Lucene search
K

1232 matches found

Snyk
Snyk
added 2026/03/04 10:53 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.1 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/04 10:47 p.m.7 views

ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint

Summary A vulnerability was discovered in Zitadel's login V2 interface that allowed a possible account takeover. Impact Zitadel exposes an HTTP endpoint named /saml-post. This endpoint is used for handling requests to SAML IdPs and accepts two HTTP GET parameters: url and id. When these parameter...

9.3CVSS6.5AI score0.00402EPSS
Exploits0References3Affected Software2
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.7 views

PT-2026-23105

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.11.1 Description ZITADEL, an open source identity management platform, has a flaw in its login V2 interface that could allow for account takeover via Default URI Redirect. An unauthenticated remote attacker can...

9.9CVSS5.8AI score0.22162EPSS
Exploits70References140
Qualys Blog
Qualys Blog
added 2026/03/02 7:40 p.m.8 views

Cyber Essentials Plus in 2026: Strengthened Controls, UK Cyber Reality & How Qualys Supports Compliance

Key Takeaways CE+ 2026 Updates: Effective April 2026, Cyber Essentials Plus requires stronger technical proof of control effectiveness, mandatory MFA, and tighter patching windows. Cloud and Identity in Scope: Audits now explicitly include cloud services and identity configurations, demanding...

6AI score
Exploits0
Snyk
Snyk
added 2026/02/26 10:45 p.m.4 views

Improper Authentication

Overview @n8n/rest-api-client is a This package contains the REST API calls for n8n. Affected versions of this package are vulnerable to Improper Authentication via the Self-Service Settings API. An attacker can circumvent centralized identity management and multi-factor authentication by disabli...

6CVSS6AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/26 10:45 p.m.11 views

n8n has an SSO Enforcement Bypass in its Self-Service Settings API

Impact An authenticated user signed in through Single Sign-On SSO could disable SSO enforcement for their own account through the n8n API. This allowed the user to create a local password and authenticate directly with email and password, completely bypassing the organization's SSO policy,...

5.3AI score
Exploits0References4Affected Software1
The Hacker News
The Hacker News
added 2026/02/25 3:6 p.m.7 views

SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks

The notorious cybercrime collective known as Scattered LAPSUS$ Hunters SLH has been observed offering financial incentives to recruit women to pull off social engineering attacks. The idea is to hire them for voice phishing campaigns targeting IT help desks, Dataminr said in a new threat brief. T...

6AI score
Exploits0
NVD
NVD
added 2026/02/21 11:15 a.m.7 views

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

7.4CVSS0.00226EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/21 10:22 a.m.26 views

CVE-2026-27579 CollabPlatform : CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

7.4CVSS0.00226EPSS
Exploits1References1
Krebs on Security
Krebs on Security
added 2026/02/20 8:0 p.m.12 views

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses...

5.7AI score
Exploits0
The Hacker News
The Hacker News
added 2026/02/20 10:30 a.m.10 views

Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026

With one in three cyber-attacks now involving compromised employee accounts, insurers and regulators are placing far greater emphasis on identity posture when assessing cyber risk. For many organizations, however, these assessments remain largely opaque. Elements such as password hygiene,...

6.3AI score
Exploits0
Snyk
Snyk
added 2026/02/16 1:1 p.m.3 views

Information Exposure

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Information Exposure via the WebSocket component. An attacker can obtain sensitive information, including password hashes and MFA secrets, by...

6.9CVSS5.6AI score0.00198EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/01/31 7:58 a.m.14 views

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant on Friday said it identified an "expansion in threat activity" that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing aka vishing and bogus...

6AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/01/14 4:19 p.m.5 views

CVE-2025-37184 Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby...

9.8CVSS6.8AI score0.00566EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/14 4:19 p.m.20 views

CVE-2025-37184 Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby...

9.8CVSS0.00566EPSS
Exploits0References1
CVE
CVE
added 2026/01/14 4:19 p.m.32 views

CVE-2025-37184

CVE-2025-37184 affects an Orchestrator service. The issue is an unauthenticated remote bypass of multi-factor authentication, enabling an attacker to create an admin user account and potentially compromise secured access. The public documents consistently describe the vulnerability without listin...

9.8CVSS6.8AI score0.00566EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder