49 matches found
@appwise/oauth2-server (>=0.0.19 <=0.2.2), @arlequins/oauth2 (>=1.0.1 <=1.0.3) +9 more potentially affected by CVE-2026-41213 via @node-oauth/oauth2-server (>=5.0.0-rc.3 <=5.2.1)
@node-oauth/oauth2-server NPM version =5.0.0-rc.3, =0.0.19, =1.0.1, =1.4.0, =1.3.0, =4.0.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 Source cves: CVE-2026-41213 Source advisory: SNYK:JS-NODEOAUTHOAUTH2SERVER-16420261...
CVE-2026-41213
creation timestamp | type | source
---|---|---
2026-04-15 08:02:45+00:00 | published-proof-of-concept | https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf...
CVE-2026-39976
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier since there's no user. The token guard then passes this value ...
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
EUVD-2021-0921
Malware in sbrugna...
EUVD-2022-6482
Malicious code in bioql PyPI...
EUVD-2022-37745
Malicious code in bioql PyPI...
EUVD-2025-9026
Malicious code in bioql PyPI...
CVE-2020-5300
In Hydra, an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], the OpenID specification says the following about assertion jti: "A unique identifier for the token, which can be used to...
CVE-2025-31691
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
GHSA-4F8Q-MWGC-3MWC Drupal OAuth2 Server Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
Drupal OAuth2 Server Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
CVE-2025-31691
The CVE-2025-31691 issue affects Drupal OAuth2 Server, with vulnerable versions 0.0.0 through 2.0.x. The root cause is a Missing Authorization flaw that enables Forceful Browsing, effectively bypassing access controls. Impact is described as a high-severity access bypass affecting authentication ...
CVE-2025-31691 OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
PT-2025-13855 · Drupal · Drupal Oauth2 Server
Name of the Vulnerable Software and Affected Versions: Drupal OAuth2 Server versions 0.0.0 through 2.0.x Description: The issue is related to a Missing Authorization vulnerability in the Drupal OAuth2 Server, which allows Forceful Browsing. Recommendations: For versions 0.0.0 through 2.0.x, updat...
Drupal OAuth2 Server module < 2.1.0 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module OAuth2 Server versions 2.1.0...
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...