CVE-2026-56425

The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...

EUVD-2026-38228

The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...

EUVD-2026-29373

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

CVE-2026-45430

CVE-2026-45430 affects the Salesforce module for Backdrop CMS (vulnerable: 1.x-1.0.0 and earlier; fixed in 1.x-1.0.1 or later). The root cause is the module not properly using a random state parameter to protect the OAuth-like authorization flow, leaving it susceptible to CSRF attacks. The CVSSv3...

PT-2026-39931

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

PYSEC-2014-50

The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG...