Lucene search
K

441 matches found

RedHat Linux
RedHat Linux
added yesterday5 views

Important: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.6 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

8.9CVSS6.6AI score0.0068EPSS
Exploits5References13
Cvelist
Cvelist
added 2026/06/23 8:3 p.m.25 views

CVE-2026-53928 NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForg...

6.3CVSS0.00242EPSS
Exploits0References1
OSV
OSV
added 2026/06/19 5:44 a.m.2 views

SUSE-SU-2026:22170-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...

7.4CVSS5.8AI score0.00379EPSS
Exploits4References11
Github Security Blog
Github Security Blog
added 2026/06/17 2:7 p.m.10 views

NocoDB: Refresh Tokens Persist Through Password Recovery

Summary A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated tokenversion and revoked OAuth tokens — it did...

6.3CVSS5.3AI score0.00242EPSS
Exploits0References2Affected Software1
RedHat Linux
RedHat Linux
added 2026/06/16 12:16 p.m.5 views

Important: Red Hat Security Advisory: fence-agents security update

An update for fence-agents is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

7.4CVSS5.5AI score0.00379EPSS
Exploits1References2
Rockylinux
Rockylinux
added 2026/06/16 12:4 p.m.5 views

fence-agents security update

An update is available for fence-agents. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The fence-agents packages provide a collection of scripts for handling...

7.4CVSS5.4AI score0.00379EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2026/06/16 12:0 a.m.5 views

RockyLinux 10 : fence-agents (RLSA-2026:25902)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:25902 advisory. python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens CVE-2026-48526 Tenable has extracted the preceding description block directly from the...

7.4CVSS5.3AI score0.00379EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/15 7:28 p.m.9 views

EUVD-2026-32917

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed...

7.4CVSS5.1AI score0.00379EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/06/10 1:55 p.m.9 views

CVE-2026-53470

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance OVA images...

9.6CVSS5.5AI score0.0028EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/10 1:55 p.m.11 views

EUVD-2026-36031

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS5.5AI score0.00286EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.18 views

PT-2026-48445

Name of the Vulnerable Software and Affected Versions migration-planner affected versions not specified Description The agent-API middleware processes JSON Web Tokens JWTs for authentication, but the UpdateSourceInventory and UpdateAgentStatus handlers do not validate the source id claim within t...

9.6CVSS5.9AI score0.00286EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.12 views

PT-2026-48444

Name of the Vulnerable Software and Affected Versions migration-planner affected versions not specified Description An improper access control flaw exists in the '/api/v1/sources/id/image-url' endpoint. An authenticated attacker can bypass ownership checks to obtain presigned S3 URLs for Open...

9.6CVSS5.9AI score0.0028EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/06 6:43 p.m.12 views

CVE-2026-46395

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...

9.3CVSS5.9AI score0.00295EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.7 views

CVE-2025-57735

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

9.1CVSS5.4AI score0.00667EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.4AI score0.00274EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/05 6:27 p.m.10 views

EUVD-2026-34886

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...

9.3CVSS5.9AI score0.00295EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.8 views

HAXCMS 安全漏洞

HAXCMS is an open-source content management system developed by HAX The Web. Versions of HAXCMS prior to 26.0.0 contained security vulnerabilities. These vulnerabilities stemmed from improper cleaning of the video-player component, which could allow attackers to execute arbitrary JavaScript in th...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/04 10:17 p.m.8 views

CVE-2026-48524

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. A remote attacker can exploit this vulnerability by sending specially crafted JWTs with unknown 'kid' key ID values. This can force the PyJWKClient.getsigningkey function to make an unlimited number of unrate-limit...

5.9CVSS5.7AI score0.00222EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/01 9:16 a.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the str.lstrip function used for validating JWT tokens against Dag IDs. An attacker can gain unauthorized access to other Dags' log data by crafting JWT tokens that exploit character overlap in Dag names. Note...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/01 7:35 a.m.35 views

CVE-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...

0.00368EPSS
Exploits0References3
Rows per page
Query Builder