Lucene search
K

79070 matches found

CVE
CVE
added 5 days ago22 views

CVE-2026-50160

Hoppscotch self-hosted deployments (Hoppscotch-backend

10CVSS6.1AI score0.0059EPSS
Exploits1References3Affected Software1
RedHat Linux
RedHat Linux
added 5 days ago4 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.8AI score0.00394EPSS
Exploits1References5
NVD
NVD
added 5 days ago7 views

CVE-2026-58399

@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for...

8.7CVSS0.00543EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-58399 @acastellon/auth has an authentication bypass via spoofable headers in validateToken()

@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for...

8.7CVSS0.00543EPSS
Exploits0References3
CVE
CVE
added 5 days ago14 views

CVE-2026-58399

The CVE affects @acastellon/auth (authentication control for microservices). Versions

8.7CVSS5.8AI score0.00543EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 5 days ago4 views

CVE-2026-13603

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS5.8AI score0.00253EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-13603

CVE-2026-13603 affects the pretix-oppwa payment integration. The vulnerability arises from insecure handling of Oppwa’s API URL: the code concatenated resourcePath from the return URL to baseUrl without validation and without a trailing slash, enabling an attacker to redirect the API call to a di...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-40958

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
NVD
NVD
added 5 days ago5 views

CVE-2026-13323

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS0.00169EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-40945

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS5.8AI score0.00169EPSS
Exploits0References2
CVE
CVE
added 5 days ago15 views

CVE-2026-13323

Open VSX Registry before 1.0.2 is affected by a vulnerability in the /vscode/unpkg/ endpoint that serves user-supplied HTML with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition header. An unauthenticated attacker can create a publisher account, upload a VSIX c...

4.1CVSS5.8AI score0.00169EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 5 days ago5 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

7.4CVSS5.8AI score0.00394EPSS
Exploits1References5
NVD
NVD
added 5 days ago7 views

CVE-2026-1239

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for...

7.5CVSS0.0026EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-1239 Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for...

7.5CVSS0.0026EPSS
Exploits0References2
CVE
CVE
added 5 days ago20 views

CVE-2026-1239

The CVE-2026-1239 entry concerns the WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You. A missing authorization check on the REST callback ninja-forms-views/token/refresh affects all versions up to and including 3.14.1, permitting unauthenticated attackers to view form s...

7.5CVSS5.8AI score0.0026EPSS
Exploits0References2
CVE
CVE
added 5 days ago9 views

CVE-2026-7829

UltraVNC repeater (= destination size, the NUL byte is written past the end of the stack array, corrupting adjacent data and potentially enabling code execution on the repeater host. An attacker with admin credentials (including via CVE-2026-7839 default password) can trigger this. The provided d...

7.2CVSS6.3AI score0.00504EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-40414

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References6
NVD
NVD
added 6 days ago4 views

CVE-2026-56224

Capgo console.capgo.app/login before 12.128.2 accepts accesstoken and refreshtoken in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs...

5.4CVSS0.00194EPSS
Exploits0References2
NVD
NVD
added 6 days ago4 views

CVE-2026-54673

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS0.00235EPSS
Exploits0References2
NVD
NVD
added 6 days ago6 views

CVE-2026-58449

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs import and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured...

9.8CVSS0.00725EPSS
Exploits0References4
Rows per page
Query Builder