ConnectWise ScreenConnect < 26.2 Improper Input Validation (CVE-2026-11596)

According to its version, the ConnectWise ScreenConnect remote access software installed on the remote host is prior to 26.2. It is, therefore, affected by an improper input validation vulnerability: - Input validation within the Host Pass creation functionality could allow an authenticated user...

EUVD-2026-37126

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued...

PT-2026-49727

Name of the Vulnerable Software and Affected Versions Perry versions prior to 0.5.1166 Description An issue in the JWT validation process allows remote attackers to bypass token expiration. This occurs because the verify decode helper within the stdlib JWT verification path unconditionally sets...

CVE-2026-11596

Affected software: ScreenConnect™ (before version 26.2). The vulnerability concerns input validation in the Host Pass creation flow, where an authenticated user with Host Pass creation privileges could set a delegated access token expiration longer than the intended maximum. Impact, as described,...

CVE-2026-11596

In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens...

ConnectWise ScreenConnect 安全漏洞

ConnectWise ScreenConnect is a self-hosted remote desktop software application developed by ConnectWise. Versions of ConnectWise ScreenConnect prior to version 26.2 contained a security vulnerability. This vulnerability stemmed from the lack of input validation for the token expiration duration...

Operation on a Resource after Expiration or Release

Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to a logic error in the validation of expiration timestamps for access...

CVE-2026-33463 Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access

Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticate...

EUVD-2026-33011

Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticate...

CVE-2026-33463

Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticate...

CVE-2026-33463

The CVE-2026-33463 issue affects Kibana and is caused by a logic error in validating expiration timestamps, allowing time-bounded public file share tokens to remain usable after expiration and enabling an unauthenticated actor with the token to access content. Affected versions include Kibana 8.x...

GHSA-F9F8-RM49-7JV2 Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Summary Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr. GitHub has introduced a new format for GitHub Actions GITHUBTOKEN values. These tokens are validated in the same way by Composer on GitHu...

RHCOS 4 : OpenShift Container Platform 4.1.16 jenkins (RHSA-2019:2789)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:2789 advisory. - jenkins: stored cross-site scripting in update center web pages SECURITY-1453 CVE-2019-10383 - jenkins: CSRF protection tokens for...

CVE-2026-40585

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a passwordresetat timestamp. However, the token redemption function findUserIDFromEmailAndToken queries only for a matching...

blueprintUE self-hosted edition 安全漏洞

The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the password reset token generation process, where th...

CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

EUVD-2026-23882

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows...

CVE-2026-33417

Wallos is an open-source self-hosted personal subscription tracker. Multiple sources confirm a vulnerability in versions prior to 4.7.2 where password reset tokens never expire because the token validation logic does not check the token’s created_at timestamp in the password_resets table. The con...

CVE-2026-21622

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Accounts.PasswordReset' module allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset...