Lucene search
K

1777 matches found

CVE
CVE
added 2 hours ago41 views

CVE-2026-49352

CVE-2026-49352 affects 9router, a Node.js/Next.js AI router. The vulnerability stems from a hardcoded fallback JWT secret, implemented as the public string 9router-default-secret-change-me, used when JWT_SECRET is unset in multiple files. An attacker can forge a valid auth_token cookie and gain a...

9.8CVSS6.1AI score0.0019EPSS
Exploits1References3
NVD
NVD
added 11 hours ago5 views

CVE-2026-61452

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS
Exploits0References2
Cvelist
Cvelist
added 11 hours ago5 views

CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS
Exploits0References2
EUVD
EUVD
added 11 hours ago4 views

EUVD-2026-44649

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added 18 hours ago13 views

FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass

FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions. id: CVE-2025-69971 info: name: FUXA = 1.2.7 - Hardcoded J...

9.8CVSS6.1AI score0.02036EPSS
Exploits0References3
Nuclei
Nuclei
added 18 hours ago169 views

Cisco IOS XE WLC - Arbitrary File Upload

A vulnerability in the Out-of-Band Access Point AP Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers WLCs could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.This vulnerability is due to the presence of a hard-coded JSON Web...

10CVSS7.1AI score0.17894EPSS
Exploits1References2
NVD
NVD
added yesterday4 views

CVE-2026-45363

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...

9.1CVSS0.00018EPSS
Exploits0References5
CVE
CVE
added yesterday42 views

CVE-2026-45069

CVE-2026-45069 concerns Symfony’s OidcTokenHandler, where verifyClaims() registered aud/iss/exp checkers but did not pass the mandatory claims list to ClaimCheckerManager::check(). Consequently, a validly signed JWT missing these claims could pass verification. The issue is fixed in Symfony relea...

9.1CVSS6.1AI score0.0005EPSS
Exploits0References4Affected Software1
NVD
NVD
added yesterday7 views

CVE-2026-56451

A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...

10CVSS0.00384EPSS
Exploits0References1
EUVD
EUVD
added yesterday5 views

EUVD-2026-43650

A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...

10CVSS7AI score0.00384EPSS
Exploits0References1
CVE
CVE
added yesterday21 views

CVE-2026-56451

Opcenter X (all versions

10CVSS6.1AI score0.00384EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday24 views

CVE-2026-56451

A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...

10CVSS0.00384EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday27 views

CVE-2026-13699 Databroker 0.6.1 PublishValue missing data_point panic

In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional datapoint field in PublishValueRequest. When a request contains a valid signalid but omits datapoint, the server directly calls unwrap on request.datapoint,...

4.3CVSS0.00224EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday4 views

PT-2026-57985

Name of the Vulnerable Software and Affected Versions Eclipse KUKSA Databroker version 0.6.1 Description The kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional data point field in PublishValueRequest. If a request includes a valid signal id but omits data...

6.5CVSS6.1AI score0.00224EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday4 views

PT-2026-58045

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint affected versions not specified Description Weak authentication in Microsoft Office SharePoint allows a remote, unauthenticated attacker to bypass security features over a network. The issue stems from weaknesses in...

9.1CVSS6.2AI score
Exploits0References14
NVD
NVD
added 3 days ago9 views

CVE-2026-15497

A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code...

7.5CVSS0.00394EPSS
Exploits0References5
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-43228

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses weak hardcoded default JWT secrets 'authtoken', 'refreshtoken' and default audience and issuer values 'AUDIENCE', 'ISSUER' in the enterprise passport authentication middleware packages/server/src/enterprise/middleware/passport/index.t...

9.8CVSS6.1AI score0.00396EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43226

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS6.2AI score0.00268EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-43219

A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code...

7.5CVSS6.6AI score0.00394EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57552

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The enterprise passport authentication middleware in packages/server/src/enterprise/middleware/passport/index.ts uses weak hardcoded default secrets and values for audience and issuer. When the...

9.8CVSS6.1AI score0.00396EPSS
Exploits0References8
Rows per page
Query Builder