Skip to main content
CVE-2026-50631 HIGH PATCH This Week

Refresh token replay in Apache CXF's OAuth2 provider lets remote attackers concurrently exchange a single leaked refresh token for multiple valid access tokens, breaking the single-use property defenders rely on. The flaw lives in AbstractOAuthDataProvider and only manifests when deployments set 'recycleRefreshTokens' to false. No public exploit identified at time of analysis, and EPSS sits at 0.02% (4th percentile), but SSVC scores technical impact as 'total' due to the OAuth trust implications.

Information Disclosure Cxf
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-48050 HIGH PATCH GHSA This Week

Unauthenticated information disclosure and CPU-exhaustion DoS in Basekick Labs Arc (versions prior to v26.06.1) expose Go's net/http/pprof debug handlers on the public API port without any token check. Remote attackers can fetch heap and goroutine profiles to leak in-memory secrets (live SQL strings, decoded msgpack records, cached *TokenInfo entries) and invoke /debug/pprof/profile?seconds=N to pin a CPU core for arbitrary durations. No public exploit identified at time of analysis, though the vulnerability is trivial to exercise with curl.

Information Disclosure
NVD GitHub
EPSS
0.1%
CVE-2026-48007 HIGH PATCH GHSA This Week

Information disclosure in Element Call 0.5.17 through 0.19.3 causes the application to send full visited URLs (including URL fragments) to a configured PostHog analytics server via the `$initial_person_info`, `$session_entry_url`, and `$current_url` fields. On standalone SPA deployments such as call.element.io that encode call encryption passwords in the URL fragment, this can leak those passwords to anyone with access to the PostHog data, enabling decryption of the associated E2EE media streams. No public exploit identified at time of analysis; the issue was disclosed and patched by the vendor in 0.19.4.

Google Information Disclosure
NVD GitHub
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy