4096 matches found
Improper Enforcement of Behavioral Workflow
Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the improper handling of recovery codes in app-based multi-factor authentication...
CVE-2026-48505
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...
PT-2026-51391
Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.11.4 Filament versions prior to 5.6.5 Description A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This...
PT-2026-51451
Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description In OpenID multi-user mode, disabling a user only prevents future OpenID logins for that identity. Existing session tokens remain valid because the shared session validation path does not check if the...
CVE-2026-52911
In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn-binding slowpath to bound sessions only When the binding SESSIONSETUP sets conn-binding = true, the flag stays set after the call so that the global session lookup in ksmbdsessionlookupall can find the session,...
PT-2026-51234
Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.0-beta.1 Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1 Description Stored cross-site scripting occurs when settings names and field option labels are rendered without sanitization, specifically...
Improper Verification of Source of a Communication Channel
Overview Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the window message listeners. An attacker can hijack authenticated editing sessions by sending crafted postMessage events fro...
CVE-2026-9692
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...
CVE-2026-9692
Summary (CVE-2026-9692): Mojolicious::Sessions::Storable in Perl versions up to 0.05 generates insecure session IDs. The default generator seeds a SHA-1 hash with a mix of low-entropy sources: built-in rand, epoch time, heap address of an anonymous hash, and the process ID, making IDs predictable...
EUVD-2026-37926
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the writer field's link and email marks. An attacker can execute arbitrary JavaScript code in the context of the authenticated user's browser session by injecting a malicious link and tricking the user into...
CVE-2026-55198
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...
CVE-2026-55198
Hermes WebUI prior to 0.51.443 contains an authorization bypass in the session export endpoint. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, allowing authenticated users to exfiltrate transcripts from other profiles ...
Malicious code in telegram-lite-grabber (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aad489fe689e441f3237d052bb24702e3178fca26564e662b060c0a8d01fe5f9 Package is named 'telegram-lite-grabber', a name strongly suggestive of a tool intended to harvest Telegram credentials or session data. No concrete...
PT-2026-50376
Name of the Vulnerable Software and Affected Versions HCL iControl affected versions not specified Description HCL iControl is affected by an inadequate session timeout issue. This occurs when a web application fails to automatically terminate user sessions after a period of inactivity, potential...
NPM: n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
NPM: n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions vulnerability discovered by ? in WordPress Npm n8n versions 2.25.7...
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
Impact When @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Whe...
CVE-2026-10831
A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network...
CVE-2026-10831
CVE-2026-10831 concerns MOXA NPort serial device servers. The issue is improper access control on the command port: the command interface does not properly verify that the sender is tied to a valid data-port session before accepting break signal commands. A remote attacker with network access can...
CVE-2026-10831 Improper Authorization of Break Signal Commands in Devices
A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network...