751 matches found
CVE-2026-41164
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...
EUVD-2026-31940
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...
CVE-2026-41164 nuts-node: JWT type confusion in v1 access token introspection allows VP replay as access token
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...
CVE-2026-41164
The CVE concerns nuts-node, the reference implementation of the Nuts spec. Prior to versions 6.2.3 (and 5.4.31 for the 5.x branch), the v1 access token introspection endpoint (/auth/v1/introspect_access_token) validates only standard JWTs, and does not enforce Nuts-specific checks such as JWT typ...
NPM: MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
NPM: MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement vulnerability discovered by ? in WordPress Npm mcp-server-kubernetes versions 3.6.0...
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...
EUVD-2026-30859
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...
ROS-20260515-73-0045
A vulnerability in the Extensions component of the Google Chrome browser is related to information presentation errors in the user interface. Exploitation of the vulnerability could allow an attacker acting remotely to spoof the user interface...
CISO Guide: Building a Business Case for CTEM
Every CISO knows the frustration: you understand the exposure risk facing your organization, you know that a Continuous Threat Exposure Management program would fundamentally change your security posture, and yet, when budget season arrives, CTEM is one of the first line items questioned. Ready t...
Microsoft Office PowerPoint 访问控制错误漏洞
Microsoft Office PowerPoint is a software tool developed by the American company Microsoft for creating presentation documents PPTs. Microsoft Office PowerPoint has a security vulnerability related to access control. Attackers can exploit this vulnerability to carry out deceptive attacks...
SUSE CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
Linux Distros Unpatched Vulnerability : CVE-2026-7926
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTM...
EUVD-2026-27955
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-7926
CVE-2026-7926 affects Google Chrome’s PresentationAPI prior to Chrome 148.0.7778.96. Description: use-after-free in PresentationAPI could allow a remote attacker to execute arbitrary code in the sandbox via a crafted HTML page. Connected sources indicate the fix is included in the Chrome 148 stab...
CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-7926
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the /auth/v1/introspectaccesstoken endpoint, which accepts any JWT signed by a key present on the node without validating the JWT type, issuer-to-key binding, or required claims. An...