Lucene search
+L

2409 matches found

CVE
CVE
added 2026/06/24 5:33 a.m.10 views

CVE-2026-7617

The CVE affects the WordPress plugin Secufor_OAuth (versions up to and including 1.0.7). The vulnerability stems from insufficient authorization checks when performing an action, allowing unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the pl...

5.3CVSS5.8AI score0.00295EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.36 views

CVE-2026-7617 Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action

The SecuforOAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress...

5.3CVSS0.00295EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/23 11:14 p.m.5 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the construction of callback URLs in OIDC, SAML, and logout authentication flows using the attacker-controlled HTTPHOST header. An attacker can intercept authorization codes or session tokens by manipulating the...

9.6CVSS5.8AI score0.00312EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 10:9 p.m.32 views

CVE-2026-54588

Poweradmin (for PowerDNS) is affected by a Host Header Injection vulnerability in auth flows. Versions prior to 4.2.4 and 4.3.3 use the HTTP_HOST header as the authoritative source for building OIDC redirect_uri, SAML ACS/SLO URLs, and logout redirects without validation. An unauthenticated attac...

9.6CVSS6AI score0.00312EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/23 10:9 p.m.31 views

CVE-2026-54588 Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled HTTPHOST request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An...

9.6CVSS0.00312EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 10:9 p.m.3 views

CVE-2026-54588 Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled HTTPHOST request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An...

9.6CVSS6AI score0.00312EPSS
Exploits0References5
NVD
NVD
added 2026/06/23 5:17 p.m.13 views

CVE-2026-55423

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS0.00152EPSS
Exploits1References3
Patchstack
Patchstack
added 2026/06/23 4:37 p.m.7 views

WordPress Secufor_OAuth plugin <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout vulnerability

Missing Authorization to Unauthenticated Account Logout vulnerability discovered by SHIVAM KUMAR in WordPress Plugin SecuforOAuth versions = 1.0.7...

5.3CVSS5.8AI score0.00295EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/23 4:27 p.m.42 views

CVE-2026-55423 Langflow: Logout button does not clear session

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS0.00152EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 4:27 p.m.3 views

CVE-2026-55423 Langflow: Logout button does not clear session

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References5
CVE
CVE
added 2026/06/23 4:27 p.m.30 views

CVE-2026-55423

CVE-2026-55423 affects Langflow prior to version 1.7.0, where the /logout flow fails to clear session data. Root cause: the logout endpoint did not delete cookies with matching attributes (httponly/samesite/secure/domain), so tokens persisted in local storage and cookies even after logout. Conseq...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References3Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 3:42 p.m.9 views

CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

6.1CVSS5.8AI score0.0015EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/19 9:17 p.m.12 views

Langflow: Logout button does not clear session

Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. Details Not in auto login mode. Hosted on localhost. accesstokenlf remains present in both Local Storage and Cookies. refreshtokenlf remains present in Cookies. Root...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/06/19 9:17 p.m.6 views

GHSA-7HW8-6Q6R-4276 Langflow: Logout button does not clear session

Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. Details Not in auto login mode. Hosted on localhost. accesstokenlf remains present in both Local Storage and Cookies. refreshtokenlf remains present in Cookies. Root...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.19 views

PT-2026-51100

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.7.0 Description The logout button fails to clear the user session, allowing a previous user to remain logged in unless another user explicitly authenticates. This occurs because the '/logout' endpoint deletes...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References10
OSV
OSV
added 2026/06/18 1:1 p.m.9 views

GHSA-29JH-8CFQ-RR8X ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

Summary A Server-Side Request Forgery SSRF vulnerability was discovered in Zitadel affecting: HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. OIDC BackChannel Logout: Terminates sessions across differe...

2.3CVSS6.2AI score0.00252EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50740

Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...

2.3CVSS6AI score0.00252EPSS
Exploits0References8
OSV
OSV
added 2026/06/15 5:13 p.m.8 views

GHSA-95QP-CMMW-MGQV @angular/service-worker: Request Credential & Cache Policy Stripping

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...

6.1CVSS5.5AI score0.0015EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49563

Name of the Vulnerable Software and Affected Versions @angular/service-worker versions prior to 19.2.23 @angular/service-worker versions prior to 20.3.22 @angular/service-worker versions prior to 21.2.15 @angular/service-worker versions prior to 22.0.0-rc.2 Description An issue in the...

5.7CVSS5.8AI score0.0015EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 a.m.12 views

CVE-2026-41694

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0...

5.3CVSS5.5AI score0.00137EPSS
Exploits0References1
Rows per page
Query Builder