Lucene search
K

2169 matches found

RedhatCVE
RedhatCVE
added 2026/05/11 8:25 p.m.9 views

CVE-2021-47923

OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized...

9.8CVSS5.9AI score0.00423EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.12 views

PT-2026-39654

Name of the Vulnerable Software and Affected Versions HireFlow version 1.2 Description The software fails to implement Cross-Site Request Forgery CSRF token validation on state-changing POST endpoints. This allows an attacker to trick an authenticated user into visiting a malicious page to perfor...

8.1CVSS5.9AI score0.00168EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/05/11 12:0 a.m.39 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

0.00168EPSS
Exploits1References3
CVE
CVE
added 2026/05/11 12:0 a.m.15 views

CVE-2026-38566

CVE-2026-38566 affects HireFlow v1.2. The issue is CSRF on all state-changing POST endpoints (e.g., /profile password change, /candidates/delete/, /feedback/add/, /interviews/add) due to missing CSRF token validation and no SESSION_COOKIE_SAMESITE configuration. Root cause: CSRF token validation ...

8.1CVSS6AI score0.00168EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/10 2:20 p.m.20 views

User Impersonation

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to User Impersonation via the OCSESSID cookie. An attacker can gain unauthorized access to user accounts by injecting arbitrary values into the session cookie, allowing session takeover...

9.8CVSS5.9AI score0.00423EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.17 views

PT-2026-39472

Name of the Vulnerable Software and Affected Versions Moodle LMS version 4.0 Description An issue allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Specifically, JavaScript code can be injected via the search field in the...

6.1CVSS6AI score0.00331EPSS
Exploits1References11
OSV
OSV
added 2026/05/09 12:31 p.m.10 views

OESA-2026-2219 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads wi...

9.8CVSS5.8AI score0.00879EPSS
Exploits1References9
OSV
OSV
added 2026/05/09 12:30 p.m.13 views

OESA-2026-2217 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads wi...

9.8CVSS5.8AI score0.00879EPSS
Exploits1References9
NVD
NVD
added 2026/05/08 8:16 p.m.48 views

CVE-2026-42190

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...

5.3CVSS0.00111EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 7:35 p.m.8 views

CVE-2026-42190

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...

5.3CVSS5.8AI score0.00111EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/08 7:35 p.m.11 views

EUVD-2026-28823

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...

5.3CVSS5.8AI score0.00111EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.10 views

RedwoodSDK 跨站请求伪造漏洞

RedwoodSDK is an open-source React-based server-first web application framework developed by RedwoodJS. Versions of RedwoodSDK from 1.0.0-beta.50 to 1.2.3 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the use of HTTP methods on the server without source...

5.3CVSS5.7AI score0.00111EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 2:13 a.m.12 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the admin session cookie handling process. An attacker can maintain unauthorized access to administrative functionality by reusing a valid session cookie after a user logs out, until the cookie expires...

9.1CVSS5.8AI score0.00197EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/05 9:31 p.m.9 views

CVE-2026-40934 jupyter-server authentication cookies remain valid after password reset due to static cookie secret

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

7.6CVSS5.7AI score0.00308EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/05 8:58 p.m.10 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...

9.8CVSS5.8AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 8:58 p.m.5 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...

9.8CVSS5.8AI score0.00257EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/04 12:42 a.m.7 views

CVE-2026-42365

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability...

8.6CVSS5.8AI score0.00329EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/04 12:42 a.m.25 views

CVE-2026-42365

GeoVision GeoVision LPC2011/LPC2211 Web Interface (version 1.10) exposes a session cookie vulnerability that allows authentication bypass through a crafted sequence of HTTP requests and brute-forcing session cookies. The CVE notes a network‑based, low‑complexity exposure with no user interaction ...

8.6CVSS5.8AI score0.00329EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.9 views

PT-2026-36733

Name of the Vulnerable Software and Affected Versions GeoVision LPC2011/LPC2211 version 1.10 Description The Web Interface functionality contains a flaw where session cookies are guessable. An attacker can use a series of specially crafted HTTP requests to brute-force these cookies, allowing them...

8.6CVSS5.3AI score0.00329EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/30 12:0 a.m.9 views

CVE-2026-36956

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

8.8CVSS5.4AI score0.00163EPSS
Exploits1References3
Rows per page
Query Builder