CVE-2026-45675
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (time-of-check-to-time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line...
Improper Authentication
allauth-django is vulnerable to improper authentication. The vulnerability is due to the use of the mutable preferredusername attribute as the identifier for third-party provider accounts, which allows an attacker to change this value and potentially impersonate or gain unauthorized access to...
FreeBSD : py-social-auth-app-django -- Unsafe account association (3116b6f3-b433-11f0-82ac-901b0edee044)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 3116b6f3-b433-11f0-82ac-901b0edee044 advisory. Michal Čihař reports: Upon authentication, the user could be associated by e-mail even if the...
UBUNTU-CVE-2025-61783
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associatebyemail pipeline was not included. This could lead to account compromise when a third-party authentication service doe...
py-social-auth-app-django -- Unsafe account association
Michal Čihař reports: Upon authentication, the user could be associated by e-mail even if the associatebyemail pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail...
EUVD-2006-4750
Malware in sbrugna...
CVE-2011-1319
The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote authenticated users to cause a denial of service (memory consumption) by using a Lightweight Third-Party Authentication (LTPA) token for authentication...
Authentication Credential Reuse
parse-server is vulnerable to Authentication Credential Reuse. The vulnerability is due to improper isolation of authentication credentials, allowing them to be shared across multiple Parse Server apps using the same third-party authentication provider...
parse-server authorization issue vulnerability
parse-server is a Node.js/Express parse server open-sourced by Parse Platform. An authorization issue vulnerability exists in parse-server versions prior to 7.5.2 and prior to 8.0.2, which stems from mishandling of third-party authentication and could result in authentication credentials being...
CVE-2024-48953
An issue was discovered in Logpoint before 7.5.0. Endpoints for creating, editing, or deleting third-party authentication modules lacked proper authorization checks. This allowed unauthenticated users to register their own authentication plugins in Logpoint, resulting in unauthorized access...
PT-2024-33295 · Logpoint · Logpoint
Name of the Vulnerable Software and Affected Versions: Logpoint versions prior to 7.5.0 Description: An issue was discovered in Logpoint where endpoints for creating, editing, or deleting third-party authentication modules lacked proper authorization checks. This allowed unauthenticated users to...
GHSA-2M5G-8XPW-42VP OpenCFP Framework (Sentry) Account takeover via null password reset codes
OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stor...
SAML authorization issue vulnerability
SAML is a library by individual developer Ross Kinder that contains a partial implementation of the SAML standard in Go. That is, it allows third parties to authenticate your users, or allows third parties to rely on you to authenticate their users. There is an authorization issue...
Apple's New Feature Will Install Security Updates Automatically Without Full OS Update
Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that's designed to deploy security fixes without the need for a full operating system version update. "macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid...
GHSA-VPQ9-C67Q-23FQ Fastly Magento2 sensitive information disclosure
The Fastly CDN module before 1.2.26 for Magento2, when used with a third-party authentication plugin, might allow remote authenticated users to obtain sensitive information from authenticated sessions via vectors involving caching of redirect responses...
Virtuozzo Hybrid Infrastructure 5.0 Update 1 (5.0.1-42)
This update provides support for more guest operating systems, as well as bug fixes and improvements. Vulnerability id: VSTOR-50067 Fixed the false-positive alert "Swap space is used." Vulnerability id: VSTOR-51196 Fixed the false-positive alert "Disk may run out of space" that appears for a cach...
Multiple Qualcomm products information disclosure vulnerability
A Qualcomm chip is a chip from Qualcomm Incorporated (USA). A chip is a way of miniaturizing circuits (mainly semiconductor devices, but also passive components, etc.), and chips are often manufactured on the surface of semiconductor wafers. The Qualcomm chip suffers from an information disclosure vulnerability that...
FormaLMS 2.4.4 - Authentication Bypass Exploit
Exploit Title: FormaLMS 2.4.4 - Authentication Bypass Google Dork: inurl:index.php?r=adm/ Exploit Author: Cristian 'void' Giustini @ Hacktive Security Vendor Homepage: https://formalms.org Software Link: https://formalms.org Version: = 2.4.4 Tested on: Linux CVE : CVE-2021-43136 Info: An...
Sensitive data exposure in NATS
Overview Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The connection configuration options in these JavaScript-based implementatio...
No-Cms 1.0 - order_by SQL Injection
No-Cms 1.0 - orderby SQL Injection Exploit Title: No-Cms 1.0 - 'orderby' SQL Injection Date: 2018-11-28 Exploit Author: Loading Kura Kura Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master Tested on: Win10/Kali Lin...