Lucene search
K

72 matches found

CVE
CVE
added 2026/07/04 8:15 a.m.22 views

CVE-2026-14621

CVE-2026-14621 affects FederatedAI FATE (OSX Broker) up to 2.2.0. The vulnerability resides in QueuePushReqStreamObserver.initEggroll (file path java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java) where manipulation of rollSiteSessionId, dstRole, or dstPar...

3.1CVSS5.1AI score0.00299EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/07/04 8:15 a.m.34 views

CVE-2026-14621 FederatedAI FATE OSX Broker QueuePushReqStreamObserver.java QueuePushReqStreamObserver.initEggroll wrong session

A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument...

3.1CVSS0.00299EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40426

Capgo console.capgo.app/login before 12.128.2 accepts accesstoken and refreshtoken in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs...

5.4CVSS5.8AI score0.00194EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 5:33 p.m.3 views

GHSA-VVHJ-W2JQ-263Q OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC

Summary Description An insufficient authorization CWE-285 and information exposure CWE-200 issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects...

8.5CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 2026/06/19 1:16 p.m.9 views

EUVD-2026-38023

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade t...

2.1CVSS5.8AI score0.00409EPSS
Exploits0References1
Debian
Debian
added 2026/05/28 5:15 p.m.18 views

[SECURITY] [DLA 4602-1] lemonldap-ng security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-4602-1 [email protected] https://www.debian.org/lts/security/ Abhijith PA May 28, 2026 https://wiki.debian.org/LTS -...

8CVSS5.9AI score0.01185EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/21 5:11 p.m.9 views

CVE-2026-48249 Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.inc.php

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobilelogin.inc.php by setting CURLOPTSSLVERIFYPEER to false and not setting CURLOPTSSLVERIFYHOST when issuing outbound HTTPS requests issued during the mobile RouteMate login flow. An attacker positioned on the...

8.2CVSS5.9AI score0.00173EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 8:32 a.m.14 views

Malicious code in ionic-insta-api-wrapper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44363ea3b97b18ea938430059144fd219a58b93d04149e45da97c60322ff4868 This package presents itself as an Instagram API wrapper but silently forwards caller-supplied Instagram credentials and session data to a hardcoded...

5.5AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/13 9:7 p.m.8 views

CVE-2026-44423

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated fla...

6.5CVSS5.9AI score0.00246EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.12 views

ShellHub 安全漏洞

ShellHub is an open-source remote device access and management platform developed by ShellHub. Versions of ShellHub prior to 0.24.2 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/sessions/:uid request, which returned a complete session object for any...

6.5CVSS5.9AI score0.00246EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/06 7:57 p.m.54 views

CVE-2026-40326 Masa CMS CSRF in site bundle creation allows unauthorized site data export

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in...

7.1CVSS0.00156EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/05 2:50 p.m.8 views

CVE-2026-35192

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

6.5CVSS5.8AI score0.00544EPSS
Exploits0
OSV
OSV
added 2026/05/03 9:55 a.m.6 views

OESA-2026-2135 python-flask security update

Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...

4.3CVSS5.7AI score0.00374EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:22 p.m.3 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:22 p.m.5 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:22 p.m.11 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:22 p.m.3 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/06 3:27 a.m.6 views

EUVD-2025-208337

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...

6.4CVSS6.1AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/03 7:17 p.m.5 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via sandbox-browser-entrypoint.sh. An attacker can gain unauthorized access to VNC observer sessions by connecting to the noVNC service, which is exposed without...

9.1CVSS5.8AI score0.00514EPSS
Exploits0References2
OSV
OSV
added 2026/02/21 6:17 a.m.5 views

UBUNTU-CVE-2026-27205

Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

4.3CVSS5.8AI score0.00374EPSS
Exploits0References5
Rows per page
Query Builder