Lucene search
K

2076 matches found

EUVD
EUVD
added 2026/04/21 6:26 p.m.6 views

EUVD-2026-24035

OpenBao's SQL Injection in PostgreSQL database secrets engine...

4.6CVSS5.8AI score0.00235EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/21 6:26 p.m.9 views

OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/21 6:26 p.m.6 views

GHSA-6VGR-CP5C-FFX3 OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References6
OSV
OSV
added 2026/04/21 3:0 p.m.5 views

GHSA-X234-X5VQ-CC2V Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/21 3:0 p.m.9 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/21 12:50 p.m.5 views

CVE-2026-40264

A flaw was found in OpenBao. OpenBao's multi-tenant separation feature allows a privileged administrator in one tenant to revoke or renew a token belonging to another tenant if that token's accessors are leaked. This unauthorized token management could lead to a denial of service for the affected...

2.7CVSS5.7AI score0.00301EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/04/21 12:16 p.m.3 views

SUSE CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References3
RustSec
RustSec
added 2026/04/21 12:0 p.m.9 views

Broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

5.4AI score
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/21 11:46 a.m.4 views

CVE-2026-39946

A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injectio...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/21 2:8 a.m.2 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection due to improper quoting of schema names in the PostgreSQL database secrets engine during the role revocation process. An attacker can execute arbitrary SQL commands as the management user by supplying crafted schema names...

5.8CVSS6.2AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 2:7 a.m.5 views

Improper Restriction of Security Token Assignment

Overview Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the token store process. An attacker can cause unauthorized renewal or revocation of tokens across namespaces by obtaining token accessors and leveraging privileged administrator...

2.7CVSS5.4AI score0.00301EPSS
Exploits0References2
NVD
NVD
added 2026/04/21 1:16 a.m.5 views

CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.9CVSS0.00235EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/21 12:47 a.m.8 views

CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...

2CVSS5.8AI score0.00301EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 12:47 a.m.17 views

CVE-2026-40264

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, a tenant that leaks token accessors could have their token revoked or renewed by a privileged administrator in another tenant. This cross-namespace exposure is mitigated in version 2.5.3. The CVE entry not...

2.7CVSS5.8AI score0.00301EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/04/21 12:47 a.m.5 views

CVE-2026-40264

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...

2.7CVSS5.4AI score0.00301EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/04/21 12:19 a.m.4 views

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.6CVSS5.8AI score0.00235EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/21 12:19 a.m.28 views

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.6CVSS0.00235EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 12:19 a.m.16 views

CVE-2026-39946

OpenBao (open source identity-based secrets manager) before version 2.5.3 is affected. When revoking privileges on a role within the PostgreSQL database secrets engine, OpenBao could fail to properly quote schema names provided by PostgreSQL, potentially leading to role revocation failures and, m...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/04/21 12:19 a.m.4 views

CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.9CVSS5.8AI score0.00235EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.7 views

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.3.1.7)

The version of AOS installed on the remote host is prior to 7.3.1.7. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.3.1.7 advisory. - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raste...

8.3CVSS7.3AI score0.00955EPSS
Exploits4References10
Rows per page
Query Builder