
42 matches found

RedhatCVE
added 2026/04/06 4:46 p.m. | views: 1

CVE-2026-34777

A flaw was found in Electron, a framework for building desktop applications. When an embedded iframe requests permissions, such as for fullscreen or media access, the framework incorrectly provides the origin of the main page instead of the requesting iframe's origin. This vulnerability allows a...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00006
Exploits: 0 | References: 4

CVE
added 2026/04/03 11:57 p.m. | views: 4

CVE-2026-34777

CVE-2026-34777 affects Electron: prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, the origin passed to session.setPermissionRequestHandler() for iframe-permission requests (fullscreen, pointerLock, keyboardLock, openExternal, or media) was the top‑level page origin instead of the requesting ...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00006
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/04/03 11:57 p.m. | views: 2

CVE-2026-34777 Electron: Incorrect origin passed to permission request handler for iframe requests

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00006
Exploits: 0 | References: 1

OSV
added 2026/04/03 2:44 a.m. | views: 1

GHSA-R5P7-GP4J-QHRX Electron: Incorrect origin passed to permission request handler for iframe requests

Impact: When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00006
Exploits: 0 | References: 3

Snyk
added 2026/04/03 2:44 a.m. | views: 0

Origin Validation Error

Overview: org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00006
Exploits: 0 | References: 2

Snyk
added 2026/04/03 2:44 a.m. | views: 2

Origin Validation Error

Overview: electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain unauthorized access to...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00006
Exploits: 0 | References: 2

Github Security Blog
added 2026/04/03 2:44 a.m. | views: 2

Electron: Incorrect origin passed to permission request handler for iframe requests

Impact: When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00006
Exploits: 0 | References: 3 | Affected Software: 1

Positive Technologies
added 2026/04/03 12:0 a.m. | views: 0

PT-2026-30007

Impact: When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00006
Exploits: 0 | References: 4

Github Security Blog
added 2026/04/02 3:31 p.m. | views: 5

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 10 | Affected Software: 1

OSV
added 2026/04/02 3:31 p.m. | views: 1

GHSA-F2HX-5FX3-HMCV Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 10

RedHat Linux
added 2026/04/02 1:53 p.m. | views: 5

keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 4

NVD
added 2026/04/02 1:16 p.m. | views: 1

CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | EPSS: 0.00013
Exploits: 1 | References: 6

Vulnrichment
added 2026/04/02 12:45 p.m. | views: 1

CVE-2026-4636 Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 4

ATTACKERKB
added 2026/04/02 12:45 p.m. | views: 3

CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 7

RedhatCVE
added 2026/04/02 12:37 p.m. | views: 0

CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

CVSS: 8.1 | AI score: 5.8 | EPSS: 0.00013
Exploits: 1 | References: 3

Positive Technologies
added 2026/04/02 12:0 a.m. | views: 1

PT-2026-29732

Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified). Description: A flaw exists in Keycloak where an authenticated user possessing the uma protection role can circumvent User-Managed Access (UMA) policy validation. This allows an attacker to include resource...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00013
Exploits: 1 | References: 13

HackRead
added 2025/09/04 1:16 p.m. | views: 3

New Malware Uses Windows Character Map for Cryptomining

Darktrace reports new malware hijacking Windows Character Map for cryptomining, exposing risks of hidden attacks in everyday software…...

AI score: 7
Exploits: 0

Malwarebytes
added 2025/09/03 9:24 p.m. | views: 5

Update your Android! Google patches 111 vulnerabilities, 2 are critical

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin. While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July...

CVSS: 8.8 | AI score: 7.5 | EPSS: 0.0031
Exploits: 9

Veracode
added 2025/09/03 7:9 a.m. | views: 2

Improper Authentication

github.com/mattermost/mattermost-plugin-confluence is vulnerable to Improper Authentication. The vulnerability is due to missing enforcement of user authentication in the Mattermost instance, which allows an attacker to access subscription details through an unauthenticated API call to the GET...

CVSS: 3.7 | AI score: 7.2 | EPSS: 0.00067
Exploits: 0 | References: 3 | Affected Software: 1

Circl
added 2025/09/02 2:21 p.m. | views: 3

CVE-2025-56254

| creationtimestamp | type | source |
|---|---|---|
| 2025-09-02 14:21:23+00:00 | seen | https://gist.github.com/Darkcrai86/61d0935ed95ded11f16549af9d5c76e1... |

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.00052
Exploits: 0 | References: 1