33 matches found

RedhatCVE
added yesterday · 7 views

CVE-2026-54431

A flaw was found in liboauth2. The Demonstrating Proof-of-Possession (DPoP) verifier incorrectly accepts a malformed DPoP proof. This proof contains private key material in its JSON Web Key (JWK) header, which should be rejected according to RFC 9449. This vulnerability could allow an attacker to...

CVSS 5.3 · AI score 5.8 · EPSS 0.00128
Exploits 0 · References 6
NVD
added 2 days ago · 8 views

CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify function returns success for a malformed DPoP proof that...

CVSS 5.1 · EPSS 0.00128
Exploits 0 · References 3
Cvelist
added 2 days ago · 33 views

CVE-2026-54431 Improper Data Validation in liboauth2

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify function returns success for a malformed DPoP proof that...

CVSS 5.1 · EPSS 0.00128
Exploits 0 · References 3
Debian CVE
added 2 days ago · 5 views

CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify function returns success for a malformed DPoP proof that...

CVSS 5.1 · AI score 5.8 · EPSS 0.00128
Exploits 0
CVE
added 2 days ago · 10 views

CVE-2026-54431

CVE-2026-54431 affects the liboauth2 DPoP verifier. The bug allows a DPoP proof whose JWK header embeds private key material to be accepted, violating RFC 9449 section 4.3 step 7, because the function oauth2_token_verify() returns success for a malformed DPoP proof that embeds the private EC key ...

CVSS 5.1 · AI score 5.8 · EPSS 0.00128
Exploits 0 · References 3
GithubExploit
added 2026/05/14 9:41 p.m. · 86 views

OrchidMantis

Orchid Mantis A Framework for ZKPoX — Zero-Knowledge Proof...

CVSS 7.5 · AI score 6.9 · EPSS 0.03185
Exploits 2
CVE
added 2026/05/12 1:34 p.m. · 19 views

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

CVSS 5.9 · AI score 5.8 · EPSS 0.00236
Exploits 0 · References 3 · Affected Software 1
Github Security Blog
added 2026/04/21 3:21 p.m. · 9 views

Auth0 Next.js SDK has Improper Proxy Cache Lookup

Description In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Which Projects are Affected? Users are affected if they meet all of the following preconditions: -...

CVSS 5.4 · AI score 5.8 · EPSS 0.00214
Exploits 0 · References 5 · Affected Software 1
RedhatCVE
added 2026/04/20 7:22 p.m. · 4 views

CVE-2026-40155

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if...

CVSS 5.4 · AI score 5.7 · EPSS 0.00214
Exploits 0 · References 1
Snyk
added 2026/04/17 10:39 p.m. · 6 views

Incorrect Authorization

Overview @auth0/nextjs-auth0 is a Next.js SDK for signing in with Auth0. Affected versions of this package are vulnerable to Incorrect Authorization in the proxy cache fetcher. An attacker can gain unauthorized access to sensitive information or perform actions with insufficient authorization by...

CVSS 6 · AI score 5.7 · EPSS 0.00214
Exploits 0 · References 2
OSV
added 2026/02/06 8:05 p.m. · 7 views

GHSA-69X3-G4R3-P962 Blocklist Bypass possible via ECDSA Signature Malleability

Impact When using P256 certificates, which is not the default configuration, it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. In order for this to affect a...

CVSS 7.6 · AI score 5.7 · EPSS 0.00133
Exploits 0 · References 4
RedhatCVE
added 2026/01/09 11:11 a.m. · 4 views

CVE-2016-10831

cPanel before 55.9999.141 does not perform a two-factor authentication check when possessing another account (SEC-101)...

CVSS 7.2 · AI score 7.2 · EPSS 0.01393
Exploits 0 · References 1
Github Security Blog
added 2025/11/24 11:34 p.m. · 4 views

Babylon's BIP322 signature implementation is not fully compliant to the spec

Summary The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the spec. Impact Non-compliant BIP-322 signatures in proof of possessions can be accepted by the chain...

AI score 6.9
Exploits 0 · References 4 · Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. · 6 views

EUVD-2016-7555

Malware in sbrugna...

CVSS 8.8 · AI score 8.8 · EPSS 0.01748
Exploits 0 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2020-1971

Malware in sbrugna...

CVSS 4.6 · AI score 5.1 · EPSS 0.00144
Exploits 0 · References 2
CNNVD
added 2024/10/28 12:00 a.m. · 3 views

Duende IdentityServer authorization issue vulnerability

Duende IdentityServer is a Duende open source, standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core. An authorization issue vulnerability exists in Duende IdentityServer version 7.0.0 and earlier, which stems from insufficient validation performed by the local API...

CVSS 3.1 · AI score 6.4 · EPSS 0.0032
Exploits 0 · References 2
Positive Technologies
added 2024/10/28 12:00 a.m. · 4 views

PT-2024-33666 · Duende · Duende Identityserver

Name of the Vulnerable Software and Affected Versions: Duende IdentityServer versions 7.0.0 through 7.0.7 Description: The local API authentication handler in Duende IdentityServer performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP...

CVSS 3.1 · AI score 7.3 · EPSS 0.0032
Exploits 0 · References 7
Vulnrichment
added 2023/02/16 6:07 p.m. · 11 views

CVE-2022-29054

A missing cryptographic steps vulnerability (CWE-325) in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.9, 6.2.x and 6.0.x may allow an attacker in possession of the encrypted key to decipher it...

CVSS 3.3 · AI score 6.8 · EPSS 0.00174
Exploits 0 · References 1
OSV
added 2022/09/21 11:25 a.m. · 26 views

CVE-2022-2888 Insufficient Session Expiration in octoprint/octoprint

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists...

CVSS 4.4 · AI score 4.7 · EPSS 0.00284
Exploits 1 · References 4
Fortinet
added 2022/09/06 12:00 a.m. · 52 views

Protect

A missing cryptographic steps vulnerability (CWE-325) in the functions that encrypt keytab values in FortiOS & FortiProxy may allow an attacker in possession of the encrypted secret to decipher it...

CVSS 1.7 · AI score 4.6 · EPSS 0.00255
Exploits 0 · Affected Software 2