22 matches found
CVE-2026-50202
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...
GHSA-FPW6-HRG5-Q5X5 ech0's acess tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI
Summary Access tokens created with the "never expire" option have no exp JWT claim. Three independent revocation mechanisms fail for this token type. Logout at internal/handler/auth/auth.go:154 and :163 dereferences claims.ExpiresAt.Time, panicking on the nil field so the token never hits the...
CVE-2026-41902
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...
EUVD-2026-28405
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...
The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Yo...
CVE-2026-33707 Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1$email with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the...
CVE-2025-10681
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers...
PT-2026-30224
Name of the Vulnerable Software and Affected Versions Storage credentials in mobile app and device firmware affected versions not specified Description The mobile app and device firmware contain hardcoded storage credentials that do not adequately limit end user permissions and do not expire with...
CVE-2026-21622
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...
EEF-CVE-2026-21622 Password Reset Tokens Do Not Expire
Summary Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a...
CVE-2026-21622
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...
CVE-2026-21622 Password Reset Tokens Do Not Expire
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...
PT-2026-23515
Name of the Vulnerable Software and Affected Versions hexpm versions prior to bb0e42091995945deef10556f58d046a52eb7884 Description A flaw exists in hexpm that allows for account takeover due to insufficient session expiration. Specifically, password reset tokens generated through the password res...
EUVD-2020-29671
Malware in sbrugna...
Darwin Factor 代码问题漏洞
Darwin Factor is a free and open source next-generation TypeScript framework from Darwin, Inc. It is used to create blogs, login pages, and JamStack applications. Darwin Factor has a security vulnerability that stems from incorrectly invalidating a user's session even after the user logs out of t...
CVE-2020-26172
Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp...
Tangro Business Workflow Security Vulnerability
Tangro Business Workflow is a software from Tangro Germany that visualizes the internal control and approval processes of SAP document content. A security vulnerability exists in tangro Business Workflow before 1.18.1, which originates from the generation of the same JWT token at every login, whi...
Authentication flaw
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication...