2076 matches found
OpenBao SQL注入漏洞
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 had a SQL injection vulnerability. This vulnerability occurred when revoking role permissions in the PostgreSQL database key engine, where the correct database reference was not...
OpenBao 安全漏洞
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 contained security vulnerabilities. These vulnerabilities were caused by a problem with tenant isolation in namespaces, which could lead to tokens being revoked from tenants whose...
Incorrect Ownership Assignment
Overview Affected versions of this package are vulnerable to Incorrect Ownership Assignment through improper validation of the defaultGroup ID after group access revocation. An attacker can gain unauthorized access to group collections and perform full CRUD operations by omitting the X-Tenant...
CVE-2026-40196 HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
CVE-2026-40196
HomeBox (home inventory system) versions prior to 0.25.0 are affected by an access control flaw where a user’s defaultGroup ID remains assigned after being invited to a group, and revocation via the web interface does not apply to the API. The root cause is that the original group ID persists as ...
CVE-2026-40196 HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
PT-2026-33517
Name of the Vulnerable Software and Affected Versions HomeBox versions prior to 0.25.0 Description An issue exists where the defaultGroup ID remains permanently assigned to a user after their access to a group is revoked. Although the web interface enforces this revocation, the API does not...
BIT-AUTHENTIK-2025-29928 authentik's deletion of sessions did not revoke sessions when using database session storage
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage which is a non-default setting, deleting sessions via the Web Interface or the API would not revoke the session and the session holder wou...
EUVD-2025-209495
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
WSO2 Identity Server is affected by CVE-2025-12624, where active access tokens are not revoked when a user account is locked. The underlying issue is a failure to enforce revocation of previously issued, valid tokens, allowing locked accounts to maintain access to protected resources via unexpire...
SUSE-SU-2026:1386-1 Security update for openssl-1_1
This update for openssl-11 fixes the following issues: - CVE-2026-28387: Potential use-after-free in DANE client code bsc1260441. - CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL bsc1260442. - CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInf...
WSO2 Identity Server 安全漏洞
WSO2 Identity Server is an identity authentication server developed by the American company WSO2. There is a security vulnerability in WSO2 Identity Server; this vulnerability arises from the failure to revoke active access tokens when user accounts are locked, which may lead to bypassing access...
PT-2026-33306
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
LDAP Injection
Overview Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an...
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...
Improper Session Invalidation
github.com/usememos/memos is vulnerable to improper session invalidation. The vulnerability is due to access tokens not being revoked after a password change, which allows an attacker to retain unauthorized access using previously issued valid tokens...
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Summary pyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old revoked privileges until logout/session...