3106 matches found

NVD | added 3 days ago | 7 views
CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVSS 8.1 | EPSS 0.00303 | Exploits 0 | References 6

EUVD | added 3 days ago | 4 views
EUVD-2026-39475
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to...
CVSS 4.6 | AI score 5.8 | EPSS 0.00175 | Exploits 0 | References 2

CVE | added 3 days ago | 8 views
CVE-2026-9799
Affects Keycloak's authorization component (org.keycloak.authorization). The vulnerability allows an authenticated user with a granted UMA permission ticket for one resource to bypass per-resource access control by using a specific permission request prefix, granting access to all resources of th...
CVSS 4.6 | AI score 5.8 | EPSS 0.00175 | Exploits 0 | References 6

RedhatCVE | added 3 days ago | 4 views
CVE-2026-9799
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to...
CVSS 4.6 | AI score 5.8 | EPSS 0.00175 | Exploits 0 | References 3

RedhatCVE | added 6 days ago | 9 views
CVE-2026-12027
The following flaw was identified in the Chromium browser: Insufficient policy enforcement (Headless). Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517517155...
CVSS 9.6 | AI score 5.8 | EPSS 0.00224 | Exploits 0 | References 5

RedhatCVE | added 6 days ago | 5 views
CVE-2026-12024
The following flaw was identified in the Chromium browser: Insufficient policy enforcement (DevTools). Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517086161...
CVSS 6.5 | AI score 5.8 | EPSS 0.00158 | Exploits 0 | References 5

Cvelist | added 2026/06/20 3:24 p.m. | 30 views
CVE-2026-56295 Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...
CVSS 6.3 | EPSS 0.00188 | Exploits 0 | References 2

NVD | added 2026/06/19 10:16 p.m. | 13 views
CVE-2026-56081
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...
CVSS 9.3 | EPSS 0.00351 | Exploits 0 | References 2

Microsoft CVE | added 2026/06/19 2:00 p.m. | 61 views
Chromium: CVE-2026-12460 Insufficient policy enforcement in File System Access
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVSS 4.2 | AI score 5.8 | EPSS 0.00153 | Exploits 0

AstraLinux | added 2026/06/19 11:10 a.m. | 4 views
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: macvlan: The forgotten nla_policy has been added for IFLA_MACVLAN_BC_CUTOFF. The previous commit 954d1fa1ac93, titled "macvlan: Add netlink attribute for broadcast cutoff", added an additional attribute named IFLA_MACVLAN_BC_CUTOFF to...
CVSS 7.8 | AI score 5.7 | EPSS 0.00133 | Exploits 0 | References 2

AstraLinux | added 2026/06/19 11:10 a.m. | 5 views
Astra Linux – Vulnerability in Chromium
Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation through a malicious Chrome Extension...
CVSS 6.5 | AI score 7.1 | EPSS 0.08726 | Exploits 0 | References 1

AstraLinux | added 2026/06/19 11:10 a.m. | 5 views
Astra Linux – Vulnerability in Chromium
Insufficient policy enforcement in the File System API of Google Chrome on Windows prior to version 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions through a crafted HTML page...
CVSS 8.1 | AI score 7.9 | EPSS 0.08084 | Exploits 0 | References 1

AstraLinux | added 2026/06/19 11:10 a.m. | 7 views
Astra Linux – Vulnerability in Chromium
Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code...
CVSS 4.3 | AI score 6.6 | EPSS 0.01127 | Exploits 0 | References 1

RedhatCVE | added 2026/06/19 8:50 a.m. | 9 views
CVE-2026-12460
An insufficient policy enforcement flaw was found in the File System Access component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517484284...
CVSS 8 | AI score 5.8 | EPSS 0.00153 | Exploits 0 | References 5

Debian CVE | added 2026/06/17 1:38 a.m. | 6 views
CVE-2026-12460
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. Chromium security severity: High...
CVSS 4.2 | AI score 5.3 | EPSS 0.00153 | Exploits 0

Positive Technologies | added 2026/06/17 12:00 a.m. | 14 views
PT-2026-50499
Name of the Vulnerable Software and Affected Versions: undici versions 5.15.0 through 6.25.x; undici versions 7.0.0 through 7.27.x; undici versions 8.0.0 through 8.4.x. Description: When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a...
CVSS 3.7 | AI score 5.3 | EPSS 0.00248 | Exploits 0 | References 57

NVD | added 2026/06/16 7:17 p.m. | 8 views
CVE-2026-53845
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy...
CVSS 4.3 | EPSS 0.00185 | Exploits 0 | References 2

CVE | added 2026/06/16 6:05 p.m. | 14 views
CVE-2026-53857
OpenClaw before 2026.5.3 is vulnerable: the policy enforcement flaw allows Zalo display-name changes to influence allowFrom policy matching, causing attackers with mutable display names to receive responses intended for other Zalo identities when the feature is enabled. Affected product: OpenClaw...
CVSS 8.6 | AI score 5.3 | EPSS 0.00225 | Exploits 0 | References 2 | Affected Software 1

CVE | added 2026/06/16 6:04 p.m. | 17 views
CVE-2026-53845
OpenClaw prior to version 2026.5.6 has a hook bypass in the skill-command dispatch path, where commands routed through the affected path skip the before-tool-call hook coverage, potentially bypassing auditing and policy enforcement. This is described in the CVE entry as a dispatch hook bypass vul...
CVSS 4.3 | AI score 5.4 | EPSS 0.00185 | Exploits 0 | References 2 | Affected Software 1

Microsoft CVE | added 2026/06/16 2:14 a.m. | 10 views
Chromium: CVE-2026-11684 Insufficient policy enforcement in Network
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVSS 4.3 | AI score 5.2 | EPSS 0.00177 | Exploits 0