10 matches found
EUVD-2026-44955
Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stackid and orgid values present in the public source tree...
CVE-2026-63087 Grafana OnCall 1.16.11 Unauthenticated Token Hijack via Plugin Install Endpoint
Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stackid and orgid values present in the public source tree...
PT-2026-60508
Name of the Vulnerable Software and Affected Versions Grafana OnCall versions prior to 1.16.12 Description An unauthenticated access issue exists where remote attackers can obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint. This is possible by using...
GHSA-MHGQ-XPFQ-6R66 OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...
MAL-2025-145489 Malicious code in nightwatch-terser-webpack-plugin-auth-callisto (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8330b970ea27a9a8326babaa86a72618b895c2a775a610dbb6a8d80ff93ff11 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
@app-box/web (=1.0.0), @comet/cms-site (>=3.0.0-canary.160.0 <=4.0.0-canary.1049.0) +33 more potentially affected by CVE-2022-24858 via next-auth (>=0.0.0-manual.83c4ebd1 <=3.29.10)
next-auth NPM version =0.0.0-manual.83c4ebd1, =3.0.0-canary.160.0, =2.0.1-canary.24.0, =1.0.99-0.next12, =0.1.0, =0.46.0, =0.30.0, =0.3.0, =0.10.0, =0.2.0, =0.3.0, =0.3.0, =0.4.0, =0.1.0, =0.1.3 and more Source cves: CVE-2022-24858 Source advisory: OSV:GHSA-F9WG-5F46-CJMW...
Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend
Impact This vulnerability allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but i...
CVE-2021-43776
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other...
CVE-2021-43776 XSS vulnerability in @backstage/plugin-auth-backend
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other...