CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

2033 matches found

CVE-2026-53926

NocoDB vulnerability CVE-2026-53926: prior to 2026.05.1, revokeAllOAuthTokensByUser was an empty stub used by passwordChange, passwordForgot, and passwordReset, so OAuth access and refresh tokens were not revoked after a password change/reset, allowing an attacker-issued token to remain valid. Th...

6.3CVSS5.9AI score0.00051EPSS

Exploits0References1

ATTACKERKB•added yesterday•3 views

CVE-2026-53926

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

6.3CVSS5.9AI score0.00051EPSS

Exploits0References2Affected Software1

Cvelist•added yesterday•11 views

CVE-2026-54305 n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

8.9CVSS0.00042EPSS

Exploits0References1

NVD•added 2 days ago•7 views

CVE-2026-9162

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

4.3CVSS0.00202EPSS

Exploits0References1

ATTACKERKB•added 2 days ago•5 views

CVE-2026-9162

4.3CVSS5.9AI score0.00202EPSS

Exploits0References2Affected Software1

EUVD•added 2 days ago•7 views

EUVD-2026-38247

4.3CVSS5.9AI score0.00202EPSS

Exploits0References1

Cvelist•added 2 days ago•32 views

CVE-2026-9162 Global session revocation does not invalidate active WebSocket connections

4.3CVSS0.00202EPSS

Exploits0References1

CVE•added 2 days ago•9 views

CVE-2026-9162

Mattermost vulnerability CVE-2026-9162 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17. The issue: global session revocation does not invalidate cached authentication state for active WebSocket connections, allowing a user with an existing WebSock...

4.3CVSS5.9AI score0.00202EPSS

Exploits0References1Affected Software1

Tenable Nessus•added 6 days ago•3 views

Siemens SIMATIC S7-1500 TM MFP NULL Pointer Dereference (CVE-2026-28388)

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application...

7.5CVSS7.6AI score0.00885EPSS

Exploits0References4

Github Security Blog•added 2026/06/16 11:32 p.m.•9 views

n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints

Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could...

8.9CVSS5.6AI score0.00042EPSS

Exploits0References2Affected Software1

NVD•added 2026/06/16 7:17 p.m.•9 views

CVE-2026-53843

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation...

8.8CVSS0.00275EPSS

Exploits0References2

CVE•added 2026/06/16 6:4 p.m.•19 views

CVE-2026-53843

OpenClaw prior to 2026.5.26 contains an authorization bypass where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and al...

8.8CVSS5.3AI score0.00275EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/16 12:0 a.m.•11 views

PT-2026-49760

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description An authorization bypass exists where a surviving pairing-scoped device session can re-establish node token authority after the token has been revoked. This allows a previously paired device to...

8.8CVSS5.2AI score0.00275EPSS

Exploits0References5

EUVD•added 2026/06/13 12:34 a.m.•10 views

EUVD-2026-36618

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

6.5CVSS5.2AI score0.00207EPSS

Exploits0References3

EUVD•added 2026/06/13 12:34 a.m.•9 views

EUVD-2026-36612

OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially...

6.5CVSS5.3AI score0.00181EPSS

Exploits0References3

NVD•added 2026/06/12 10:16 p.m.•13 views

CVE-2026-53830

6.5CVSS0.00207EPSS

Exploits0References2

NVD•added 2026/06/12 10:16 p.m.•13 views

CVE-2026-53824

6.5CVSS0.00181EPSS

Exploits0References2