Lucene search
K

4096 matches found

snyk
snyk
added 2026/06/22 11:18 p.m.5 views

Improper Enforcement of Behavioral Workflow

Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the improper handling of recovery codes in app-based multi-factor authentication...

9.1CVSS5.9AI score0.00193EPSS
Exploits0References2
nvd
nvd
added 2026/06/22 10:16 p.m.12 views

CVE-2026-48505

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...

7.4CVSS0.00193EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/22 12:0 a.m.14 views

PT-2026-51391

Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.11.4 Filament versions prior to 5.6.5 Description A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This...

7.4CVSS5.9AI score0.00193EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/22 12:0 a.m.19 views

PT-2026-51451

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description In OpenID multi-user mode, disabling a user only prevents future OpenID logins for that identity. Existing session tokens remain valid because the shared session validation path does not check if the...

8.3CVSS6AI score0.00441EPSS
Exploits0References11
debiancve
debiancve
added 2026/06/21 6:18 a.m.6 views

CVE-2026-52911

In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn-binding slowpath to bound sessions only When the binding SESSIONSETUP sets conn-binding = true, the flag stays set after the call so that the global session lookup in ksmbdsessionlookupall can find the session,...

8.8CVSS5.7AI score0.00362EPSS
Exploits0
ptsecurity
ptsecurity
added 2026/06/21 12:0 a.m.15 views

PT-2026-51234

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.0-beta.1 Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1 Description Stored cross-site scripting occurs when settings names and field option labels are rendered without sanitization, specifically...

4.8CVSS5.9AI score0.00183EPSS
Exploits0References9
snyk
snyk
added 2026/06/19 9:15 p.m.5 views

Improper Verification of Source of a Communication Channel

Overview Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the window message listeners. An attacker can hijack authenticated editing sessions by sending crafted postMessage events fro...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References3
nvd
nvd
added 2026/06/18 7:16 p.m.12 views

CVE-2026-9692

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

5.3CVSS0.00274EPSS
Exploits0References4
cve
cve
added 2026/06/18 5:53 p.m.19 views

CVE-2026-9692

Summary (CVE-2026-9692): Mojolicious::Sessions::Storable in Perl versions up to 0.05 generates insecure session IDs. The default generator seeds a SHA-1 hash with a mix of low-entropy sources: built-in rand, epoch time, heap address of an anonymous hash, and the process ID, making IDs predictable...

5.3CVSS5.3AI score0.00274EPSS
Exploits0References4
euvd
euvd
added 2026/06/18 5:53 p.m.11 views

EUVD-2026-37926

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

7.3CVSS5.2AI score0.00329EPSS
Exploits0References4
snyk
snyk
added 2026/06/18 3:4 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the writer field's link and email marks. An attacker can execute arbitrary JavaScript code in the context of the authenticated user's browser session by injecting a malicious link and tricking the user into...

7.4CVSS5.9AI score0.00289EPSS
Exploits0References2
nvd
nvd
added 2026/06/17 7:18 p.m.15 views

CVE-2026-55198

Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...

7.1CVSS0.00272EPSS
Exploits0References5
cve
cve
added 2026/06/17 5:59 p.m.20 views

CVE-2026-55198

Hermes WebUI prior to 0.51.443 contains an authorization bypass in the session export endpoint. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, allowing authenticated users to exfiltrate transcripts from other profiles ...

7.1CVSS5.3AI score0.00272EPSS
Exploits0References5
ossf
ossf
added 2026/06/17 7:9 a.m.12 views

Malicious code in telegram-lite-grabber (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aad489fe689e441f3237d052bb24702e3178fca26564e662b060c0a8d01fe5f9 Package is named 'telegram-lite-grabber', a name strongly suggestive of a tool intended to harvest Telegram credentials or session data. No concrete...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/17 12:0 a.m.18 views

PT-2026-50376

Name of the Vulnerable Software and Affected Versions HCL iControl affected versions not specified Description HCL iControl is affected by an inadequate session timeout issue. This occurs when a web application fails to automatically terminate user sessions after a period of inactivity, potential...

5.3CVSS5.8AI score0.00204EPSS
Exploits0References4
patchstack
patchstack
added 2026/06/16 11:32 p.m.5 views

NPM: n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions

NPM: n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions vulnerability discovered by ? in WordPress Npm n8n versions 2.25.7...

10CVSS5.8AI score0.00403EPSS
Exploits0References2Affected Software1
github
github
added 2026/06/16 11:32 p.m.15 views

n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions

Impact When @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Whe...

10CVSS5.4AI score0.00403EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/06/16 3:16 p.m.13 views

CVE-2026-10831

A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network...

6.9CVSS0.00292EPSS
Exploits0References1
cve
cve
added 2026/06/16 1:46 p.m.12 views

CVE-2026-10831

CVE-2026-10831 concerns MOXA NPort serial device servers. The issue is improper access control on the command port: the command interface does not properly verify that the sender is tied to a valid data-port session before accepting break signal commands. A remote attacker with network access can...

6.9CVSS5.4AI score0.00292EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/16 1:46 p.m.28 views

CVE-2026-10831 Improper Authorization of Break Signal Commands in Devices

A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network...

6.9CVSS0.00292EPSS
Exploits0References1
Rows per page
Query Builder