9 matches found
CVE-2026-31283
CVE-2026-31283 impacts Totara LMS v19.1.5 and earlier, where the forgot password API lacks rate limiting for target email addresses. This enables a potential email bombing attack; the root cause is insufficient request throttling in the forgot password flow. Public details confirm affected prod...
GHSA-HCVW-475W-8G7P Keycloak affected by improper invitation token validation
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...
CVE-2026-1529
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...
Improper Verification of Cryptographic Signature
Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An...
Keycloak Security Vulnerability
Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from the lack of cryptographic signature verification. Attackers could successfully self-register with unauthorized organizations by modifying the organization...
CVE-2026-23478
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update. This vulnerability is fixed in...
EUVD-2026-2413
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update. This vulnerability is fixed in...
CVE-2026-23478 Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update. This vulnerability is fixed in...
Withdrawn Advisory: Lunary improper access control vulnerability
Withdrawn Advisory: This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory. The underlying vulnerability report is still valid, but it doesn't affect...