22 matches found

NVD
added 2026/06/17 11:17 p.m. (13 views)

CVE-2026-50202

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and...

CVSS 5.9, EPSS 0.0029
Exploits: 0, References: 3
Snyk
added 2026/05/07 9:34 p.m. (7 views)

Improper Handling of Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

CVSS 9.1, AI score 5.8
Exploits: 0, References: 3
OSV
added 2026/05/07 9:34 p.m. (5 views)

GHSA-FPW6-HRG5-Q5X5 ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI

Summary: Access tokens created with the "never expire" option have no exp JWT claim. Three independent revocation mechanisms fail for this token type. Logout at internal/handler/auth/auth.go:154 and :163 dereferences claims.ExpiresAt.Time, panicking on the nil field so the token never hits the...

CVSS 7.4, AI score 5.8
Exploits: 0, References: 3
ATTACKERKB
added 2026/05/07 6:03 p.m. (5 views)

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1, AI score 5.8, EPSS 0.00246
Exploits: 0, References: 3, Affected Software: 1
EUVD
added 2026/05/07 6:03 p.m. (10 views)

EUVD-2026-28405

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1, AI score 5.8, EPSS 0.00246
Exploits: 0, References: 2
The Hacker News
added 2026/05/05 11:58 a.m. (19 views)

The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Yo...

AI score 5.8
Exploits: 0
Vulnrichment
added 2026/04/10 6:52 p.m. (3 views)

CVE-2026-33707 Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1$email with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the...

CVSS 9.4, AI score 5.8, EPSS 0.00426
Exploits: 0, References: 3
NVD
added 2026/04/03 9:17 p.m. (8 views)

CVE-2025-10681

Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers...

CVSS 8.8, EPSS 0.00275
Exploits: 1, References: 3
Positive Technologies
added 2026/04/03 12:00 a.m. (6 views)

PT-2026-30224

Name of the Vulnerable Software and Affected Versions: Storage credentials in mobile app and device firmware; affected versions not specified. Description: The mobile app and device firmware contain hardcoded storage credentials that do not adequately limit end user permissions and do not expire with...

8.8CVSS5.9AI score0.00275EPSS
Exploits1References6
OSV
added 2026/03/05 10:16 p.m. (3 views)

CVE-2026-21622

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...

CVSS 9.8, AI score 5.8, EPSS 0.0039
Exploits: 0, References: 2
OSV
added 2026/03/05 9:18 p.m. (8 views)

EEF-CVE-2026-21622 Password Reset Tokens Do Not Expire

Summary: Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a...

CVSS 9.5, AI score 5.7, EPSS 0.0039
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/05 9:18 p.m. (6 views)

CVE-2026-21622

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...

CVSS 9.5, AI score 6, EPSS 0.0039
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2026/03/05 9:18 p.m. (2 views)

CVE-2026-21622 Password Reset Tokens Do Not Expire

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...

CVSS 9.5, AI score 5.8, EPSS 0.0039
Exploits: 0, References: 4
Positive Technologies
added 2026/03/05 12:00 a.m. (6 views)

PT-2026-23515

Name of the Vulnerable Software and Affected Versions: hexpm versions prior to bb0e42091995945deef10556f58d046a52eb7884. Description: A flaw exists in hexpm that allows for account takeover due to insufficient session expiration. Specifically, password reset tokens generated through the password res...

CVSS 9.5, AI score 5.8, EPSS 0.0039
Exploits: 0, References: 6
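The Chamilo, hexpm and FreeScout entries above describe three variants of one flaw in a reset or invitation token: it is derived from data the attacker already knows, it stays valid indefinitely, or both. The Go below is an added example and not code from any of those projects. WeakResetToken reproduces the sha1(email) construction from the Chamilo description purely for contrast; ResetStore shows the properties such a token needs (random bytes from the OS CSPRNG, stored only as a hash, bounded lifetime, single use, a per-account rate limit on requests). The in-memory maps, the user ids, the 15-minute lifetime and the one-minute spacing are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// WeakResetToken is the scheme the Chamilo advisory describes: sha1 over the
// e-mail address and nothing else. Anyone who knows the address computes the
// same value offline, and it never changes or expires. Shown only for contrast.
func WeakResetToken(email string) string {
	sum := sha1.Sum([]byte(email))
	return hex.EncodeToString(sum[:])
}

type resetRecord struct {
	tokenHash [32]byte // sha256 of the token; a leaked table does not leak live tokens
	expires   time.Time
	used      bool
}

// ResetStore is an in-memory stand-in for the password-reset table (assumption).
type ResetStore struct {
	ttl        time.Duration
	minSpacing time.Duration           // minimum gap between requests per account
	records    map[string]*resetRecord // one pending token per user id
	lastIssued map[string]time.Time
	Clock      func() time.Time // injectable clock, time.Now by default
}

func NewResetStore(ttl, minSpacing time.Duration) *ResetStore {
	return &ResetStore{
		ttl: ttl, minSpacing: minSpacing,
		records:    map[string]*resetRecord{},
		lastIssued: map[string]time.Time{},
		Clock:      time.Now,
	}
}

// Issue creates a fresh random token and returns the plaintext to be e-mailed.
// A new request replaces any earlier pending token for the same account.
func (s *ResetStore) Issue(userID string) (string, error) {
	now := s.Clock()
	if last, ok := s.lastIssued[userID]; ok && now.Sub(last) < s.minSpacing {
		return "", errors.New("reset requested too recently")
	}
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.records[userID] = &resetRecord{tokenHash: sha256.Sum256([]byte(token)), expires: now.Add(s.ttl)}
	s.lastIssued[userID] = now
	return token, nil
}

// Consume accepts a token at most once and only before its expiry; the caller
// then changes the password and should also terminate the account's sessions.
func (s *ResetStore) Consume(userID, token string) error {
	rec, ok := s.records[userID]
	if !ok {
		return errors.New("no pending reset")
	}
	if rec.used {
		return errors.New("token already used")
	}
	if !s.Clock().Before(rec.expires) {
		delete(s.records, userID)
		return errors.New("token expired")
	}
	got := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(got[:], rec.tokenHash[:]) != 1 {
		return errors.New("invalid token")
	}
	rec.used = true
	return nil
}

func main() {
	s := NewResetStore(15*time.Minute, time.Minute)
	tok, _ := s.Issue("user-42") // constructed user id
	fmt.Println("sha1(email) accepted:", s.Consume("user-42", WeakResetToken("user-42@example.com")) == nil)
	fmt.Println("first use:", s.Consume("user-42", tok))
	fmt.Println("second use:", s.Consume("user-42", tok))
}
```

The hash-at-rest choice matters for the hexpm and FreeScout cases as much as the expiry does: a non-expiring token sitting in plaintext in a database is a credential that a later database leak turns into account takeover, whereas a hashed, expiring, single-use one is worthless to a reader of that table.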
EUVD
added 2025/10/07 12:30 a.m. (4 views)

EUVD-2020-29671

Malware in sbrugna...

CVSS 7.5, AI score 7.5, EPSS 0.01712
Exploits: 1, References: 4
CNNVD
added 2021/11/16 12:00 a.m. (6 views)

Darwin Factor Code Problem Vulnerability

Darwin Factor is a free and open source next-generation TypeScript framework from Darwin, Inc. It is used to create blogs, login pages, and JamStack applications. Darwin Factor has a security vulnerability that stems from failing to invalidate a user's session after the user logs out of t...

CVSS 9.8, AI score 8.2, EPSS 0.00755
Exploits: 0, References: 3
OSV
added 2020/12/18 10:15 a.m. (5 views)

CVE-2020-26172

Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp...

CVSS 6.5, AI score 6.6, EPSS 0.00652
Exploits: 1, References: 2
CNNVD
added 2020/12/18 12:00 a.m. (6 views)

Tangro Business Workflow Security Vulnerability

Tangro Business Workflow is a software from Tangro Germany that visualizes the internal control and approval processes of SAP document content. A security vulnerability exists in tangro Business Workflow before 1.18.1, which originates from the generation of the same JWT token at every login, whi...

CVSS 6.5, AI score 6.6, EPSS 0.00652
Exploits: 1, References: 3
Prion
added 2020/04/08 8:15 p.m. (12 views)

Authentication flaw

As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication...

CVSS 5, AI score 7.8, EPSS 0.01712
Exploits: 1, References: 3, Affected Software: 1
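The ech0, tangro Business Workflow and Argo entries above reduce to the same two failures: a token with no exp claim can neither time out nor be handled safely by code that assumes the claim is present (the nil dereference in ech0's logout), and a token without a unique jti cannot be denylisted when the user logs out or the token is deleted. The Go below is an added example and not code from ech0, tangro, Argo or any JWT library. It implements HS256 with the standard library only, uses an in-memory map as a stand-in for a shared revocation store, and treats a missing exp or jti as a validation error rather than as a token that lives forever. The key, subject and jti values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims keeps exp as a pointer: a token minted without one is seen as nil and rejected, never dereferenced.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt *int64 `json:"exp,omitempty"`
	ID        string `json:"jti,omitempty"`
}

// Validator signs and checks HS256 tokens; revoked stands in for a shared denylist such as a Redis set (assumption).
type Validator struct {
	key     []byte
	revoked map[string]time.Time // jti -> exp, so stale entries can be pruned
	Now     func() time.Time     // injectable clock, time.Now by default
}

func NewValidator(key []byte) *Validator {
	return &Validator{key: key, revoked: map[string]time.Time{}, Now: time.Now}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign builds header.payload.signature; alg is fixed here and never read from input.
func (v *Validator) sign(payload []byte) string {
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// Sign refuses an unbounded lifetime and requires a jti, so every token can both time out and be revoked early.
func (v *Validator) Sign(sub, jti string, ttl time.Duration) (string, error) {
	if ttl <= 0 || jti == "" {
		return "", errors.New("token needs a bounded ttl and a jti")
	}
	exp := v.Now().Add(ttl).Unix()
	payload, _ := json.Marshal(Claims{Subject: sub, ExpiresAt: &exp, ID: jti})
	return v.sign(payload), nil
}

// Parse checks the signature, then requires exp (in the future) and jti (not denylisted).
func (v *Validator) Parse(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, perr := base64.RawURLEncoding.DecodeString(parts[1])
	sig, serr := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if perr != nil || serr != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature or encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.ExpiresAt == nil:
		return nil, errors.New("token has no exp claim")
	case v.Now().Unix() >= *c.ExpiresAt:
		return nil, errors.New("token expired")
	case c.ID == "":
		return nil, errors.New("token has no jti claim")
	}
	if _, gone := v.revoked[c.ID]; gone {
		return nil, errors.New("token revoked")
	}
	return &c, nil
}

// Revoke is what logout and token deletion should do: denylist the jti until the token would have expired anyway.
func (v *Validator) Revoke(token string) error {
	c, err := v.Parse(token)
	if err != nil {
		return err // a token Parse already rejects needs no denylist entry
	}
	v.revoked[c.ID] = time.Unix(*c.ExpiresAt, 0)
	return nil
}

func main() {
	v := NewValidator([]byte("constructed-demo-key"))
	// What an "expiry = never" option emits: validly signed, but no exp claim.
	_, err := v.Parse(v.sign([]byte(`{"sub":"bob","jti":"jti-2"}`)))
	fmt.Println("token without exp:", err) // token has no exp claim
}
```

Two design points carry over to any real deployment. First, Parse never consults the alg header, so the usual "alg: none" and key-confusion tricks have nothing to act on; the signature is always HMAC with the server key. Second, Revoke records the token's own exp next to the jti, which bounds the denylist: entries can be dropped once their exp has passed, which is exactly why an exp-less token is unmanageable on the revocation side as well as on the expiry side.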