5 matches found
EUVD-2025-12788
Malicious code in bioql PyPI...
CVE-2024-23647
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to...
CVE-2024-23647 PKCE downgrade attack in Authentik
CVE-2023-50714
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
yiisoft/yii2-authclient's Oauth2 PKCE implementation is vulnerable
Impact: What kind of vulnerability is it? Who is impacted? Original Report: The Oauth2 PKCE implementation is vulnerable in 2 ways: 1. The authCodeVerifier should be removed after usage, similar to 'authState'. 2. There is a risk for a "downgrade attack" if PKCE is being relied on for CSRF protectio...