Lucene search
K

6 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/26 6:37 p.m.5 views

CVE-2026-33505

Ory Keto is am open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in...

7.2CVSS6.2AI score0.00229EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 5:38 p.m.5 views

CVE-2026-33504

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens ar...

7.2CVSS6.2AI score0.00349EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/20 8:55 p.m.2 views

GHSA-C38G-MX2C-9WF2 Ory Keto has a SQL injection via forged pagination tokens

Description The GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious token...

7.2CVSS6.2AI score0.00229EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/20 8:54 p.m.13 views

Ory Kratos has a SQL injection via forged pagination tokens

Description The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including...

7.2CVSS6.2AI score0.00252EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/20 8:54 p.m.2 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection in the listCourierMessages function in handler.go. An attacker in possession of the configured secrets.pagination with access to the ListCourierMessages API can execute arbitrary SQL queries by forging a pagination token...

7.2CVSS6.1AI score0.00252EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.15 views

PT-2026-26787

Name of the Vulnerable Software and Affected Versions Ory Kratos affected versions not specified Description The ListCourierMessages Admin API in Ory Kratos is susceptible to SQL injection because of issues in its pagination implementation. Pagination tokens are encrypted using a secret configure...

7.2CVSS6.2AI score0.00252EPSS
Exploits0References5
Rows per page
Query Builder