Lucene search
K

289 matches found

Patchstack
Patchstack
added 2026/04/16 9:5 a.m.8 views

WordPress Barcode Scanner (+Mobile App) plugin <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication vulnerability

Unauthenticated Privilege Escalation via Insecure Token Authentication vulnerability discovered by 0xd4rk5id3 - EnvoraSec in WordPress Plugin Barcode Scanner with Inventory & Order Manager versions = 1.11.0...

9.8CVSS5.8AI score0.00503EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/04/16 12:16 a.m.7 views

CVE-2026-4880

The Barcode Scanner +Mobile App – Inventory manager, Order fulfillment system, POS Point of Sale plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied...

9.8CVSS0.00503EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/16 12:0 a.m.10 views

WordPress plugin Barcode Scanner 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

9.8CVSS5.8AI score0.00503EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/15 11:25 p.m.38 views

CVE-2026-4880 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication

The Barcode Scanner +Mobile App – Inventory manager, Order fulfillment system, POS Point of Sale plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied...

9.8CVSS0.00503EPSS
Exploits0References3
CVE
CVE
added 2026/04/15 11:25 p.m.10 views

CVE-2026-4880

The CVE concerns the WordPress plugin Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS, affected up to version 1.11.0. The root cause is insecure token-based authentication where the plugin trusts a user-supplied Base64-encoded user ID in the token parameter to ide...

9.8CVSS5.8AI score0.00503EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/15 11:25 p.m.11 views

CVE-2026-4880

The Barcode Scanner +Mobile App – Inventory manager, Order fulfillment system, POS Point of Sale plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied...

9.8CVSS5.8AI score0.00503EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/15 7:19 p.m.9 views

Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Affected Components - DSF FHIR Server with enabled bearer-token authentication or back-channel logout. - DSF BPE Server with enabled bearer-token authentication or back-channel logout. - DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication. Summa...

6.3CVSS5.8AI score0.00291EPSS
Exploits0References5Affected Software2
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.6 views

PT-2026-33185

The Barcode Scanner +Mobile App – Inventory manager, Order fulfillment system, POS Point of Sale plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied...

9.8CVSS5.8AI score0.00503EPSS
Exploits0References4
PyPA
PyPA
added 2026/04/13 3:17 p.m.15 views

PYSEC-2026-8

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though...

7.5CVSS5.8AI score0.00439EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.5 views

PT-2026-32366

Name of the Vulnerable Software and Affected Versions Airflow versions prior to 3.2.0 Description Lack of clarity regarding the responsibilities of the Deployment Manager in ensuring secure deployments. Certain assumptions about the security model, workload isolation, and JWT authentication were...

7.5CVSS5.7AI score0.00439EPSS
Exploits0References11
GithubExploit
GithubExploit
added 2026/04/12 5:15 a.m.147 views

Exploit for Path Traversal in Gogs

CVE-2025-8110-Authenticated-Remote-Code-Execution-on-Gogs-v0.1...

8.8CVSS6.4AI score0.7654EPSS
Exploits15
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.5 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from improper access control in the HTTP /sessions/:sessionKey/kill route. As a result, any user with a toke...

8.1CVSS5.8AI score0.00346EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/03 10:54 p.m.15 views

CVE-2026-34953 PraisonAI: Authentication Bypass in OAuthManager.validate_token()

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validatetoken returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access t...

9.1CVSS0.00375EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/04/03 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-34531

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to...

8.2CVSS6AI score0.00324EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/04/02 11:26 p.m.7 views

SUSE CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS5.7AI score0.00324EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/01 11:9 p.m.8 views

Parser Server's streaming file download bypasses afterFind file trigger authorization

Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...

8.2CVSS5.9AI score0.00378EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/04/01 9:17 p.m.4 views

UBUNTU-CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS5.7AI score0.00324EPSS
Exploits0References5
CVE
CVE
added 2026/04/01 8:44 p.m.25 views

CVE-2026-34531

CVE-2026-34531 affects Flask-HTTPAuth (Python package) and concerns the token verification callback receiving an empty string when a request targets a token-protected resource without a token or with an empty token. This could allow authentication against any user whose token is an empty string. ...

8.2CVSS5.8AI score0.00324EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2026/04/01 8:44 p.m.6 views

CVE-2026-34531

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token...

8.2CVSS5.6AI score0.00324EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/03/31 11:48 p.m.9 views

Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

Summary In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any...

8.2CVSS5.9AI score0.00324EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder