Lucene search
K

299 matches found

CVE
CVE
added yesterday10 views

CVE-2026-55435

CVE-2026-55435 affects Coder’s AI Bridge proxy endpoints. The vulnerability stems from Server.IsAuthorized not checking whether a suspended account is active, so an unexpired API key issued to a suspended user remains usable until the key is deleted. Impact is limited to already-issued keys; no n...

5.4CVSS6AI score
Exploits0References7
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-55435

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret...

5.4CVSS6AI score
Exploits0References8Affected Software1
NVD
NVD
added 2 days ago5 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2 days ago25 views

CVE-2026-43918

FOSSBilling before 0.8.0 does not invalidate existing sessions for suspended or inactive accounts. The session identity loaders (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists; they do not check that the account’s status remains active. Thi...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References2
OSV
OSV
added 2 days ago4 views

GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score
Exploits0References9
Github Security Blog
Github Security Blog
added 2 days ago5 views

Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score
Exploits0References9Affected Software1
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56079

Name of the Vulnerable Software and Affected Versions Coder versions 2.30.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1 Description AI Bridge proxy endpoints authenticate via the Server.IsAuthorized function in coderd/aibridgedserver. This process...

5.4CVSS5.9AI score
Exploits0References9
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.2 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: dm: fixed dmblkreportzones If dmgetlivetable returned NULL, dmputlivetable was never called. It is also possible that md-zonerevalidatemap might change during the execution of this function. This value should only be read once, s...

7.8CVSS6.5AI score0.00159EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/06/10 2:25 a.m.10 views

SUSE CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.4AI score0.0012EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/09 4:51 p.m.10 views

CVE-2026-46327

A flaw was found in the Linux kernel's device mapper dm component. The dmblkreportzones function performs a check for the device's suspended state without proper locking. This allows the device to enter a suspended state immediately after the check, leading to an inconsistent state. This...

7.8CVSS5.4AI score0.0012EPSS
Exploits0References4
NVD
NVD
added 2026/06/09 2:16 p.m.17 views

CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS0.0012EPSS
Exploits0References4
OSV
OSV
added 2026/06/09 2:16 p.m.9 views

UBUNTU-CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.2AI score0.0012EPSS
Exploits0References3
CVE
CVE
added 2026/06/09 12:25 p.m.24 views

CVE-2026-46327

In the Linux kernel dm subsystem, the vulnerability centers on dm_blk_report_zones checking for suspended state without holding locks, allowing a race where the device may be suspended immediately after the check. The fix moves the dm_suspended_md check to occur after dm_get_live_table, ensuring ...

7.8CVSS5.4AI score0.0012EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/06/09 12:25 p.m.10 views

CVE-2026-46327

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

7.8CVSS5.3AI score0.0012EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.17 views

PT-2026-47785

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A race condition exists in the Device Mapper component where the dm blk report zones function checks if a device is suspended using the dm suspended md call without holding the necessary...

7.8CVSS5.8AI score0.0012EPSS
Exploits0References14
Tenable Nessus
Tenable Nessus
added 2026/06/09 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-46327

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the dmsuspendedmd call. However, this function is...

7.8CVSS7AI score0.0012EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:50 p.m.10 views

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

6.4CVSS5.5AI score0.00172EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/22 12:31 a.m.13 views

EUVD-2026-31364

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

2.3CVSS5.8AI score0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/05/21 10:16 p.m.19 views

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

6.4CVSS0.00172EPSS
Exploits0References1
Rows per page
Query Builder