Lucene search
+L

2705 matches found

Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.23 views

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

9.1CVSS5.2AI score0.004EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/12 12:0 a.m.33 views

MongoDB 8.2.x < 8.2.10 / 8.3.x < 8.3.3 Multiple Vulnerabilities

The version of MongoDB installed on the remote host is 8.2.x prior to 8.2.10, or 8.3.x prior to 8.3.3. It is, therefore, affected by multiple vulnerabilities: - When OIDC authentication is enabled in configuration, clients may set specific values in the 'mechanism' parameter of the 'authenticate'...

8.2CVSS6AI score0.00347EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/11 11:30 a.m.9 views

CVE-2026-11956 TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attac...

6.3CVSS5AI score0.00191EPSS
Exploits0References6
CVE
CVE
added 2026/06/11 11:30 a.m.47 views

CVE-2026-11956

CVE-2026-11956 affects TwiN gatus 5.36.0, specifically the OIDC Session Cookie Handler (setSessionCookie). The issue is a missing Secure attribute on the session cookie, enabling potential exposure of sensitive cookie data via remote manipulation. The description indicates high attack complexity ...

6.3CVSS4.9AI score0.00191EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/11 11:30 a.m.35 views

CVE-2026-11956 TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attac...

6.3CVSS0.00191EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 a.m.12 views

CVE-2026-9742

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.5AI score0.00347EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.19 views

gatus 安全漏洞

Gatus is a service health monitoring and alerting tool developed by TwiN’s individual developers. Version 5.36.0 of Gatus contains a security vulnerability. This vulnerability stems from the setSessionCookie function in the OIDC session cookie handler. Performing certain operations may result in...

6.3CVSS4.9AI score0.00191EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.31 views

PT-2026-48659

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attac...

6.3CVSS4.9AI score0.00191EPSS
Exploits0References7
OSV
OSV
added 2026/06/10 1:37 p.m.9 views

GHSA-G759-4PXW-6692 @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The GOIDC1 and GOIDC2 policy rules ar...

8.3CVSS5.5AI score0.0004EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/10 12:31 a.m.18 views

EUVD-2026-35860

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.5AI score0.00347EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.11 views

PT-2026-48474

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The G OIDC 1 and G OIDC 2 policy rule...

8.3CVSS5.5AI score0.0004EPSS
Exploits0References4
OSV
OSV
added 2026/06/09 11:17 p.m.7 views

UBUNTU-CVE-2026-9742

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.3AI score0.00347EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/09 9:57 p.m.8 views

CVE-2026-9742 Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.5AI score0.00347EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 9:57 p.m.39 views

CVE-2026-9742 Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS0.00347EPSS
Exploits0References1
OSV
OSV
added 2026/06/09 9:57 p.m.2 views

CVE-2026-9742 Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.9AI score0.00347EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.18 views

PT-2026-48290

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description When OIDC OpenID Connect, an identity layer on top of the OAuth 2.0 protocol authentication is enabled in the configuration, unauthenticated clients can cause a...

8.2CVSS5.4AI score0.00347EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.18 views

MongoDB Server 安全漏洞

MongoDB Server is an open-source NoSQL database developed by MongoDB, a US-based company. This database offers features such as collection-oriented storage, dynamic querying, data replication, and automatic failover. There is a security vulnerability in MongoDB Server, which stems from the abilit...

8.2CVSS5.3AI score0.00347EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 7:9 p.m.37 views

CVE-2026-46484 Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3...

8.1CVSS0.00374EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/08 4:37 p.m.9 views

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Server-side Request Forgery CVE-2026-1180

Summary keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation Vulnerability Details CVEID:CVE-2026-1180 DESCRIPTION: A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using privatekeyjw...

5.8CVSS5.6AI score0.00363EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Rows per page
Query Builder