Lucene search
+L

227 matches found

OSV
OSV
added 2026/03/26 8:33 p.m.4 views

GO-2026-4860 OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao

OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao...

9.6CVSS5.8AI score0.00411EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/26 6:32 p.m.6 views

OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

9.6CVSS5.9AI score0.00411EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/26 6:32 p.m.9 views

GHSA-7Q7G-X6VG-XPC3 OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

9.6CVSS5.9AI score0.00411EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/02/21 1:28 a.m.8 views

CVE-2026-26327

OpenClaw is a personal AI assistant. Discovery beacons Bonjour/mDNS and DNS-SD include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs...

7.1CVSS5.5AI score0.001EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/19 10:59 p.m.2 views

CVE-2026-26327 OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning

OpenClaw is a personal AI assistant. Discovery beacons Bonjour/mDNS and DNS-SD include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs...

7.1CVSS5.6AI score0.001EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/02/18 12:33 a.m.23 views

OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning

Summary Discovery beacons Bonjour/mDNS and DNS-SD include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs: - iOS and macOS: used TXT-provided host...

7.1CVSS5.6AI score0.001EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/01/16 4:29 p.m.22 views

CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...

9.6CVSS0.06299EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/01/16 4:29 p.m.4 views

CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...

9.6CVSS6.6AI score0.06299EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/01/09 11:16 a.m.9 views

CVE-2021-0306

In addAllPermissions of PermissionManagerService.java, there is a possible permissions bypass when upgrading major Android versions which allows an app to gain the android.permission.ACTIVITYRECOGNITION permission without user confirmation. This could lead to local escalation of privilege with no...

7.8CVSS7.2AI score0.00259EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/01 12:17 p.m.20 views

CVE-2025-61037

A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 EC2007 Kernel v5.22. The flaw is a Time-of-Check Time-of-Use TOCTOU race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files...

7CVSS7.7AI score0.0014EPSS
Exploits1References1
The Hacker News
The Hacker News
added 2025/12/05 5:53 p.m.12 views

Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecti...

7AI score
Exploits0
NVD
NVD
added 2025/12/05 5:16 p.m.9 views

CVE-2025-66550

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This...

5.7CVSS0.00288EPSS
Exploits0References4
CVE
CVE
added 2025/12/05 4:56 p.m.32 views

CVE-2025-66550

CVE-2025-66550 affects Nextcloud Calendar prior to versions 4.7.17 and 5.2.4. A malicious user could create a calendar event with an attachment that links to a download URL for a file on the same Nextcloud server, causing the file to be downloaded without user confirmation. The issue is resolved ...

5.7CVSS6.2AI score0.00288EPSS
Exploits0References4Affected Software1
Nextcloud
Nextcloud
added 2025/12/05 7:57 a.m.27 views

Calendar attachments of local files are offered to downloaded

None...

5.7CVSS5.2AI score0.00288EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2021-12324

Malware in sbrugna...

7.8CVSS7.7AI score0.00102EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2012-2827

Malware in sbrugna...

4.3CVSS6.1AI score0.00751EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2015-3794

Malware in sbrugna...

4.3CVSS6.3AI score0.01374EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2008-1590

Malware in sbrugna...

4.3CVSS6.3AI score0.01214EPSS
Exploits1References8
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2016-2865

Malware in sbrugna...

6.5CVSS7.7AI score0.01216EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2019-11867

Malware in sbrugna...

8.8CVSS8.6AI score0.00398EPSS
Exploits0References2
Rows per page
Query Builder