26 matches found

Positive Technologies
added yesterday | 3 views

PT-2026-46003

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary...

5.8 AI score
Exploits: 0 | References: 2
RedhatCVE
added 2026/04/21 5:6 p.m. | 1 view

CVE-2026-40293

A flaw was found in OpenFGA, an authorization/permission engine. When OpenFGA is configured to use preshared-key authentication and the built-in playground is enabled and accessible beyond localhost or trusted networks, a remote attacker can exploit this vulnerability. The local server includes t...

7.5 CVSS | 5.7 AI score | 0.00088 EPSS
Exploits: 0 | References: 5
Cvelist
added 2026/04/17 8:47 p.m. | 18 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

6.5 CVSS | 0.00088 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/17 8:47 p.m. | 0 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

6.5 CVSS | 5.7 AI score | 0.00088 EPSS
Exploits: 0 | References: 2
CVE
added 2026/04/17 8:47 p.m. | 4 views

CVE-2026-40293

OpenFGA OpenID/OpenFGA Playground vulnerability (CVE-2026-40293) affects OpenFGA 0.1.4–1.13.1 when preshared authentication is used and the built‑in playground is enabled with the endpoint accessible beyond localhost. The local HTML response from /playground reveals the preshared API key, enablin...

6.5 CVSS | 5.7 AI score | 0.00088 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/04/17 8:47 p.m. | 0 views

CVE-2026-40293

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

6.5 CVSS | 5.7 AI score | 0.00088 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/04/08 9:51 p.m. | 2 views

GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response

Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...

6.5 CVSS | 5.8 AI score | 0.00088 EPSS
Exploits: 0 | References: 4
Snyk
added 2026/04/08 9:51 p.m. | 1 view

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the runPlaygroundServer process in cmd/run/run.go and the playground configuration in pkg/server/config/config.go. An attacker can recover the preshared API key by sending an unauthenticated request to the...

7.5 CVSS | 5.8 AI score | 0.00088 EPSS
Exploits: 0 | References: 2
OSV
added 2026/03/30 2:36 p.m. | 0 views

OPENSUSE-SU-2026:20446-1 Security update for gnutls

This update for gnutls fixes the following issues: - CVE-2025-14831: Fixed DoS via excessive resource consumption during certificate verification (bsc#1257960). - CVE-2025-9820: Fixed a buffer overflow in gnutls_pkcs11_token_init (bsc#1254132). - Add the functionality to allow to specify the hash algorith...

5.3 CVSS | 6.2 AI score | 0.00059 EPSS
Exploits: 1 | References: 5
RedHat Linux
added 2026/02/18 8:42 a.m. | 2 views

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

7.5 CVSS | 6 AI score | 0.00056 EPSS
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/10 12:54 p.m. | 1 view

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

7.5 CVSS | 5.9 AI score | 0.00056 EPSS
Exploits: 0 | References: 5
OSV
added 2026/01/20 9:16 p.m. | 1 view

CVE-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

7.5 CVSS | 5.9 AI score
Exploits: 0 | References: 1
Tenable Nessus
added 2026/01/20 12:0 a.m. | 3 views

MiracleLinux 9 : libreswan-4.12-2.el9.ML.1 (AXSA:2024-8105:03)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-8105:03 advisory. libreswan: Missing PreSharedKey for connection can cause crash CVE-2024-2357 Tenable has extracted the preceding description block directly from the...

6.5 CVSS | 5.6 AI score | 0.00566 EPSS
Exploits: 0 | References: 2
Hacker One
added 2025/12/21 1:14 a.m. | 5 views

Node.js: TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate...

7.5 CVSS | 5.6 AI score | 0.00056 EPSS
Exploits: 0
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2005-3668

Malware in sbrugna...

7.8 CVSS | 6.1 AI score | 0.06721 EPSS
Exploits: 1 | References: 19
RedhatCVE
added 2025/05/23 6:4 a.m. | 1 view

CVE-2023-29193

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The...

8.7 CVSS | 7.1 AI score | 0.00365 EPSS
Exploits: 0 | References: 1
RedHat Linux
added 2025/01/02 6:44 p.m. | 2 views

libreswan: Missing PreSharedKey for connection can cause crash

A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys authby=secret, and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword,...

6.5 CVSS | 5.7 AI score | 0.00566 EPSS
Exploits: 0 | References: 6
Veracode
added 2023/04/19 4:35 p.m. | 30 views

Information Disclosure

github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability exists in the MetricsHandler function in defaults.go because it exposes the --grpc-preshared-key flag in the spicedb serve command which allows an attacker to gain access to the secret key and perform unauthoriz...

8.7 CVSS | 7.5 AI score | 0.00365 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Prion
added 2023/04/14 8:15 p.m. | 13 views

Spoofing

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The...

5 CVSS | 7.7 AI score | 0.00365 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2023/04/14 7:1 p.m. | 12 views

CVE-2023-29193 SpiceDB binding metrics port to untrusted networks and can leak command-line flags

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The...

8.7 CVSS | 8.8 AI score | 0.00365 EPSS
Exploits: 0 | References: 3