Monthly
Directory data disclosure in PEAKUP Technology's PassGate (all versions through build 30042026) allows remote unauthenticated attackers to manipulate LDAP queries by injecting special characters into user-controlled input. Reported by TR-CERT (Turkey's national CERT), the flaw carries a CVSS 8.2 driven by high confidentiality impact with no authentication or user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.
Privilege-escalation-capable LDAP injection in HAVELSAN Liman MYS (all releases before Master.1107) lets an authenticated attacker inject unsanitized special characters into LDAP queries, subverting directory-backed authentication and authorization logic. Because Liman is typically wired into corporate LDAP/Active Directory for login, a successful injection can expose directory data, bypass access controls, and manipulate query results. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; risk is driven by the high CVSS 8.8 rating rather than confirmed in-the-wild activity.
Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.
LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.
LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.
LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
LDAP injection in Apache Shiro's DefaultLdapRealm allows remote unauthenticated attackers to manipulate Distinguished Name construction during LDAP bind authentication, potentially bypassing authentication or impersonating other users. The flaw affects all versions through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm is in use, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects high integrity impact against an authentication-critical component.
LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.
LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.
LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.
Directory data disclosure in PEAKUP Technology's PassGate (all versions through build 30042026) allows remote unauthenticated attackers to manipulate LDAP queries by injecting special characters into user-controlled input. Reported by TR-CERT (Turkey's national CERT), the flaw carries a CVSS 8.2 driven by high confidentiality impact with no authentication or user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.
Privilege-escalation-capable LDAP injection in HAVELSAN Liman MYS (all releases before Master.1107) lets an authenticated attacker inject unsanitized special characters into LDAP queries, subverting directory-backed authentication and authorization logic. Because Liman is typically wired into corporate LDAP/Active Directory for login, a successful injection can expose directory data, bypass access controls, and manipulate query results. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; risk is driven by the high CVSS 8.8 rating rather than confirmed in-the-wild activity.
Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.
LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.
LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.
LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
LDAP injection in Apache Shiro's DefaultLdapRealm allows remote unauthenticated attackers to manipulate Distinguished Name construction during LDAP bind authentication, potentially bypassing authentication or impersonating other users. The flaw affects all versions through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm is in use, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects high integrity impact against an authentication-critical component.
LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.
LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.
LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.