| 0 |
| url |
VCID-5vwq-aqk5-nkh9 |
| vulnerability_id |
VCID-5vwq-aqk5-nkh9 |
| summary |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03614 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04597 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04608 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04592 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04564 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04557 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0454 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04549 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0458 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04543 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05222 |
| published_at |
2026-04-29T12:55:00Z |
|
| 11 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05153 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.0518 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00019 |
| scoring_system |
epss |
| scoring_elements |
0.05221 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1190, GHSA-63v5-26vq-m4vm
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5vwq-aqk5-nkh9 |
|
| 1 |
| url |
VCID-7c1j-kcbb-v3f1 |
| vulnerability_id |
VCID-7c1j-kcbb-v3f1 |
| summary |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01408 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01407 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01414 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01413 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01402 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01775 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01846 |
| published_at |
2026-04-24T12:55:00Z |
|
| 8 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01842 |
| published_at |
2026-04-26T12:55:00Z |
|
| 9 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01773 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01888 |
| published_at |
2026-04-29T12:55:00Z |
|
| 11 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01857 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01788 |
| published_at |
2026-04-12T12:55:00Z |
|
| 13 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01786 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3911, GHSA-xh32-c9wx-phrp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7c1j-kcbb-v3f1 |
|
| 2 |
| url |
VCID-8vzz-naas-a7ab |
| vulnerability_id |
VCID-8vzz-naas-a7ab |
| summary |
Keycloak affected by improper invitation token validation
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1529 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01276 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01273 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01286 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01291 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01295 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01277 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01271 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01274 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01265 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.01945 |
| published_at |
2026-04-26T12:55:00Z |
|
| 10 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.01964 |
| published_at |
2026-04-21T12:55:00Z |
|
| 11 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.01879 |
| published_at |
2026-04-18T12:55:00Z |
|
| 12 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.01949 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.01974 |
| published_at |
2026-04-29T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1529 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1529, GHSA-hcvw-475w-8g7p
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8vzz-naas-a7ab |
|
| 3 |
| url |
VCID-a5d9-k9vd-fyfe |
| vulnerability_id |
VCID-a5d9-k9vd-fyfe |
| summary |
Keycloak's identity-first login flow exposes user information
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4633 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11315 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11344 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11378 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11389 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11372 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11446 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11318 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11237 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11308 |
| published_at |
2026-04-21T12:55:00Z |
|
| 9 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11179 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11177 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12329 |
| published_at |
2026-04-29T12:55:00Z |
|
| 12 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12472 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.1244 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4633 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-4633, GHSA-rhgq-f8x5-j2jc
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a5d9-k9vd-fyfe |
|
| 4 |
| url |
VCID-baux-3v7g-tucw |
| vulnerability_id |
VCID-baux-3v7g-tucw |
| summary |
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-13881 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01421 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01417 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01413 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01426 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01718 |
| published_at |
2026-04-29T12:55:00Z |
|
| 5 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01682 |
| published_at |
2026-04-21T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01591 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01578 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01589 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.0159 |
| published_at |
2026-04-12T12:55:00Z |
|
| 10 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01599 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01689 |
| published_at |
2026-04-26T12:55:00Z |
|
| 12 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01694 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-13881 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-13881, GHSA-g78x-7vwx-9f58
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-baux-3v7g-tucw |
|
| 5 |
| url |
VCID-gzz6-md9v-b3em |
| vulnerability_id |
VCID-gzz6-md9v-b3em |
| summary |
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07686 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0906 |
| published_at |
2026-04-29T12:55:00Z |
|
| 3 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09009 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09089 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0912 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09121 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0909 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09076 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.08971 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0895 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09103 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09145 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3009, GHSA-m297-3jv9-m927
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gzz6-md9v-b3em |
|
| 6 |
| url |
VCID-j5bq-q689-qbg3 |
| vulnerability_id |
VCID-j5bq-q689-qbg3 |
| summary |
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1486 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05672 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.0569 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05735 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.0574 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05748 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.0577 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05744 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05704 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05711 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06822 |
| published_at |
2026-04-29T12:55:00Z |
|
| 10 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06663 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06821 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06827 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06847 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1486 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1486, GHSA-37gf-gmxv-74wv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j5bq-q689-qbg3 |
|
| 7 |
| url |
VCID-jsvn-26y8-q3ey |
| vulnerability_id |
VCID-jsvn-26y8-q3ey |
| summary |
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14778 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01153 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01139 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01145 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01158 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.0116 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01144 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.0114 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.0113 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01733 |
| published_at |
2026-04-29T12:55:00Z |
|
| 9 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01696 |
| published_at |
2026-04-26T12:55:00Z |
|
| 10 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01701 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01688 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01598 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14778 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14778, GHSA-fm6w-rrp3-2x4w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jsvn-26y8-q3ey |
|
| 8 |
| url |
VCID-khfk-1gas-vfan |
| vulnerability_id |
VCID-khfk-1gas-vfan |
| summary |
Keycloak services allows the issuance of access and refresh tokens for disabled users
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14559 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03104 |
| published_at |
2026-04-29T12:55:00Z |
|
| 1 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.02992 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03008 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03013 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03014 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03039 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03002 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.02978 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.02969 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.02944 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.02955 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03075 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.0307 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.0306 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14559 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14559, GHSA-wv3h-x6c4-r867
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-khfk-1gas-vfan |
|
| 9 |
| url |
VCID-m3uj-4mag-kbf2 |
| vulnerability_id |
VCID-m3uj-4mag-kbf2 |
