Lucene search
+L

92 matches found

CVE
CVE
added 2 days ago9 views

CVE-2026-47086

CYRUS IMAPD has a vulnerability CVE-2026-47086 affecting Cyrus IMAP up to version 3.12.2. The GENURLAUTH feature allows issuance of URLAUTH tokens by any authenticated user for named mailboxes, bypassing ACLs and enabling reading mail from those mailboxes without granted permissions. The issue is...

3.5CVSS6.1AI score0.00169EPSS
Exploits0References2
NVD
NVD
added 3 days ago4 views

CVE-2026-53512

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refreshtoken grant authenticates only possession of the bound refreshToken row and matching clientid, without verifying the...

9.1CVSS0.00303EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 3 days ago5 views

CVE-2026-53512

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refreshtoken grant authenticates only possession of the bound refreshToken row and matching clientid, without verifying the...

9.1CVSS6.1AI score0.00303EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/07/07 8:11 p.m.5 views

Incorrect Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Incorrect Authorization in the refreshtoken grant process of the legacy oidcProvider and mcp plugins, where confidential clients are not required to...

9.1CVSS6.1AI score0.00303EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.14 views

PT-2026-53747

Name of the Vulnerable Software and Affected Versions Strapi users-permissions plugin affected versions not specified Description The users-permissions plugin fails to restrict JSON Web Token JWT algorithms when the plugin::users-permissions.jwt.algorithm configuration is not explicitly set. This...

6.3CVSS5.8AI score0.00147EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/24 9:4 p.m.10 views

CVE-2026-49277

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS5.9AI score0.00215EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/23 8:3 p.m.2 views

CVE-2026-53928 NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForg...

6.3CVSS6AI score0.00242EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.10 views

CVE-2026-45041

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...

8.7CVSS5.9AI score0.00239EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 7:16 p.m.15 views

CVE-2026-45041

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...

8.7CVSS0.00239EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/25 8:40 a.m.20 views

CVE-2026-33381

A flaw was found in Grafana. When a user's access to mint tokens for a service account is revoked, the system may temporarily allow the user to continue minting tokens for a few seconds. This could lead to a temporary bypass of access control, potentially enabling unauthorized actions if the toke...

8.1CVSS5.6AI score0.00245EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-33381

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will...

8.1CVSS5.4AI score0.00245EPSS
Exploits0References3
OSV
OSV
added 2026/05/20 2:28 a.m.9 views

MAL-2026-4394 Malicious code in @ikyyofc/gemini-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6 @ikyyofc/[email protected] ships two heavily obfuscated modules src/gemini.js and src/utils/proxy.js wrapped in an obfuscator.io-style string-array +...

5.8AI score
Exploits0References17
OSV
OSV
added 2026/05/15 8:42 a.m.5 views

BIT-GRAFANA-2026-33381 Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/05/15 1:59 a.m.14 views

SUSE CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.8AI score0.00245EPSS
Exploits0References6
OSV
OSV
added 2026/05/13 9:32 p.m.5 views

GHSA-WFHV-MJ62-F5XH Grafana: Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.2AI score0.00245EPSS
Exploits0References4
NVD
NVD
added 2026/05/13 8:16 p.m.12 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS0.00245EPSS
Exploits0References1
OSV
OSV
added 2026/05/13 8:16 p.m.17 views

UBUNTU-CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/13 7:28 p.m.7 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.8AI score0.00245EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/13 7:28 p.m.2 views

CVE-2026-33381 Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS6.3AI score0.00245EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/28 6:10 p.m.5 views

CVE-2026-42422

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS5.2AI score0.00282EPSS
Exploits0References4
Rows per page
Query Builder