CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 3 days ago•9 views

EUVD-2026-33581

9.1CVSS5.9AI score0.00035EPSS

Cvelist•added 3 days ago•30 views

CVE-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

0.00035EPSS

CVE•added 3 days ago•9 views

CVE-2026-48726

CVE-2026-48726 describes a bug in Apache Airflow where the logout flow for FabAuthManager and KeycloakAuthManager does not reach revoke_token(), leaving previously issued JWTs valid until expiry. This creates a residual gap after CVE-2025-57735 where cookie-side invalidation was addressed but pro...

6.5CVSS5.9AI score0.00035EPSS

Exploits0References3Affected Software1

Vulnrichment•added 3 days ago•3 views

CVE-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

5.9AI score0.00035EPSS

CNNVD•added 3 days ago•3 views

Apache Airflow code vulnerabilities

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. Versions of Apache Airflow prior to 3.2.2 contained code vulnerabilities. These vulnerabilities stemmed from the authentication...

9.1CVSS5.9AI score0.00035EPSS

CNNVD•added 6 days ago•6 views

SillyTavern 安全漏洞

SillyTavern is a frontend interface for the SillyTavern open-source language model. Versions of SillyTavern prior to 1.18.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of cookie-session for authentication. The password update endpoint only updated the password...

7.5CVSS5.8AI score0.00016EPSS

Exploits1References1

ATTACKERKB•added last week•3 views

CVE-2026-9097

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken function in object/tokenoauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...

5.7AI score0.00054EPSS

CVE•added last week•14 views

CVE-2026-9097

CVE-2026-9097 affects Casdoor

9.8CVSS5.7AI score0.00054EPSS

Cvelist•added last week•25 views

CVE-2026-9097 CVE-2026-9097

0.00054EPSS

EUVD•added 2026/05/28 4:47 a.m.•4 views

EUVD-2026-32720

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

6.8CVSS5.7AI score0.00053EPSS

CNNVD•added 2026/05/28 12:0 a.m.•7 views

Casdoor 安全漏洞

Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained security vulnerabilities. These vulnerabilities stemmed from failing to verify whether the JWT used for token exchange was still...

5.7AI score0.00054EPSS

OSV•added 2026/05/21 8:39 p.m.•3 views

GHSA-F76X-F9VJ-92JV NocoDB: Stale Auth Cache After API Token Deletion

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

2.3CVSS5.7AI score

RedhatCVE•added 2026/05/19 6:27 a.m.•9 views

CVE-2026-8922

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

5.4CVSS5.7AI score0.00011EPSS

ATTACKERKB•added 2026/05/19 6:27 a.m.•4 views

CVE-2026-8922

5.4CVSS5.8AI score0.00011EPSS

CVE•added 2026/05/19 6:27 a.m.•13 views

CVE-2026-8922

Technical details are not publicly available in the provided documents. Monitor for updates from Red Hat and ENISA; no affected versions, exploit information, or mitigations are stated here.

5.4CVSS5.8AI score0.00011EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/19 6:27 a.m.•5 views

CVE-2026-8922 Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services

5.4CVSS5.8AI score0.00011EPSS

RedhatCVE•added 2026/05/15 7:57 p.m.•5 views

CVE-2026-22706

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication...

6.5CVSS5.8AI score0.00059EPSS

Cvelist•added 2026/05/14 6:38 p.m.•27 views

CVE-2026-22706 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

2.1CVSS0.00059EPSS