10 matches found
CVE-2026-39324
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with the secrets: option. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie...
SUSE CVE-2014-125112
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution: an attacker can execute arbitrary code on the server during deserialization of the cookie data, when...
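The Rack::Session and Plack::Middleware::Session::Cookie entries above describe the same class of bug from two directions: session data that is decoded without any authentication, either because no secret signs the cookie at all (Plack) or because a failed decryption silently falls back to an unsigned decoder (Rack). The following Ruby is an added illustration written for this page, not code from either project; the SessionCookieCodec class, its method names and the "v1." cookie format are hypothetical, and base64+Marshal stands in for whatever unsigned coder the affected versions fell back to (Perl's Storable plays the same role). The forged payload is constructed and harmless, but Marshal.load on attacker bytes is the deserialization step that gadget chains turn into code execution.

```ruby
require "openssl"
require "json"

def b64enc(bytes)
  [bytes].pack("m0")
end

def b64dec(text)
  text.unpack1("m0")   # strict: raises ArgumentError on invalid input
end

# Hypothetical encrypted session cookie codec (constructed for illustration).
class SessionCookieCodec
  IV_LEN = 12
  TAG_LEN = 16

  def initialize(key)
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    @key = key
  end

  # Authenticated encryption: AES-256-GCM, cookie = "v1." + base64(iv|ct|tag).
  def encode(session_hash)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ""
    ct = cipher.update(JSON.generate(session_hash)) + cipher.final
    "v1." + b64enc(iv + ct + cipher.auth_tag)
  end

  # Session Hash on success, nil if the cookie is not valid under our key
  # (tampered, wrong key, wrong format). GCM tag check is the authentication.
  def decrypt(cookie)
    return nil unless cookie.start_with?("v1.")
    raw = b64dec(cookie[3..])
    return nil if raw.bytesize < IV_LEN + TAG_LEN
    iv, body, tag = raw[0, IV_LEN], raw[IV_LEN...-TAG_LEN], raw[-TAG_LEN..]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    JSON.parse(cipher.update(body) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  # Legacy unauthenticated coder: base64 + Marshal. Anyone can produce input
  # it accepts, and Marshal.load executes the deserialization logic of whatever
  # objects the bytes describe.
  def self.legacy_decode(cookie)
    Marshal.load(b64dec(cookie))
  rescue ArgumentError, TypeError
    nil
  end

  # VULNERABLE: a decryption failure falls through to the unsigned coder,
  # so the key no longer gates the session contents.
  def decode_vulnerable(cookie)
    decrypt(cookie) || self.class.legacy_decode(cookie)
  end

  # FIXED: a decryption failure means "no session". Nothing else is tried.
  def decode_fixed(cookie)
    decrypt(cookie) || {}
  end
end

# Attacker side: no key needed, just bytes the legacy coder will accept.
def forge_cookie(session_hash)
  b64enc(Marshal.dump(session_hash))
end

def demo
  codec = SessionCookieCodec.new(OpenSSL::Random.random_bytes(32))
  legit = codec.encode({ "user_id" => 42 })
  forged = forge_cookie({ "user_id" => 1, "admin" => true })   # constructed payload
  {
    legit_ok: codec.decode_fixed(legit),
    vuln_accepts_forged: codec.decode_vulnerable(forged),
    fixed_rejects_forged: codec.decode_fixed(forged),
  }
end
```

The fixed variant treats every decryption failure, including a cookie in an older format, as an empty session; migrating old cookies is done by keying the old format under a secret too, never by accepting unsigned data.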
GHSA-PPWX-5JQ7-PX2W Fleet: Device lock PIN can be predicted if lock time is known
Summary: Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could be derived if the approximate time the device was locked is known. Impact: Fleet’s...
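The weakness in the Fleet entry is that the PIN is a deterministic function of the timestamp alone, so an attacker who knows the lock time to within a few minutes only has to enumerate that window. The Ruby below is an added illustration, not Fleet's code: the generator functions are hypothetical (any keyless function of the time has the same property), and the keyed variant shows the fix the advisory points at, deriving the PIN under a secret so that knowing the time buys nothing.

```ruby
require "openssl"

PIN_DIGITS = 6

# Hypothetical predictable generator: six digits from the timestamp only.
def predictable_pin(unix_time)
  digest = OpenSSL::Digest::SHA256.digest(unix_time.to_s)
  (digest.unpack1("N") % 10**PIN_DIGITS).to_s.rjust(PIN_DIGITS, "0")
end

# Keyed generator: same shape, but an HMAC under a per-tenant secret. Without
# the secret the timestamp gives no advantage over guessing all 10^6 PINs.
def keyed_pin(secret, unix_time)
  mac = OpenSSL::HMAC.digest("SHA256", secret, unix_time.to_s)
  (mac.unpack1("N") % 10**PIN_DIGITS).to_s.rjust(PIN_DIGITS, "0")
end

# Attacker model: knows the lock happened within +/- window seconds of
# approx_time. Returns the candidate PINs for the predictable scheme.
def candidate_pins(approx_time, window)
  ((approx_time - window)..(approx_time + window)).map { |t| predictable_pin(t) }.uniq
end

# Number of tries until the real PIN is hit when walking the candidate list,
# or nil if it is not in the list at all.
def guesses_needed(pin, candidates)
  i = candidates.index(pin)
  i && i + 1
end

def demo
  true_lock_time = 1_700_000_000          # constructed lock time
  pin = predictable_pin(true_lock_time)
  # Attacker's estimate is 37 s off; they allow a two-minute window each way.
  cands = candidate_pins(true_lock_time + 37, 120)
  {
    pin: pin,
    candidates: cands.size,                 # at most 241, versus 1_000_000 blind
    guesses: guesses_needed(pin, cands),
    keyed_same_time: keyed_pin("tenant-secret", true_lock_time),
  }
end
```

The candidate count is the whole story: a 241-try search against a six-digit space is a few minutes of typing, while the keyed PIN needs the secret, which the device management server never hands to the attacker.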
Authentication Bypass Using an Alternate Path or Channel
Overview: @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacke...
Authentication Bypass Using an Alternate Path or Channel
Overview: @openclaw/zalo is an OpenClaw Zalo channel plugin. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorize...
Authentication Bypass Using an Alternate Path or Channel
Overview: @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...
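The three @openclaw entries share one failure mode: a webhook endpoint whose secret check is conditional on a secret having been configured, so "no secret" degrades to "no check" and any sender on the network can post updates the bot trusts. The Ruby below is an added illustration written for this page, not the plugins' code: the VulnerableWebhook and HardenedWebhook classes, the update shape and the handler are hypothetical. The header name is the one Telegram sends for a webhook registered with a secret_token, mapped to its Rack env key.

```ruby
require "openssl"
require "json"
require "stringio"

# Rack env key for the X-Telegram-Bot-Api-Secret-Token request header.
SECRET_HEADER = "HTTP_X_TELEGRAM_BOT_API_SECRET_TOKEN"

module UpdateHandler
  # Hypothetical downstream logic: trusts the sender id in the body.
  def handle(update)
    [200, {}, ["accepted from #{update.dig("message", "from", "id")}"]]
  end
end

class VulnerableWebhook
  include UpdateHandler

  def initialize(secret: nil)
    @secret = secret
  end

  # VULNERABLE: with no secret configured the guard is skipped entirely,
  # so the endpoint is an unauthenticated path into the same handler.
  def call(env)
    if @secret && env[SECRET_HEADER] != @secret
      return [401, {}, ["bad secret"]]
    end
    handle(JSON.parse(env["rack.input"].read))
  end
end

class HardenedWebhook
  include UpdateHandler

  # Refuse to come up in webhook mode without a secret rather than running open.
  def initialize(secret:)
    raise ArgumentError, "webhook mode requires a secret" if secret.nil? || secret.empty?
    @secret = secret
  end

  # Every request must present the secret; compare in constant time.
  def call(env)
    presented = env[SECRET_HEADER].to_s
    return [401, {}, ["bad secret"]] unless OpenSSL.secure_compare(presented, @secret)
    handle(JSON.parse(env["rack.input"].read))
  end
end

# Constructed request builder and forged update for the demo.
def build_env(body, secret_header: nil)
  env = { "rack.input" => StringIO.new(JSON.generate(body)) }
  env[SECRET_HEADER] = secret_header if secret_header
  env
end

FORGED_UPDATE = { "message" => { "from" => { "id" => 1 }, "text" => "/admin revoke all" } }

def demo
  open_bot = VulnerableWebhook.new(secret: nil)
  hardened = HardenedWebhook.new(secret: "s3cret")
  misconfigured = begin
    HardenedWebhook.new(secret: nil)
    :started
  rescue ArgumentError
    :refused_to_start
  end
  {
    vuln_no_secret_status:  open_bot.call(build_env(FORGED_UPDATE))[0],
    hardened_no_header:     hardened.call(build_env(FORGED_UPDATE))[0],
    hardened_wrong_secret:  hardened.call(build_env(FORGED_UPDATE, secret_header: "guess"))[0],
    hardened_right_secret:  hardened.call(build_env(FORGED_UPDATE, secret_header: "s3cret"))[0],
    hardened_unconfigured:  misconfigured,
  }
end
```

The check worth adding to a deployment review is the startup one: a webhook listener that can be enabled with an empty secret will eventually be, and the request-time guard then protects nothing.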
CVE-2025-59870
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...
PT-2026-25989
Impact: specific User Supplied Secrets (USS), 1 in 256 of them, were not used, making the resulting Compound Device Identifier (CDI) the same as if no USS had been provided. Affected client applications: all client apps using the tkeyclient Go module. Patches: upgrade to v1.3.0. NOTE WELL: For the affected e...
CVE-2024-32482
CVE-2024-32482 concerns the Tillitis TKey Signer device application (ed25519 signer). The vulnerability can disclose portions of the TKey’s RAM contents over the USB interface when the device is touched and a custom client is used. No secret is disclosed. Exploitation requires local access via U...
PT-2026-28191
Name of the Vulnerable Software and Affected Versions: Plack::Middleware::Session::Cookie versions through 0.21. Description: Plack::Middleware::Session::Cookie versions through 0.21 allow remote code execution. The issue occurs during deserialization of cookie data when no secret is used to sign t...