Lucene search
K

67 matches found

NVD
NVD
added last week7 views

CVE-2026-56823

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/webhookid/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

5.4CVSS0.0015EPSS
Exploits0References1
EUVD
EUVD
added last week8 views

EUVD-2026-39797

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/webhookid/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

5.4CVSS5.9AI score0.0015EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/12 11:7 a.m.8 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to a race condition in the AbstractOAuthDataProvider method when handling refresh tokens if the recycleRefreshTokens...

9.1CVSS5.4AI score0.00294EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/06/11 2:6 a.m.59 views

Exploit for Improper Authentication in Pocketbase

CVE-2026-44166 — PocketBase OAuth2 Account Pre-Hijacking Self...

7.6CVSS5.4AI score0.00247EPSS
Exploits1
Cvelist
Cvelist
added 2026/05/22 6:52 p.m.11 views

CVE-2026-40166 authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the clientsecret of confidential OAuth2 providers they have previously authenticated against, exposing...

7.1CVSS0.00337EPSS
Exploits0References3
NVD
NVD
added 2026/05/12 6:17 p.m.15 views

CVE-2026-44166

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When th...

7.6CVSS0.00247EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/16 10:44 p.m.9 views

OAuth 2.1 Provider: Unprivileged users can register OAuth clients

Am I affected? You're affected if all of the following are true: - Using @better-auth/oauth-provider at version specified below - You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients - The /oauth2/create-client or /admin/oauth2/create-client...

7.1CVSS5.4AI score0.00212EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/06 4:1 p.m.22 views

CVE-2026-34969

Nhost CVE-2026-34969 affects the Nhost project (auth service) where, before 0.48.0, the OAuth provider callback incorrectly appended the refresh token as a URL query parameter during redirect. This caused refresh tokens to be exposed in browser history, server logs, HTTP Referer headers, and prox...

7.5CVSS5.9AI score0.00267EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/04/01 11:36 p.m.3 views

Use of GET Request Method With Sensitive Query Strings

Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the OAuth provider callback flow. An attacker can gain unauthorized access to sensitive information by intercepting refresh tokens exposed in URL query parameters through browser...

7.5CVSS5.8AI score0.00267EPSS
Exploits1References2
NVD
NVD
added 2026/03/12 7:16 p.m.3 views

CVE-2026-32242

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...

9.1CVSS0.00261EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/01/06 12:25 a.m.6 views

SUSE CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...

4.8CVSS7AI score0.00193EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/20 9:37 p.m.8 views

CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...

4.8CVSS6.9AI score0.00193EPSS
Exploits0References1
NVD
NVD
added 2025/11/19 5:15 p.m.4 views

CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...

4.8CVSS0.00193EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/11/19 12:0 a.m.13 views

PT-2025-47494

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.8.5 authentik versions prior to 2025.10.2 Description authentik is an open-source Identity Provider. Before versions 2025.8.5 and 2025.10.2, when authenticating with client id and client secret to an OAuth...

9.9CVSS6.5AI score0.7654EPSS
Exploits33References90
SUSE CVE
SUSE CVE
added 2025/11/09 2:23 a.m.5 views

SUSE CVE-2017-18872

An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider...

4.3CVSS6.9AI score0.00565EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2015-7341

Malware in sbrugna...

5.4CVSS5.7AI score0.01141EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/05 12:34 a.m.6 views

EUVD-2025-32436

A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made...

6.5CVSS6.2AI score0.00304EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/10/04 11:2 p.m.6 views

CVE-2025-11273 LaChatterie Verger provider.ts redirectToAuthorization deserialization

A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made...

6.5CVSS6.4AI score0.00304EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/10/04 12:0 a.m.6 views

PT-2025-40781

Name of the Vulnerable Software and Affected Versions LaChatterie Verger versions up to 1.2.10 Description A flaw exists in LaChatterie Verger that impacts the redirectToAuthorization function within the /src/main/services/mcp/oauth/provider.ts file. Manipulation of the URL argument leads to...

6.5CVSS6AI score0.00304EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/03 8:7 p.m.16 views

EUVD-2023-0931

Malicious code in bioql PyPI...

8.8CVSS8.7AI score0.00538EPSS
Exploits1References12
Rows per page
Query Builder