Lucene search
+L

20 matches found

ptsecurity
ptsecurity
added 2 days ago5 views

PT-2026-60096

Name of the Vulnerable Software and Affected Versions nebula-mesh affected versions not specified Description Operator session tokens are stored in plaintext within the token column of the operator sessions table. These tokens are 32-byte random hex values sent via cookies and remain valid for 24...

7.1CVSS6.1AI score
Exploits0References6
nvd
nvd
added 2026/06/24 1:16 p.m.11 views

CVE-2026-56269

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS0.00093EPSS
Exploits0References2
euvd
euvd
added 2026/06/24 11:53 a.m.8 views

EUVD-2026-38746

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS5.8AI score0.00093EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/24 11:53 a.m.4 views

CVE-2026-56269

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS5.8AI score0.00093EPSS
Exploits0References3
osv
osv
added 2026/06/24 11:53 a.m.4 views

CVE-2026-56269 Flowise - Weak Default Token Hash Secret in JWT Token Encryption

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.2CVSS6.2AI score0.00093EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/06/05 7:14 p.m.10 views

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7CVSS5.3AI score0.00165EPSS
Exploits0References1
snyk
snyk
added 2026/04/17 3:31 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview org.pac4j:pac4j-core is a pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF d...

7.1CVSS5.8AI score0.00165EPSS
Exploits0References2
github
github
added 2026/04/17 3:31 p.m.8 views

PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7CVSS5.6AI score0.00165EPSS
Exploits0References4Affected Software1
nvd
nvd
added 2026/04/17 2:16 p.m.7 views

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7CVSS0.00165EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/04/17 1:18 p.m.5 views

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7CVSS5.6AI score0.00165EPSS
Exploits0References3Affected Software1
vulnrichment
vulnrichment
added 2026/04/17 1:18 p.m.6 views

CVE-2026-40458 Cross-Site Request Forgery in PAC4J

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7CVSS5.6AI score0.00165EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/04/16 12:0 a.m.16 views

PT-2026-51774

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The software uses a weak hardcoded default value 'Secre$t' for the TOKEN HASH SECRET environment variable in the packages/server/src/enterprise/utils/tempTokenUtils.ts file when the variable is not...

5.6CVSS6.2AI score0.00093EPSS
Exploits0References9
github
github
added 2026/04/03 9:59 p.m.17 views

LiteLLM: Authentication bypass via OIDC userinfo cache key collision

Impact When JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. A...

9.4CVSS5.9AI score0.0049EPSS
Exploits1References3Affected Software1
osv
osv
added 2026/04/03 9:59 p.m.7 views

GHSA-JJHC-V7C2-5HH6 LiteLLM: Authentication bypass via OIDC userinfo cache key collision

Impact When JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. A...

9.4CVSS5.9AI score0.0049EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2026/03/16 6:3 p.m.7 views

CVE-2026-28498 Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash...

8.2CVSS5.7AI score0.00226EPSS
Exploits1References3
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-2693

Malicious code in bioql PyPI...

5.3CVSS5.6AI score0.00462EPSS
Exploits0References4
code423n4
code423n4
added 2023/11/13 12:0 a.m.15 views

RandomizerNXT allows randomness re-rolling and also front-running.

Lines of code Vulnerability details Description When a collection uses RandomizerNXT as the randomizer, the process of minting and setting the token hash happens in the same transaction and block, which allows two attacks. First, a user can see the randomness outcome in mempool and front-run his...

6.9AI score
Exploits0
osv
osv
added 2023/10/25 6:32 p.m.35 views

GHSA-86J9-25M2-9W97 Non-constant time webhook token hash comparison in Jenkins Zanata Plugin

Jenkins Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, ther...

3.7CVSS5.5AI score0.00462EPSS
Exploits0References4
github
github
added 2023/10/25 6:32 p.m.21 views

Non-constant time webhook token hash comparison in Jenkins Zanata Plugin

Jenkins Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, ther...

5.3CVSS5.2AI score0.00462EPSS
Exploits0References4Affected Software1
circl
circl
added 2021/03/18 3:32 p.m.8 views

CVE-2021-28417

creationtimestamp| type| source ---|---|--- 2021-03-18 15:32:05+00:00| seen| https://t.me/cibsecurity/25088...

4.8CVSS4.9AI score0.01871EPSS
Exploits4References1
Rows per page
Query Builder