Lucene search
K

87 matches found

NVD
NVD
added 2026/07/07 7:16 p.m.8 views

CVE-2026-55435

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS0.00315EPSS
Exploits0References7
CVE
CVE
added 2026/07/07 5:37 p.m.12 views

CVE-2026-55435

CVE-2026-55435 affects Coder’s AI Bridge proxy endpoints. The vulnerability stems from Server.IsAuthorized not checking whether a suspended account is active, so an unexpired API key issued to a suspended user remains usable until the key is deleted. Impact is limited to already-issued keys; no n...

5.4CVSS6AI score0.00315EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/07/07 5:37 p.m.6 views

CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS6AI score0.00315EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/07 5:37 p.m.37 views

CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS0.00315EPSS
Exploits0References7
OSV
OSV
added 2026/07/07 4:41 p.m.8 views

GO-2026-5925 Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder

Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
NVD
NVD
added 2026/07/06 10:16 p.m.9 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/07/06 9:11 p.m.4 views

GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9
Snyk
Snyk
added 2026/07/06 9:11 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation in the IsAuthorized function. An attacker can maintain unauthorized access to AI Bridge LLM proxy endpoints by using previously issued, unexpired API tokens even after the associate...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:50 p.m.10 views

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

6.4CVSS5.5AI score0.00172EPSS
Exploits0References1
NVD
NVD
added 2026/05/21 10:16 p.m.21 views

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

6.4CVSS0.00172EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.10 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from an oversight in the handling of OAuth 2.0 authorization codes, which bypasses account status checks. This could...

6.4CVSS5.8AI score0.00172EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:17 p.m.5 views

CVE-2026-32717

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References1
NVD
NVD
added 2026/03/16 2:19 p.m.7 views

CVE-2026-32717

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS0.00231EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/13 9:23 p.m.7 views

EUVD-2026-12176

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/13 9:23 p.m.6 views

CVE-2026-32717

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/13 9:23 p.m.24 views

CVE-2026-32717

AnythingLLM prior to 1.11.2 in multi-user mode suffers an access control bypass where suspended users remain authenticated via browser extension API keys. If a user already has a valid brx-... browser extension API key, it continues to work after suspension, allowing access to browser extension e...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/13 9:23 p.m.35 views

CVE-2026-32717 AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS0.00231EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.4 views

PT-2026-25397

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2026/02/13 1:30 a.m.9 views

CVE-2025-68663

Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive operational updates aft...

6.9CVSS5.4AI score0.00237EPSS
Exploits0References1
OSV
OSV
added 2026/02/12 8:51 a.m.11 views

BIT-MOODLE-2025-67848 Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access.

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability LTI Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access...

8.1CVSS5.4AI score0.00373EPSS
Exploits0References4
Rows per page
Query Builder