CVE-2026-57522 Bitwarden Server < 2026.5.0 JSON Injection via Webhook Templates

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

CVE-2026-45689 Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with...

CVE-2026-45689

Summary: Rocket.Chat prior to versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 is affected by a pre-auth NoSQL injection at the OAuth2 token endpoint. An unauthenticated attacker can send a crafted HTTP POST to /oauth/token using MongoDB query operators, bypassing grant-para...

NocoDB: Refresh Tokens Persist Through Password Recovery

Summary A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated tokenversion and revoked OAuth tokens — it did...

CVE-2026-5774

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token...

EUVD-2026-21366

Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence...

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition due to unsynchronized concurrent access to the userTokens map in the local authentication process. An attacker can cause the server to crash or reuse authentication tokens by sending multiple simultaneous requests to the...

CVE-2026-39943

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Title Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...

CVE-2026-5774

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token...

CVE-2026-5774 Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token...

CVE-2026-5774 Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token...

CVE-2026-5774

CVE-2026-5774 affects Canonical Juju API server components, where improper synchronization of the userTokens map in Juju 4.0.5, 3.6.20, and 2.9.56 can enable an authenticated user to cause a denial of service or potentially replay a single-use discharge token. Root cause: unsynchronized token map...

PT-2026-31910

Name of the Vulnerable Software and Affected Versions Canonical Juju versions 2.9.56, 3.6.20, and 4.0.5 Description Improper synchronization within the userTokens map in the API server of Canonical Juju may allow an authenticated user to cause a denial of service on the server or potentially reus...

CVE-2026-39943 Directus exposes sensitive fields in revision history

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

CVE-2026-39943

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

PT-2026-29871

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...

CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows...

CVE-2026-23482

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks...

CVE-2026-23482

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks...