GO-2026-4653 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion in github.com/pocket-id/pocket-id/backend

Pocket ID: OAuth redirecturi validation bypass via userinfo/host confusion in github.com/pocket-id/pocket-id/backend...

CVE-2026-28512 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVE-2026-28512 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

GHSA-9H33-G3WW-MQFF Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Impact A flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host...

UBUNTU-CVE-2024-38428

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent...