Lucene search
+L

860 matches found

Nuclei
Nuclei
added 8 hours ago33 views

ownCloud Guests - User Enumeration

ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerability caused by insufficient validation of the token in showPasswordForm at /apps/guests/register/email/token, letting unauthenticated attackers enumerate valid guest users, exploit requires no authentication. id:...

5.3CVSS5.2AI score0.00908EPSS
Exploits1References3
OSV
OSV
added 3 days ago4 views

GHSA-22XC-XG2R-9J7V Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode

Impact When Envoy Gateway runs in GatewayNamespaceMode provider.kubernetes.deploy.type=GatewayNamespace, the xDS gRPC server is configured with a StreamInterceptor for JWT authentication but no UnaryInterceptor. The go-control-plane xDS server exposes both streaming and unary Fetch RPC methods fo...

7.4CVSS6.1AI score0.00027EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago39 views

CVE-2026-46513 Frogman: API tokens stored in plaintext

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hexrandombytes32 strings in ocapitokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stor...

7.4CVSS0.00261EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-26718

A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive...

9.1CVSS0.00224EPSS
Exploits1References2
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-46684 DataEase: Unauthorized Command Execution Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilterdoFilter pass X-DE-TOKEN values to TokenUtils.validate, which checks only token presence and length before userBOByTokentoken uses JWT.decode without signature...

9.5CVSS0.00193EPSS
Exploits0References3
CVE
CVE
added 4 days ago15 views

CVE-2026-46684

CVE-2026-46684 (DataEase) : Open-source data visualization tool DataEase prior to 2.10.23 is affected by an unauthorized command execution vulnerability. The issue stems from enterprise token handling where TokenFilter#doFilter() may pass X-DE-TOKEN values to TokenUtils.validate(), which only che...

9.5CVSS6.1AI score0.00193EPSS
Exploits0References3
NVD
NVD
added 4 days ago5 views

CVE-2026-45793

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS0.00519EPSS
Exploits0References9
AlpineLinux
AlpineLinux
added 4 days ago18 views

CVE-2026-45793

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6.1AI score0.00519EPSS
Exploits0
OSV
OSV
added 4 days ago5 views

CVE-2026-45793 Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References11
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-45793 Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS0.00519EPSS
Exploits0References9
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-44723

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6AI score0.00519EPSS
Exploits0References9
CVE
CVE
added 4 days ago73 views

CVE-2026-45793

CVE-2026-45793 affects Composer (PHP dependency manager). Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validated GitHub tokens with ^[.A-Za-z0-9_]+$ and interpolated rejected tokens into an UnexpectedValueException. GitHub Actions GITHUB_TOKEN values formatted as g...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References9
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-26718

A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive...

0.00224EPSS
Exploits1References2
CVE
CVE
added 4 days ago5 views

CVE-2026-26718

CVE-2026-26718 – xxl-job-admin 3.0.0 CSRF flaw . A Cross-Site Request Forgery exists in the xxl-job-admin web application (v3.0.0) that enables an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitra...

9.1CVSS6.2AI score0.00224EPSS
Exploits1References2
Cvelist
Cvelist
added 5 days ago25 views

CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauthapple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback idtoken against Apple's JWKS but does not validate any registered...

9.1CVSS0.00411EPSS
Exploits0References4
CVE
CVE
added 5 days ago6 views

CVE-2026-58476

Sustainable Irrigation Platform (SIP) 5.2.16 is affected by a CSRF vulnerability that allows a remote attacker to trigger state-changing administrative actions by enticing a logged-in administrator to visit a malicious page. The issue arises because HTTP GET requests lack CSRF token validation or...

8.1CVSS6.1AI score0.00228EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-56877

The SCORM lab launch endpoint in Skillable scorm.skillable.com through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consum...

6.3CVSS0.0041EPSS
Exploits1References2
NVD
NVD
added 2026/07/10 6:16 p.m.12 views

CVE-2026-56665

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session....

4.2CVSS0.00167EPSS
Exploits0References5
NVD
NVD
added 2026/07/10 6:16 p.m.9 views

CVE-2026-56668

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's...

8.1CVSS0.00231EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/10 5:22 p.m.8 views

EUVD-2026-42963

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session....

4.2CVSS6.1AI score0.00167EPSS
Exploits0References5
Rows per page
Query Builder