CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

127 matches found

CVE-2026-48928

A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS mutual Transport Layer Security setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive informati...

5.4CVSS5.7AI score0.00247EPSS

Exploits0References4

OSV•added 3 days ago•3 views

ALPINE-CVE-2026-48928

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

5.4CVSS6.1AI score0.00247EPSS

Exploits0References1

NVD•added 3 days ago•9 views

CVE-2026-48928

5.4CVSS0.00247EPSS

Exploits0References1

Cvelist•added 3 days ago•36 views

CVE-2026-48928

4.2CVSS0.00247EPSS

Exploits0References1

Debian CVE•added 3 days ago•5 views

CVE-2026-48928

5.4CVSS6.2AI score0.00247EPSS

Exploits0

CVE•added 3 days ago•14 views

CVE-2026-48928

CVE-2026-48928 affects Node.js releases 22/24/26. The issue is uppercase SNI context matching causing MTLS authorization bypass due to case-sensitive hostname matching in multi-context mTLS. SUSE indicates this CVE is fixed in nodejs24 update to 24.17.0; remediation is to upgrade to that version ...

5.4CVSS6.6AI score0.00247EPSS

Exploits0References1Affected Software1

AlpineLinux•added 3 days ago•6 views

CVE-2026-48928

5.4CVSS6.6AI score0.00247EPSS

Exploits0

Tenable Nessus•added 2026/06/20 12:0 a.m.•6 views

Linux Distros Unpatched Vulnerability : CVE-2026-48928

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release line...

5.4CVSS6.7AI score0.00247EPSS

Exploits0References3

Github Security Blog•added 2026/06/10 1:37 p.m.•8 views

@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The GOIDC1 and GOIDC2 policy rules ar...

5.5AI score0.0004EPSS

Exploits0References3Affected Software1

OSV•added 2026/06/10 1:37 p.m.•6 views

GHSA-G759-4PXW-6692 @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

8.3CVSS5.5AI score0.0004EPSS

Exploits0References3

Positive Technologies•added 2026/06/10 12:0 a.m.•9 views

PT-2026-48474

8.3CVSS5.5AI score0.0004EPSS

Exploits0References4

Github Security Blog•added 2026/05/21 8:45 p.m.•14 views

@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...

5.8AI score

Exploits0References2Affected Software1

OSV•added 2026/05/21 8:45 p.m.•3 views

GHSA-Q2F7-M237-V562 @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

9.3CVSS5.8AI score

Exploits0References2

OSV•added 2026/01/07 8:0 a.m.•5 views

CURL-CVE-2025-14819 OpenSSL partial chain store policy bypass

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPTNOPARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcur...

5.3CVSS6.5AI score0.00679EPSS

Exploits0

RedhatCVE•added 2025/12/16 7:48 p.m.•6 views

CVE-2025-14503

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM...

8.6CVSS7.5AI score0.0043EPSS

Exploits0References1

NVD•added 2025/12/15 8:15 p.m.•10 views

CVE-2025-14503

8.6CVSS0.0043EPSS

Exploits0References3

OSV•added 2025/12/15 8:15 p.m.•5 views

CVE-2025-14503

8.6CVSS7.4AI score

Exploits0References3

Cvelist•added 2025/12/15 7:45 p.m.•18 views

CVE-2025-14503 Overly Permissive Trust Policy in Harmonix on AWS EKS

8.6CVSS0.0043EPSS

Exploits0References3

Vulnrichment•added 2025/12/15 7:45 p.m.•2 views

CVE-2025-14503 Overly Permissive Trust Policy in Harmonix on AWS EKS

8.6CVSS7.1AI score0.0043EPSS

Exploits0References3

CVE•added 2025/12/15 7:45 p.m.•18 views

CVE-2025-14503

CVE-2025-14503 affects Harmonix on AWS (Harmonix on AWS framework). The issue is an overly-permissive IAM trust policy in the EKS environment provisioning role that trusts the account root principal, potentially enabling any IAM principal within the same AWS account to call sts:AssumeRole and obt...

8.6CVSS7.1AI score0.0043EPSS

Exploits0References3Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by