Lucene search
+L

383 matches found

EUVD
EUVD
added 10 hours ago4 views

EUVD-2026-45082

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-35143

CVE-2026-35143 affects HCL DFXAnalytics. The issue is that session cookies generated during authentication do not set the SameSite attribute, enabling potential CSRF exposure if additional mitigations (e.g., Anti-CSRF tokens) are not in place. The available data specify a low overall severity (CV...

3CVSS6.2AI score
Exploits0References1
RedHat Linux
RedHat Linux
added 6 days ago6 views

undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...

3.7CVSS6.9AI score0.00248EPSS
Exploits0References6
NVD
NVD
added last week7 views

CVE-2026-38057

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an...

8.1CVSS0.00308EPSS
Exploits0References3
EUVD
EUVD
added last week9 views

EUVD-2026-42907

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an...

8.1CVSS6.1AI score0.00308EPSS
Exploits0References3
OSV
OSV
added 2026/07/08 12:6 p.m.6 views

RLSA-2026:35842 Important: nodejs22 security, bug fix, and enhancement update

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...

8.1CVSS6.6AI score0.02806EPSS
Exploits1References14
Snyk
Snyk
added 2026/07/07 1:1 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...

6CVSS5.9AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.8 views

PT-2026-56214

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description The email and WeChat account binding endpoints use GET requests for state-changing account operations. In deployments where session cookies are sent on cross-site navigations, an attacker ca...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References7
OSV
OSV
added 2026/07/06 8:22 p.m.3 views

SUSE-SU-2026:22565-1 Security update for nodejs24

This update for nodejs24 fixes the following issues Update to version 24.18.0 bsc1269825. Security issues fixed: - CVE-2026-2581: undici: denial of service due to uncontrolled resource consumption bsc1268480. - CVE-2026-6733: undici: response queue poisoning on reused keep-alive sockets can lead ...

9.8CVSS6.1AI score0.02806EPSS
Exploits3References44
RedHat Linux
RedHat Linux
added 2026/07/06 3:7 p.m.7 views

undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...

3.7CVSS7AI score0.00248EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.6 views

undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...

3.7CVSS5.9AI score0.00248EPSS
Exploits0References6
OSV
OSV
added 2026/07/06 12:0 a.m.8 views

ALSA-2026:35892 Important: nodejs:22 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...

9.8CVSS7.1AI score0.02806EPSS
Exploits1References28
OSV
OSV
added 2026/06/30 9:6 a.m.3 views

SUSE-SU-2026:2695-1 Security update for nodejs22

This update for nodejs22 fixes the following issues: - CVE-2026-48618: tls: normalize hostname for server identity checks bsc1268593. - CVE-2026-48933: crypto: guard WebCrypto cipher output length bsc1268592. - CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors bsc1268598. -...

9.8CVSS6.1AI score0.02806EPSS
Exploits3References39
OSV
OSV
added 2026/06/26 10:34 a.m.4 views

SUSE-SU-2026:2647-1 Security update for nodejs22

This update for nodejs22 fixes the following issues Update to 22.23.0: - CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery bsc1268479. - CVE-2026-9496: pacote: excessive CPU consumption in addGitSha when processing a...

9.8CVSS6.6AI score0.02806EPSS
Exploits3References39
OSV
OSV
added 2026/06/25 1:34 p.m.2 views

SUSE-SU-2026:2633-1 Security update for nodejs24

This update for nodejs24 fixes the following issues Update to 24.17.0: - CVE-2026-2581: undici: Undici: Denial of Service due to uncontrolled resource consumption bsc1268480. - CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response...

9.8CVSS6AI score0.02806EPSS
Exploits3References43
OSV
OSV
added 2026/06/25 12:57 p.m.3 views

SUSE-SU-2026:22368-1 Security update for nodejs22

This update for nodejs22 fixes the following issues Update to 22.23.0: - CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery bsc1268479. - CVE-2026-9496: pacote: excessive CPU consumption in addGitSha when processing a...

9.8CVSS7AI score0.26356EPSS
Exploits3References53
Cvelist
Cvelist
added 2026/06/24 8:17 p.m.28 views

CVE-2026-52802 Gogs: Open Redirect via redirect_to in Gogs

Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite...

5.4CVSS0.00554EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/24 8:17 p.m.5 views

CVE-2026-52802

Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite...

5.4CVSS6AI score0.00554EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/23 4:42 p.m.4 views

GHSA-XXHQ-69MF-W8CR Gogs has an Open Redirect via redirect_to

Summary An open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. Details All redirects in Gogs that are validated via the IsSameSite function are vulnerable: go func IsSameSiteurl string...

5.4CVSS5.9AI score0.00554EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.18 views

PT-2026-51621

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description An open redirect issue exists where attacker-controlled redirect to parameters can bypass validation, allowing redirection to arbitrary external sites. This occurs in all redirects validated via the...

5.4CVSS6AI score0.00554EPSS
Exploits0References10
Rows per page
Query Builder