Lucene search
K

3269 matches found

Nuclei
Nuclei
added 14 hours ago82 views

DataEase v2.10.2 - JWT Signature Verification Bypass

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The...

9.3CVSS6.1AI score0.01223EPSS
Exploits1References1
CVE
CVE
added yesterday11 views

CVE-2026-61428

PraisonAI AgentMail is affected by CVE-2026-61428 in versions before 4.6.78, where webhook messages lack signature verification. This enables unauthenticated attackers to POST crafted message.received events to the webhook endpoint, injecting arbitrary content into the agent and triggering replie...

7.3CVSS6.2AI score
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 3 days ago4 views

Security Bulletin: Due to use of Golang Go, multiple vulnerabilities affect IBM Cloud Pak System

Summary Due to use of Golang Go multiple vulnerabilities affect IBM Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities. Vulnerability Details CVEID:CVE-2026-39827 DESCRIPTION: An authenticated SSH client that repeatedly opened channels which were rejected by the server...

9.1CVSS6.7AI score0.00533EPSS
Exploits0Affected Software2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-42560

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspaysuccesshandler function registers the REST endpoint POST /wp-json/corvuspay/success/ with...

5.3CVSS6.2AI score0.00222EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 3 days ago5 views

CVE-2026-9027

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspaysuccesshandler function registers the REST endpoint POST /wp-json/corvuspay/success/ with...

5.3CVSS6.2AI score0.00222EPSS
Exploits0References9
CVE
CVE
added 3 days ago10 views

CVE-2026-9027

Summary of the CVE-2026-9027 issue : The CorvusPay WooCommerce Gateway for WordPress (versions up to 2.7.4) is vulnerable to a payment bypass via improper verification of the cryptographic signature. The REST endpoint POST /wp-json/corvuspay/success/ is registered with a permissive permission cal...

5.3CVSS6.2AI score0.00222EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 3 days ago7 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters

A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...

7.5CVSS7AI score0.00415EPSS
Exploits0References9
NVD
NVD
added 4 days ago6 views

CVE-2026-54773

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security signature verification performs a document-wide ds:Signature lookup, allowing an unauthenticated remote attacker to place a SOAP header before wsse:Security an...

5.9CVSS0.00238EPSS
Exploits0References6
CVE
CVE
added 4 days ago17 views

CVE-2026-54774

CoreWCF (CoreWCF.Primitives and related components) is affected by CVE-2026-54774 where SamlSerializer may skip final SignatureValue verification when validating SAML tokens signed with a non-X.509 issuer token. The vulnerability arises when an out-of-band token resolver provides a non-X.509 Secu...

7.4CVSS5.9AI score0.0015EPSS
Exploits0References6
CVE
CVE
added 4 days ago19 views

CVE-2026-54783

CoreWCF (Net Core port of WCF) has an XML Signature Wrapping vulnerability in WS-Security endorsing/signature verification prior to v1.8.1 and v1.9.1, where the ds:Signature may not cover the expected Security header target. An attacker who captures a signed SOAP envelope can replay arbitrary ser...

7.4CVSS6AI score0.00143EPSS
Exploits0References6
NVD
NVD
added 4 days ago8 views

CVE-2026-56360

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...

6.3CVSS0.00186EPSS
Exploits0References2
CVE
CVE
added 4 days ago8 views

CVE-2026-56360

n8n is affected in versions prior to 1.123.18 and 2.6.2 where the ZendeskTrigger node fails to verify HMAC-SHA256 signatures on Zendesk webhooks. This allows attackers who know the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary data. No remediation det...

6.3CVSS6.1AI score0.00186EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-56360 n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...

6.3CVSS0.00186EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-57246

When dealing with abnormally constructed objects, there is a lack of argument validation; JavaScript triggers signature verification, but the signature plugin does not perform validation when copying the abnormal string, causing the application to crash...

7.8CVSS6AI score0.00116EPSS
Exploits0References2Affected Software2
OSV
OSV
added 5 days ago6 views

PYSEC-2026-1200 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

7.5CVSS6AI score0.00244EPSS
Exploits1References7
OSV
OSV
added 6 days ago3 views

BIT-MASTODON-2026-50128 Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS6AI score0.00129EPSS
Exploits0References3
NVD
NVD
added 2026/07/02 7:16 p.m.9 views

CVE-2026-13743

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication...

5.2CVSS0.00116EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/02 6:35 p.m.7 views

EUVD-2026-41419

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication...

5.2CVSS5.9AI score0.00116EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 6:35 p.m.8 views

CVE-2026-13743

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication...

5.2CVSS5.9AI score0.00116EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 11:16 a.m.11 views

CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbaseurl without URL encoding or path sanitization, and the HTT...

5.1CVSS0.00121EPSS
Exploits0References3
Rows per page
Query Builder