Lucene search
K

312 matches found

Snyk
Snyk
added 2026/05/07 9:34 p.m.7 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

9.1CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 9:34 p.m.5 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

9.1CVSS5.8AI score
Exploits0References3
NVD
NVD
added 2026/05/07 3:16 p.m.21 views

CVE-2026-41519

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cyclesessionkeys", but DRF API tokens "wlu" prefix stored in "authtokentoken" are not revoked. This issue has been patched in version 5.17.1...

5.4CVSS0.00228EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/07 1:41 p.m.35 views

CVE-2026-41519 Weblate's API Token Not Invalidated on Password Change

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cyclesessionkeys", but DRF API tokens "wlu" prefix stored in "authtokentoken" are not revoked. This issue has been patched in version 5.17.1...

4.2CVSS0.00228EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/07 1:41 p.m.6 views

CVE-2026-41519

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cyclesessionkeys", but DRF API tokens "wlu" prefix stored in "authtokentoken" are not revoked. This issue has been patched in version 5.17.1...

4.2CVSS5.7AI score0.00228EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/05/07 1:41 p.m.19 views

CVE-2026-41519

CVE-2026-41519 affects Weblate prior to 5.17.1, where DRF API tokens with wlu_ prefix stored in authtoken_token are not revoked on password change, while browser sessions are invalidated via cycle_session_keys(). The connected advisory confirms the issue impact and provides remediation: upgrade t...

5.4CVSS5.7AI score0.00228EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/07 4:16 a.m.24 views

CVE-2026-41671

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS0.00323EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 3:0 a.m.8 views

CVE-2026-41671

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/05/07 3:0 a.m.40 views

CVE-2026-41671 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS0.00323EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/07 3:0 a.m.12 views

EUVD-2026-28283

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References2
CVE
CVE
added 2026/05/07 3:0 a.m.9 views

CVE-2026-41671

Admidio prior to version 5.0.9 contains a vulnerability in its OIDC token introspection (/modules/sso/index.php/oidc/introspect) and revocation (/oidc/revoke) endpoints. The introspection endpoint always returns {"active": true} and the revocation endpoint returns {"revoked": true} without authen...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/07 2:57 a.m.9 views

Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change

Summary A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens JWTs remain fully valid after a user changes their password. The JWT validation middleware CheckJWT only verifies token signature, expiry, issuer, and signing algorithm — it does not check...

5.9AI score
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.9 views

Weblate 代码问题漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17.1 had a code-related vulnerability. This vulnerability occurred when users changed their passwords, and the DRF API tokens were not revoked...

5.4CVSS5.8AI score0.00228EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.8 views

Admidio 授权问题漏洞

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Prior to Admidio 5.0.9, there was an authorization vulnerability. This vulnerability stemmed...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.11 views

Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmxx-7p24-h892. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain...

9.8CVSS5.7AI score0.0054EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:49 p.m.7 views

CVE-2026-43585

OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthoriz...

9.2CVSS5.8AI score0.0054EPSS
Exploits1References4
OSV
OSV
added 2026/04/30 5:28 p.m.4 views

GHSA-6J8J-4QP3-36P2 Weblate Doesn't Invalidate API Token on Password Change

Impact When a user changes their password, browser sessions are correctly invalidated via cyclesessionkeys, but DRF API tokens wlu prefix stored in authtokentoken are not revoked. Patches https://github.com/WeblateOrg/weblate/pull/19057 Resources Weblate thanks Sang Yu Jeon for reporting this via...

4.2CVSS5.8AI score0.00228EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/30 5:28 p.m.13 views

Weblate Doesn't Invalidate API Token on Password Change

Impact When a user changes their password, browser sessions are correctly invalidated via cyclesessionkeys, but DRF API tokens wlu prefix stored in authtokentoken are not revoked. Patches https://github.com/WeblateOrg/weblate/pull/19057 Resources Weblate thanks Sang Yu Jeon for reporting this via...

5.4CVSS5.2AI score0.00228EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/30 12:0 a.m.14 views

PT-2026-37127

Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.17.1 Description When a user changes their password, browser sessions are invalidated using the cycle session keys function, but Django REST Framework DRF API tokens with the wlu prefix stored in authtoken token are...

5.4CVSS5.8AI score0.00228EPSS
Exploits0References13
OSV
OSV
added 2026/04/29 9:58 p.m.6 views

GHSA-9XX5-CV6J-X533 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Summary The OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the...

6.8CVSS6AI score0.00323EPSS
Exploits0References4
Rows per page
Query Builder