A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), an
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences intern
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipul
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (whic
A vulnerability was found in jack0240 魏 bskms 蓝天幼儿园管理系统 up to dffe6640b5b54d8e29da6f060e0493fea74b3fad. It has been rated as critical. Affected by this issue is some unknown functionality of the file
A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use ent
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concaten
A vulnerability, which was classified as critical, has been found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this issue is the function userDao.selectUse
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtain
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication b
Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.
SQL Injection vulnerability exists in the sortKey parameter of the GET /api/v1/wanted/cutoff API endpoint in readarr 0.4.15.2787. The endpoint fails to properly sanitize user-supplied input, allowing
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim in
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifica
A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) activ
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind
Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.
Page 1+ Next →