Lucene search
K

14 matches found

NVD
NVD
added 5 days ago8 views

CVE-2026-58122

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...

9.3CVSS0.00293EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-58122

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...

9.3CVSS6AI score0.00293EPSS
Exploits0References5
CVE
CVE
added 5 days ago8 views

CVE-2026-58122

CVE-2026-58122 affects Hermes WebUI prior to 0.51.307. An authentication bypass allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by spoofing X-Forwarded-For with a loopback address. Exploitation enables server-side request forgery against ...

9.3CVSS6AI score0.00293EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago13 views

PT-2026-56988

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.307 Description An authentication bypass exists that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints. This is achieved by supplying a spoofed...

9.3CVSS6.2AI score0.00293EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/07/04 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-14612

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out- of-bounds memory access when processing an oversized...

4.2CVSS6AI score0.00142EPSS
Exploits0References4
OSV
OSV
added 2026/05/21 6:31 p.m.9 views

MAL-2026-4607 Malicious code in maxixy-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b8df03da54eaa00b887a27395e7b7c42b02a982b1e9df9d82a5b0c243d0ba95 maxixy-cli is a wholesale rebrand of QwenLM/qwen-code itself a fork of google-gemini/gemini-cli with the Qwen OAuth device-flow base URL hardcoded to...

5.9AI score
Exploits0References1
The Hacker News
The Hacker News
added 2026/03/25 11:34 a.m.9 views

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, wit...

5.8AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2026/03/10 12:0 a.m.8 views

This Week in Spring - March 10th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring. As I write this, I am preparing for a trip to Rust, Germany, for one of the best Java conferences in Europe: JavaLand, along with its new companion event, DevLand. It should be fun. Will you be around? If so, say hi. We have ...

5.8AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2026/03/03 12:0 a.m.10 views

This Week in Spring - March 3rd, 2026

Hi Spring fans! Welcome to another rip-roaring installment of This Week in Spring! I'm writing this in an Uber en route to the airport to get to awsome Atlanta, GA, for Devnexus 2026! Who's goin'? You goin'? We - the Spring team - will be there in force! Come say hi at the boothes or come see our...

6AI score
Exploits0
CVE
CVE
added 2026/01/19 2:22 p.m.18 views

CVE-2026-21618

Summary: CVE-2026-21618 is an XSS vulnerability in hexpm (hexpm/hexpm) affecting Elixir HexpmWeb.SharedAuthorizationView. The issue stems from improper input neutralization in web page generation, specifically in lib/hexpm_web/views/shared_authorization_view.ex and the function render_grouped_sco...

8.5CVSS5.4AI score0.00217EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/01/19 2:22 p.m.28 views

CVE-2026-21618 Cross-site scripting (XSS) in OAuth Device Authorization screen

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting XSS. This vulnerability is associated with program files...

8.5CVSS0.00217EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2024/10/16 12:32 p.m.5 views

Malicious code in auth-oauth-device (npm)

--- -= Per source details. Do not edit below this line.=-...

7AI score
Exploits0
OSV
OSV
added 2024/10/16 12:32 p.m.12 views

MAL-2024-9511 Malicious code in auth-oauth-device (npm)

--- -= Per source details. Do not edit below this line.=-...

7.1AI score
Exploits0
Kitploit
Kitploit
added 2022/12/21 1:30 p.m.161 views

Squarephish - An advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes

SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes. See PhishInSuits for more details on using OAuth Device Code flow for phishing attacks. / | | | | | | | | | | | | | \ \ / | | | |/ | '/ \ /| ' | / | ' \ | | | || | | |...

7.5AI score
Exploits0References11
Rows per page
Query Builder