Lucene search
+L

149 matches found

CVE
CVE
added 2026/06/07 10:45 p.m.43 views

CVE-2026-11465

CVE-2026-11465 affects songquanpeng’s one-api (up to 0.6.11-preview.7). The issue is in the Redemption Code Top-Up Endpoint, specifically the function Redeem in file model/redemption.go, where manipulation leads to business logic errors. Reported as exploitable remotely with high complexity and l...

3.1CVSS4.7AI score0.0022EPSS
Exploits0References7
OSV
OSV
added 2026/06/07 10:45 p.m.4 views

CVE-2026-11465 songquanpeng one-api Redemption Code Top-Up Endpoint redemption.go Redeem logic error

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...

2.3CVSS5.1AI score0.0022EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/07 12:0 a.m.21 views

PT-2026-47196

Name of the Vulnerable Software and Affected Versions songquanpeng one-api versions prior to 0.6.11-preview.7 Description A business logic error exists in the Redemption Code Top-Up Endpoint. The issue is located within the Redeem function of the model/redemption.go file. This flaw allows for...

3.1CVSS5.2AI score0.0022EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/06/07 12:0 a.m.14 views

One API 安全漏洞

One API is an LLM API management and distribution system developed by JustSong’s developers. Versions of One API prior to 0.6.11-preview.7 contained a security vulnerability. This vulnerability stemmed from a function issue in the Redemption Code Top-Up Endpoint component’s model/redemption.go...

3.1CVSS4.8AI score0.0022EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.10 views

CVE-2026-6334

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.8CVSS5.5AI score0.00118EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.17 views

CVE-2026-47741

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS5.5AI score0.00239EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 6:2 p.m.14 views

EUVD-2026-33409

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/29 6:2 p.m.9 views

CVE-2026-47741

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/29 6:2 p.m.14 views

CVE-2026-47741 Shopper: Race condition on Discount.usage_limit allows silent over-redemption

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References3
CVE
CVE
added 2026/05/29 6:2 p.m.25 views

CVE-2026-47741

CVE-2026-47741 affects Shopper, a Headless e-commerce Admin Panel. Before 2.8.0, CreateOrderFromCartAction::execute created the Order row before incrementing the discount’s total_use, allowing a race condition under concurrent checkout that silently exceeded the global usage_limit and applied the...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/29 6:2 p.m.38 views

CVE-2026-47741 Shopper: Race condition on Discount.usage_limit allows silent over-redemption

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS0.00239EPSS
Exploits0References3
OSV
OSV
added 2026/05/29 6:2 p.m.5 views

CVE-2026-47741 Shopper: Race condition on Discount.usage_limit allows silent over-redemption

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS6AI score0.00239EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.14 views

PT-2026-44942

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total use counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usage limit wa...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/18 9:44 a.m.7 views

Authentication Bypass by Primary Weakness

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the OAuth authorization code redemption process. An attacker can gain unauthorized access to resource...

3.8CVSS5.9AI score0.00118EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 9:31 a.m.19 views

GHSA-JP3F-X449-4Q75 Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References4
NVD
NVD
added 2026/05/18 8:16 a.m.27 views

CVE-2026-6334

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.8CVSS0.00118EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/18 6:33 a.m.26 views

EUVD-2026-30743

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References1
CVE
CVE
added 2026/05/18 6:33 a.m.34 views

CVE-2026-6334

Mattermost versions 11.5.x <= 11.5.1 and 10.11.x

3.8CVSS5.9AI score0.00118EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/18 6:33 a.m.50 views

CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS0.00118EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/18 6:33 a.m.8 views

CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1CVSS5.9AI score0.00118EPSS
Exploits0References1
Rows per page
Query Builder