Lucene search
K

48263 matches found

Amazon
Amazon
added 2026/07/08 12:0 a.m.5 views

Medium: containerd

Issue Overview: x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically bas...

7.5CVSS6.9AI score0.00939EPSS
Exploits0
Amazon
Amazon
added 2026/07/08 12:0 a.m.6 views

Important: docker

Issue Overview: x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically bas...

7.5CVSS7.5AI score0.00939EPSS
Exploits0
Cloud Foundry
Cloud Foundry
added 2026/07/08 12:0 a.m.4 views

CVE-2026-47828 - Missing TLS Certificate Verification in BOSH CLI Allows Root Code Execution via Man-in-the-Middle Credential Replay | Cloud Foundry

CVSS Score: High 8.9 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSSv3: High 7.1 CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Vendor BOSH-Ecosystem / BOSH bosh-cli Versions Affected Severity is High unless otherwise noted. bosh-cli – All versions prior to v7.10.4 Description...

8.9CVSS6AI score0.00148EPSS
Exploits0
Cloud Foundry
Cloud Foundry
added 2026/07/08 12:0 a.m.7 views

CVE-2026-47840 - LDAP StartTLS unconditionally disables hostname verification | Cloud Foundry

Severity High CVSS score: 8.3 High CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS score: 7.5 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N/RL:O Vendor CloudFoundry Foundation Versions Affected Severity is High unless otherwise noted. UAA All versions prior to v78.13.0...

9.3CVSS6AI score0.00132EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/07 10:23 p.m.28 views

CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS0.00479EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/07/07 10:23 p.m.6 views

CVE-2026-55076

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS6AI score0.00479EPSS
Exploits0References8Affected Software1
NVD
NVD
added 2026/07/07 10:16 p.m.12 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS0.00479EPSS
Exploits0References7
CVE
CVE
added 2026/07/07 9:33 p.m.14 views

CVE-2026-55075

Coder’s OIDC login flaw leads to account takeover via email-based user matching and improper handling of email_verified. Before versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two issues exist: (1) email-based matching could link by email without confirming an existing link to a different IdP subjec...

7.4CVSS6AI score0.00479EPSS
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/07 9:33 p.m.6 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS6AI score0.00479EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/07 8:55 p.m.6 views

Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth at a version 1.6.11 on the stable line, or any current next pre-release. - emailAndPassword.enabled: true is set in their application's betterAuth ... configuration. - At least one OAuth or SS...

8.3CVSS5.9AI score0.00019EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/07/07 8:54 p.m.5 views

Missing Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Missing Authorization in the acceptInvitation function of the organization plugin when the system relies solely on an unverified email-string equality check ...

7.7CVSS6.1AI score0.00016EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/07 8:33 p.m.34 views

CVE-2026-57172 DataEase: Hardcoded JWT Signing Secret in ShareLink

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS0.00289EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:33 p.m.6 views

CVE-2026-57172

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs,...

8.3CVSS5.9AI score0.00289EPSS
Exploits0References3Affected Software1
RedHat Linux
RedHat Linux
added 2026/07/07 6:15 p.m.7 views

crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries

A flaw was found in the crypto/x509 package of golang. This vulnerability allows a remote attacker to cause a Denial of Service DoS by presenting a specially crafted X.509 certificate with a large number of DNS Subject Alternative Name SAN entries. The certificate verification process, specifical...

7.5CVSS6AI score0.00939EPSS
Exploits0References8
OSV
OSV
added 2026/07/07 4:41 p.m.9 views

GO-2026-5920 Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder

Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder...

7.4CVSS5.9AI score0.00258EPSS
Exploits0References2
OSV
OSV
added 2026/07/07 4:3 p.m.7 views

PYSEC-2026-1200 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

7.5CVSS6AI score0.00244EPSS
Exploits1References7
OSV
OSV
added 2026/07/07 3:26 p.m.7 views

GO-2026-5907 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder

Coder's OIDC emailverified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References1
OSV
OSV
added 2026/07/07 3:26 p.m.6 views

GO-2026-5889 Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled in github.com/projectcontour/contour

Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled in github.com/projectcontour/contour...

5.9AI score0.00023EPSS
Exploits0References1
OSV
OSV
added 2026/07/07 2:34 p.m.4 views

PYSEC-2026-1452 Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

Summary Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. Details In the past, aiohttp-session/request had the parameter verifyssl to control SSL certificate verification. This was a boolean value. In...

7CVSS6AI score0.00229EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/07 11:11 a.m.6 views

EUVD-2026-42034

Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data. This issue affects Liman MYS: before release.Master.1107...

8.1CVSS5.9AI score0.00185EPSS
Exploits0References1
Rows per page
Query Builder