Lucene search
K

2645 matches found

OSV
OSV
added yesterday3 views

MAL-2026-10228 Malicious code in chat-adapter-zoom (npm)

The chat-adapter-zoom package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Zoom...

6.1AI score
Exploits0References3
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46455

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

9.8CVSS0.00411EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:56 a.m.9 views

CVE-2026-46455

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

6AI score0.00411EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/07/06 7:56 a.m.30 views

CVE-2026-46455 Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

0.00411EPSS
Exploits1References1
CVE
CVE
added 2026/07/06 7:56 a.m.17 views

CVE-2026-46455

CVE-2026-46455 affects Apache Camel with the camel-keycloak component. The security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) that only enforces subject and issuer, but omits the default IS_ACTIVE check. Consequently, the verifie...

9.8CVSS6AI score0.00411EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.13 views

PT-2026-55890

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.18.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.x Description Insufficient session expiration in the Apache Camel Keycloak Component occurs because the KeycloakSecurityHelper.parseAndVerifyAccessToken...

9.8CVSS6.1AI score0.00411EPSS
Exploits1References7
Snyk
Snyk
added 2026/07/03 10:19 p.m.5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper enforcement of the PKCE S256 challenge during the OAuth2 token exchange process. An attacker can obtain access tokens without providing the expected code verifier by bypassing the intended...

9.1CVSS6AI score0.00379EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 9:16 p.m.7 views

CVE-2026-26247

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check...

9.1CVSS0.00379EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.39 views

CVE-2026-26247 Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check...

0.00379EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:19 p.m.8 views

CVE-2026-26247

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check...

5.9AI score0.00379EPSS
Exploits0References5
CVE
CVE
added 2026/07/03 8:19 p.m.14 views

CVE-2026-26247

Gitea versions before 1.25.5 are affected by an OAuth2 PKCE S256 verification weakness during the authorization/token-exchange flow. The underlying issue is that PKCE S256 is not persisted/validated correctly, allowing token exchange without the required verifier check. Impact is a potential acce...

9.1CVSS5.9AI score0.00379EPSS
Exploits0References4
OSV
OSV
added 2026/07/03 8:19 p.m.2 views

CVE-2026-26247 Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check...

9.1CVSS5.9AI score0.00379EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/07/03 2:25 a.m.10 views

CVE-2026-54430

A flaw was found in liboauth2 in the oauth2josejwksawsalbresolve function. The AWS ALB JWT verifier reads the signer and kid fields from the unverified JWT header. When signer matches the configured ARN, kid is appended to the ALB base URL without path sanitization, and an HTTP GET request is...

5.8CVSS5.8AI score0.00121EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.8 views

PT-2026-55597

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description The software fails to correctly persist the OAuth2 PKCE S256 challenge method during the authorization process. This flaw allows for token exchange without the required verifier check. PKCE Proof Key...

9.1CVSS6.2AI score0.00379EPSS
Exploits0References7
NVD
NVD
added 2026/07/02 11:16 a.m.12 views

CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbaseurl without URL encoding or path sanitization, and the HTT...

5.1CVSS0.00121EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 11:16 a.m.3 views

UBUNTU-CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbaseurl without URL encoding or path sanitization, and the HTT...

5.1CVSS5.9AI score0.00121EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/07/02 10:30 a.m.6 views

CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...

5.1CVSS5.8AI score0.00128EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.5 views

CVE-2026-48702 vulnerabilities

Vulnerabilities for packages: ko-fips, spire-server, tkn, cloudbeat, tekton-chains, trivy-operator-fips, crossplane, kubescape-server, kyverno-notation-aws, kubescape-server-fips, tflint, zarf, teleport, chainctl-fips, kubescape, kyverno-fips, spire-server-fips, gitsign,...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.6 views

GHSA-47Q9-M4WW-924M vulnerabilities

Vulnerabilities for packages: ko-fips, spire-server, tkn, cloudbeat, tekton-chains, trivy-operator-fips, crossplane, kubescape-server, kyverno-notation-aws, kubescape-server-fips, tflint, zarf, teleport, chainctl-fips, kubescape, kyverno-fips, spire-server-fips, gitsign,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.7 views

CVE-2026-48702 vulnerabilities

Vulnerabilities for packages: teleport, policy-controller, falcoctl, kyverno, spire-server, neuvector-sigstore-interface, tkn, goreleaser, crossplane, kyverno-notation-aws, tekton-chains, ratify, tflint, ko, kubescape, zarf, aactl, slsa-verifier, trivy-operator, gitsign...

6.1AI score
Exploits0
Rows per page
Query Builder