17849 matches found
EUVD-2026-41629
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check...
WordPress Copyright Proof <=4.16 - Cross-Site Scripting
WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. id: CVE-2022-1906...
CVE-2026-54431
A flaw was found in liboauth2. The Demonstrating Proof-of-Possession (DPoP) verifier incorrectly accepts a malformed DPoP proof. This proof contains private key material in its JSON Web Key (JWK) header, which should be rejected according to RFC 9449. This vulnerability could allow an attacker to...
CVE-2026-50027
creation timestamp | type | source
---|---|---
2026-07-02 16:35:08+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-84hp-mqvj-3p8h
2026-07-03 03:00:27+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116853809243699371...
CVE-2026-54431
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that...
CVE-2026-54431 Improper Data Validation in liboauth2
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that...
CVE-2026-54431
CVE-2026-54431 affects the liboauth2 DPoP verifier. The bug allows a DPoP proof whose JWK header embeds private key material to be accepted, violating RFC 9449 section 4.3 step 7, because the function oauth2_token_verify() returns success for a malformed DPoP proof that embeds the private EC key ...
EUVD-2026-41277
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that...
GHSA-XGJW-PM74-86Q4 sigstore-js has Insufficient Verification of Data Authenticity
sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not...
PYSEC-2026-477 PraisonAI has critical RCE via `type: job` workflow YAML
praisonai workflow run loads untrusted YAML and, if type: job, executes steps through JobWorkflowExecutor in jobworkflow.py. This supports:
- run: → shell command execution via subprocess.run
- script: → inline Python execution via exec
- python: → arbitrary Python script execution
A malicious YAML...
[SECURITY] Fedora 44 Update: nginx-mod-js-challenge-0^20230517.gitda6852d-9.fc44
Simple JavaScript proof-of-work-based access for Nginx with virtually no overhead...
CVE-2026-48755
creation timestamp | type | source
---|---|---
2026-06-26 20:35:12+00:00 | published-proof-of-concept | https://github.com/lxc/incus/security/advisories/GHSA-v6mj-8pf4-hhw4
2026-07-01 02:15:18+00:00 | seen | https://bsky.app/profile/securityonline.bsky.social/post/3mpkh3n7jjr2b
2026-07-01 02:31:46+00:00 | ... | ...
CVE-2026-48769
creation timestamp | type | source
---|---|---
2026-06-26 20:35:07+00:00 | published-proof-of-concept | https://github.com/lxc/incus/security/advisories/GHSA-f6m5-xw2g-xc4x
2026-07-01 02:15:18+00:00 | seen | https://bsky.app/profile/securityonline.bsky.social/post/3mpkh3n7jjr2b
2026-07-01 02:31:46+00:00 | ... | ...
CVE-2026-48529
creation timestamp | type | source
---|---|---
2026-06-25 22:35:05+00:00 | published-proof-of-concept | https://github.com/github/github-mcp-server/security/advisories/GHSA-pjp5-fpmr-3349
2026-06-26 18:26:46+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mp7l26lvbx2l...
CVE-2026-48708
creation timestamp | type | source
---|---|---
2026-06-24 18:35:07+00:00 | published-proof-of-concept | https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj
2026-06-24 19:54:03+00:00 | seen | https://gist.github.com/alon710/cb59405487e5944ed006860e5bc630ab
2026-06-24... | ... | ...
CVE-2026-48709
creation timestamp | type | source
---|---|---
2026-06-24 18:35:05+00:00 | published-proof-of-concept | https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx
2026-06-24 18:43:21+00:00 | seen | https://gist.github.com/alon710/f2b2f51072808beda8e52a43b0bdd064
2026-06-24... | ... | ...
CVE-2026-53541
creation timestamp | type | source
---|---|---
2026-06-24 18:35:02+00:00 | published-proof-of-concept | https://github.com/OliveTin/OliveTin/security/advisories/GHSA-prj9-97mp-mwh2...
CVE-2026-47386
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...