Lucene search
K

26 matches found

Cvelist
Cvelist
added 2026/06/24 1:20 p.m.32 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

0.00108EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 5:27 a.m.9 views

Malicious code in heims (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33e7dda6f116113ebe2bd1ae1ec5238d66f8ada8a87e69a90e49aac1f4eb3f57 The package's WechatUtil.gettoken in src/heims/utils/wechat/wechatutil.py hardcodes a POST to https://token.zhangjianpeng.cn/ with md5appid and...

5.8AI score
Exploits0References1
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.12 views

nextjs-auth0 安全漏洞

nextjs-auth0 is an open-source Next.js SDK developed by Auth0, used for authentication with Auth0. Versions 4.12.0 to 4.17.1 of nextjs-auth0 contain security vulnerabilities. These vulnerabilities stem from requests that trigger random number retries, which may lead to improper handling of token...

5.4CVSS5.8AI score0.00214EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/26 7:12 a.m.33 views

CVE-2026-4874 Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS0.00295EPSS
Exploits0References6
OSV
OSV
added 2026/03/20 5:25 p.m.3 views

GHSA-VQ4Q-79HH-Q767 Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...

8.1CVSS5.8AI score0.00363EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/03/16 12:0 a.m.8 views

FastMCP 安全漏洞

FastMCP is a MCP server-building software developed by Jeremiah Lowin. Versions of FastMCP prior to 2.14.2 contained security vulnerabilities. These vulnerabilities stemmed from servers failing to properly handle resource parameters submitted by clients during authorization and token requests. As...

7.4CVSS5.8AI score0.00358EPSS
Exploits1References1
OSV
OSV
added 2026/02/09 10:42 p.m.3 views

CVE-2026-25958 Cube privilege escalation via a specially crafted request

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...

7.7CVSS5.5AI score0.00352EPSS
Exploits0References3
OSV
OSV
added 2025/10/23 3:30 p.m.9 views

GHSA-895X-RFQP-JH5C Keycloak does not invalidate offline sessions when the offline_access scope is removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS5.8AI score0.00272EPSS
Exploits0References11
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2013-0279

Malware in sbrugna...

5CVSS6AI score0.03243EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2025/08/21 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2018-20170

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST...

5.3CVSS5.7AI score0.0111EPSS
Exploits1References2
OSV
OSV
added 2025/05/08 2:15 p.m.6 views

CVE-2025-47730

The TeleMessage archiving backend through 2025-05-05 accepts API calls to request an authentication token from the TM SGNL aka Archive Signal app with the credentials of logfile for the user and enRR8UVVywXYbFkqUQDPRkO for the password...

7.5CVSS5.8AI score0.00337EPSS
Exploits0References4
NVD
NVD
added 2025/02/18 6:15 p.m.19 views

CVE-2025-26620

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

6.3CVSS0.00362EPSS
Exploits0References2
OSV
OSV
added 2024/05/15 12:42 a.m.3 views

CVE-2024-3744 Kubernetes azure-file-csi-driver in versions before 1.29.4 and 1.30.1 discloses service account tokens in logs

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged whe...

6.5CVSS6.6AI score0.00269EPSS
Exploits0References5
Kubernetes Security Advisories
Kubernetes Security Advisories
added 2024/05/08 4:2 p.m.13 views

azure-file-csi-driver discloses service account tokens in logs

CVSS Rating: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - MEDIUM 6.5 A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to...

6.5CVSS6.4AI score0.00269EPSS
Exploits0
Kubernetes Security Advisories
Kubernetes Security Advisories
added 2023/06/02 7:3 p.m.7 views

secrets-store-csi-driver discloses service account tokens in logs

A security issue was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged...

6.5CVSS6.2AI score0.00372EPSS
Exploits1Affected Software1
Positive Technologies
Positive Technologies
added 2023/05/25 12:0 a.m.2 views

PT-2023-3262 · Kubernetes · Secrets-Store-Csi-Driver

Name of the Vulnerable Software and Affected Versions: secrets-store-csi-driver versions prior to 1.3.3 Description: The issue is related to insufficient protection of registration data in the secrets-store-csi-driver component of Kubernetes. This can allow an attacker to gain unauthorized access...

6.5CVSS6.7AI score0.00372EPSS
Exploits1References17
Veracode
Veracode
added 2022/12/22 2:33 a.m.30 views

Information Disclosure

github.com/Azure/aad-pod-identity is vulnerable to information disclosure. The vulnerability exists because server.go does not properly handle invalid token requests, allowing an attacker to bypass the NMI validation and send the token to IMDS in the cluster through the token request made with...

5.3CVSS5.2AI score0.00709EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2022/12/21 12:0 a.m.2 views

PT-2022-7109 · Microsoft · Aad Pod Identity

Name of the Vulnerable Software and Affected Versions: AAD Pod Identity versions prior to 1.8.13 Description: The issue is related to the NMI component in AAD Pod Identity, which intercepts and validates token requests based on regex. A token request made with a backslash in the request, for...

5.5CVSS6.8AI score0.00709EPSS
Exploits0References10
GitLab Advisory Database
GitLab Advisory Database
added 2022/12/21 12:0 a.m.50 views

Improper Restriction of Security Token Assignment

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request...

5.3CVSS2.9AI score0.00709EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2019/01/15 8:56 a.m.26 views

Denial Of Service (DoS)

openstack-keystone is vulnerable to denial of service DoS attacks. The vulnerability exists as OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service disk consumption via many invalid token...

5CVSS5.8AI score0.03243EPSS
Exploits0References10Affected Software1
Rows per page
Query Builder