable Software and Affected Versions: PcVue WebClient and WebScheduler versions 15.0.0 through 16.3.3. Description: An HTTP Host header attack affects the WebClient and WebScheduler web apps, potentially allowing a remote attacker to inject harmful payloads and manipulate server-side...
CVE-2025-64074
A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote attackers to delete arbitrary files on the host by supplying a crafted session cookie value...
IBM Concert Access Control Error Vulnerability (CNVD-2026-13787)
IBM Concert is a new tool from International Business Machines IBM Inc. that uses generative AI to help manage complex cloud-native applications. An Access Control Error vulnerability exists in IBM Concert that stems from a failure to disable a session after logging out, which could be exploited ...