|
1151
|
4.3 |
MEDIUM
Network
|
-
|
-
|
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL …
|
CWE-400
CWE-404
Uncontrolled Resource Consumption
Improper Resource Shutdown or Release
|
CVE-2026-10802
|
2026-06-5 01:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1152
|
- |
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on ass…
|
CWE-345
Insufficient Verification of Data Authenticity
|
CVE-2026-41577
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1153
|
- |
|
-
|
-
|
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper UR…
|
CWE-601
Open Redirect
|
CVE-2026-41569
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1154
|
9.3 |
CRITICAL
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more comp…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42849
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1155
|
8.5 |
HIGH
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstre…
|
CWE-20
Improper Input Validation
|
CVE-2026-47201
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1156
|
8.8 |
HIGH
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured…
|
CWE-287
Improper Authentication
|
CVE-2026-49443
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1157
|
9.8 |
CRITICAL
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions …
|
CWE-287
Improper Authentication
|
CVE-2026-49448
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1158
|
8.0 |
HIGH
Network
|
-
|
-
|
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script en…
|
CWE-863
Incorrect Authorization
|
CVE-2026-35482
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1159
|
7.1 |
HIGH
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys mana…
|
CWE-862
Missing Authorization
|
CVE-2026-31942
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1160
|
9.6 |
CRITICAL
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders aga…
|
CWE-200
Information Exposure
|
CVE-2026-32625
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
