Lucene search
K

17 matches found

CVE
CVE
added 2026/06/09 11:50 p.m.114 views

CVE-2026-47838

Spring Security CVE-2026-47838 involves the SubjectDnX509PrincipalExtractor and malformed X.509 CN values, causing the extracted username to be read incorrectly and potentially allowing an attacker to impersonate another user. Affected versions include Spring Security 5.7.0–5.7.24; 5.8.0–5.8.26; ...

8.1CVSS5.5AI score0.00116EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.10 views

Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

8.1CVSS5.2AI score0.00296EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 5:8 a.m.3 views

CVE-2026-22747 Unauthorized User Impersonation when Using X.509 Client Certificates

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

6.8CVSS5.8AI score0.00296EPSS
Exploits0References1
CVE
CVE
added 2026/03/20 10:53 p.m.13 views

CVE-2026-29796

CVE-2026-29796 involves WebSocket endpoints in OCPP-based charging-station/back-end deployments (notably IGL-Technologies eParking.fi) that lack authentication. An unauthenticated attacker can connect to the WebSocket, impersonate a charging station, and issue/receive OCPP commands as a legitimat...

9.8CVSS5.9AI score0.00468EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/07 1:43 a.m.4 views

CVE-2026-22552

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4CVSS5.8AI score0.00889EPSS
Exploits0References1
NVD
NVD
added 2026/03/06 4:16 p.m.6 views

CVE-2026-26288

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.8CVSS0.00637EPSS
Exploits0References2
CVE
CVE
added 2026/03/06 3:15 p.m.23 views

CVE-2026-26288

CVE-2026-26288 involves WebSocket/OCPP endpoints lacking authentication, enabling an unauthenticated attacker to impersonate a charging station and send/receive OCPP commands as a legitimate charger. The issue can lead to privilege escalation, unauthorized control of charging infrastructure, and ...

9.8CVSS5.8AI score0.00637EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/06 3:15 p.m.4 views

CVE-2026-26288 Everon api.everon.io Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4CVSS5.8AI score0.00637EPSS
Exploits0References2
NVD
NVD
added 2026/03/06 12:16 a.m.6 views

CVE-2026-22552

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.8CVSS0.00889EPSS
Exploits0References3
CVE
CVE
added 2026/03/05 11:18 p.m.14 views

CVE-2026-22552

CVE-2026-22552 involves WebSocket endpoints missing authentication in the ePower epower.ie component. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging-station identifier and impersonate a charger, sending/receiving OCPP commands as a legi...

9.8CVSS6AI score0.00889EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/02/27 12:31 a.m.6 views

EUVD-2026-8929

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4CVSS5.6AI score0.00518EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/27 12:9 a.m.5 views

CVE-2026-27772 EV Energy ev.energy Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4CVSS6AI score0.00531EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.11 views

PT-2026-22243

Name of the Vulnerable Software and Affected Versions Systems utilizing WebSocket endpoints for communication with charging stations via the Open Charge Point Protocol OCPP affected versions not specified Description WebSocket endpoints lack proper authentication mechanisms, allowing attackers to...

9.8CVSS5.9AI score0.00508EPSS
Exploits0References9
NVD
NVD
added 2025/12/11 8:15 a.m.6 views

CVE-2025-12029

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious...

8CVSS0.00506EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.19 views

EUVD-2022-2416

Malicious code in bioql PyPI...

5.9CVSS6AI score0.00852EPSS
Exploits0References4
Palo Alto Networks
Palo Alto Networks
added 2025/04/09 4:0 p.m.46 views

PAN-OS: Session Fixation Vulnerability in GlobalProtect SAML Login

When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker. T...

8.3CVSS6.7AI score0.00354EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2021/08/02 4:2 p.m.5 views

lasso: XML signature wrapping vulnerability when parsing SAML responses

An XML Signature Wrapping XSW vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability...

7.5CVSS5.7AI score0.01325EPSS
Exploits0References5
Rows per page
Query Builder