| summary |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09472 |
| published_at |
2026-04-29T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12873 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12924 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12727 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12807 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12857 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12823 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12787 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12643 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12651 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12763 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12781 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12743 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2733, GHSA-fjf4-6f34-w64q
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m3uj-4mag-kbf2 |
|
| 10 |
| url |
VCID-mdkf-3bgs-w7dm |
| vulnerability_id |
VCID-mdkf-3bgs-w7dm |
| summary |
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4874 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.0647 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06461 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06526 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06433 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06535 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06468 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06456 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06507 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06542 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06548 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06645 |
| published_at |
2026-04-26T12:55:00Z |
|
| 11 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.0663 |
| published_at |
2026-04-24T12:55:00Z |
|
| 12 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06619 |
| published_at |
2026-04-21T12:55:00Z |
|
| 13 |
| value |
0.00028 |
| scoring_system |
epss |
| scoring_elements |
0.07783 |
| published_at |
2026-04-29T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4874 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-4874, GHSA-22rm-wp4x-v5cx
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mdkf-3bgs-w7dm |
|
| 11 |
| url |
VCID-qgbq-s33g-d7af |
| vulnerability_id |
VCID-qgbq-s33g-d7af |
| summary |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13935 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16588 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16727 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16706 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16989 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18848 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19091 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19038 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18994 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19006 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19015 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18907 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.1889 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3429, GHSA-8g9r-9wjw-37j4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgbq-s33g-d7af |
|
| 12 |
| url |
VCID-szbr-v2vq-3kbn |
| vulnerability_id |
VCID-szbr-v2vq-3kbn |
| summary |
Keycloak: manage-clients permission escalates to full realm admin access
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3121 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01718 |
| published_at |
2026-04-29T12:55:00Z |
|
| 1 |
| value |
0.00028 |
| scoring_system |
epss |
| scoring_elements |
0.07847 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08686 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08649 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08588 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08662 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08685 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08645 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08691 |
| published_at |
2026-04-24T12:55:00Z |
|
| 9 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08679 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08668 |
| published_at |
2026-04-04T12:55:00Z |
|
| 11 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08526 |
| published_at |
2026-04-18T12:55:00Z |
|
| 12 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08539 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3121 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3121, GHSA-7xf9-4jfc-wgm4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-szbr-v2vq-3kbn |
|
| 13 |
| url |
VCID-tc9b-zzjt-63c7 |
| vulnerability_id |
VCID-tc9b-zzjt-63c7 |
| summary |
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2092 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23452 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23401 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23471 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23329 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23508 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23433 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23378 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23396 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.2339 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00079 |
| scoring_system |
epss |
| scoring_elements |
0.23545 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25466 |
| published_at |
2026-04-29T12:55:00Z |
|
| 11 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25573 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25523 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25515 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2092 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2092, GHSA-wmxr-6j5f-838p
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tc9b-zzjt-63c7 |
|
| 14 |
| url |
VCID-ugtk-3bjv-s3a4 |
| vulnerability_id |
VCID-ugtk-3bjv-s3a4 |
| summary |
Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4628 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06992 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06999 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07009 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06885 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.07005 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06934 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06973 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06918 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.0705 |
| published_at |
2026-04-21T12:55:00Z |
|
| 9 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06915 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00025 |
| scoring_system |
epss |
| scoring_elements |
0.06931 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.082 |
| published_at |
2026-04-29T12:55:00Z |
|
| 12 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08274 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08234 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-4628 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-4628, GHSA-4pgc-gfrr-wcmg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ugtk-3bjv-s3a4 |
|
| 15 |
| url |
VCID-v77w-st1u-pfe6 |
| vulnerability_id |
VCID-v77w-st1u-pfe6 |
| summary |
Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3190 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00024 |
| scoring_system |
epss |
| scoring_elements |
0.06433 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0831 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08292 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08228 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08302 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08245 |
| published_at |
2026-04-26T12:55:00Z |
|
| 6 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08285 |
| published_at |
2026-04-24T12:55:00Z |
|
| 7 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08307 |
| published_at |
2026-04-21T12:55:00Z |
|
| 8 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08144 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08157 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08265 |
| published_at |
2026-04-13T12:55:00Z |
|
| 11 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08281 |
| published_at |
2026-04-12T12:55:00Z |
|
| 12 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08278 |
| published_at |
2026-04-04T12:55:00Z |
|
| 13 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.09712 |
| published_at |
2026-04-29T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3190 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3190, GHSA-q35r-vvhv-vx5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v77w-st1u-pfe6 |
|
| 16 |
| url |
VCID-xd7x-aevv-cfcp |
| vulnerability_id |
VCID-xd7x-aevv-cfcp |
| summary |
Keycloak: Denial of Service due to excessive SAMLRequest decompression
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08543 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08537 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08393 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08523 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08449 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08531 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08517 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08475 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08376 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08501 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13011 |
| published_at |
2026-04-29T12:55:00Z |
|
| 11 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13136 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13142 |
| published_at |
2026-04-24T12:55:00Z |
|
| 13 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13113 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2575, GHSA-xv6h-r36f-3gp5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xd7x-aevv-cfcp |
|
| 17 |
| url |
VCID-y1h3-yyn9-53fr |
| vulnerability_id |
VCID-y1h3-yyn9-53fr |
| summary |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.3858 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38518 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38504 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38444 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38556 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40884 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45429 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45478 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45482 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00261 |
| scoring_system |
epss |
| scoring_elements |
0.4947 |
| published_at |
2026-04-24T12:55:00Z |
|
| 12 |
| value |
0.00261 |
| scoring_system |
epss |
| scoring_elements |
0.4948 |
| published_at |
2026-04-21T12:55:00Z |
|
| 13 |
| value |
0.00261 |
| scoring_system |
epss |
| scoring_elements |
0.49479 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2603, GHSA-x4p7-7chp-64hq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y1h3-yyn9-53fr |
|