Search Results (641 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-56357 1 N8n 1 N8n 2026-06-23 4 Medium
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
CVE-2026-55202 2 Tinyproxy, Tinyproxy Project 2 Tinyproxy, Tinyproxy 2026-06-23 8.2 High
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
CVE-2026-49231 1 Apache 1 Apisix 2026-06-22 N/A
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVE-2026-39999 1 Apache 1 Apache Apisix 2026-06-22 N/A
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.
CVE-2026-56020 1 Webmin 1 Webmin 2026-06-22 8.1 High
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.
CVE-2026-50141 1 Woodpecker-ci 1 Woodpecker 2026-06-18 N/A
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
CVE-2026-53849 1 Openclaw 1 Openclaw 2026-06-18 8.1 High
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
CVE-2026-36537 1 Thingsboard 1 Thingsboard 2026-06-17 9.8 Critical
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
CVE-2026-53857 1 Openclaw 1 Openclaw 2026-06-16 8.1 High
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.
CVE-2026-53811 1 Openclaw 1 Openclaw 2026-06-16 8.8 High
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.
CVE-2026-27089 2 Magepeople, Wordpress 2 Wptravelly, Wordpress 2026-06-16 7.5 High
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
CVE-2026-53833 2 Openclaw, Qqbot 2 Openclaw, Qqbot 2026-06-16 7.7 High
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
CVE-2026-53832 1 Openclaw 1 Openclaw 2026-06-15 7.7 High
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges.
CVE-2026-53823 1 Openclaw 1 Openclaw 2026-06-15 8.1 High
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities.
CVE-2026-49757 1 Team-alembic 1 Ash Authentication 2026-06-15 N/A
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core ยง5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
CVE-2026-5792 1 Hedef Media 1 Related Marketing Cloud (rmc) 2026-06-15 6.5 Medium
Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026.
CVE-2026-53817 1 Openclaw 1 Openclaw 2026-06-12 8.8 High
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.
CVE-2026-6090 1 Lenovo 1 Smart Connect 2026-06-10 7 High
A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
CVE-2026-11127 1 Google 2 Android, Chrome 2026-06-09 6.5 Medium
Inappropriate implementation in WebAPKs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted WebAPK. (Chromium security severity: Medium)
CVE-2026-11019 1 Google 2 Android, Chrome 2026-06-08 6.5 Medium
Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)