CVE-2026-29782
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zzoauth2 table using the attacker-controlled GET parameter...
Insufficiently Protected Credentials
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the OAuth2 authentication process when the useridField option is not set. An attacke...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the registeredStates map used during OAuth2 state handling. An attacker can cause the service to crash and become unavailable by sending multiple concurrent requests to the...
EUVD-2021-1085
Malware in sbrugna...
EUVD-2021-1179
Malware in sbrugna...
EUVD-2024-2769
Malicious code in bioql PyPI...
EUVD-2023-39925
Malicious code in bioql PyPI...
EUVD-2024-2103
Malicious code in bioql PyPI...
CVE-2025-43856
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through OAuth2, because the state parameter is not being checked. The OAuth2 state parameter is similar to a CSRF token, so when the user starts the login flow...
CVE-2025-43856 immich allows account hijacking through oauth2
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through OAuth2, because the state parameter is not being checked. The OAuth2 state parameter is similar to a CSRF token, so when the user starts the login flow...
CVE-2025-21085
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization...
CVE-2023-31580
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token...
CVE-2023-23944
Nextcloud Mail is an email app for the Nextcloud home server platform. In versions prior to 2.2.2, users' passwords were stored in cleartext in the database for the duration of the OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user...
CVE-2020-15234
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite before version 0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using strings.ToLower while they should have been compared wi...
CVE-2024-52289 authentik has an insecure default configuration for OAuth2 Redirect URIs
authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping...
ownCloud Security Breach
ownCloud is a personal cloud storage solution from the U.S.-based ownCloud, Inc. A security vulnerability exists in ownCloud oauth2 versions prior to 0.6.1, which stems from the ability to pass in a specially crafted redirect URL in the oauth2 application that bypasses authentication code and can...
io.micronaut.security:micronaut-security-aot (>=3.10.0 <=3.10.1) potentially affected by CVE-2023-36820 via io.micronaut.security:micronaut-security-oauth2 (>=3.10.0 <=3.10.1)
io.micronaut.security:micronaut-security-oauth2 MAVEN version =3.10.0, =3.10.1 Source cves: CVE-2023-36820 Source advisory: OSV:GHSA-QW22-8W9R-864H...
CVE-2023-38878
A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'...