Skip to main content

Axivion

2 CVEs product

Monthly

CVE-2026-12379 MEDIUM This Month

Open redirect in Axivion Dashboard's OAuth/OIDC login flow allows an attacker to silently redirect an authenticated user to an arbitrary external URL after successful sign-in. All Axivion versions are affected per the wildcard CPE (cpe:2.3:a:qt:axivion:*). A threat actor can exploit this for phishing - credential harvesting or second-factor theft - by embedding a crafted login URL that terminates on a convincing look-alike site rather than the legitimate dashboard. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Open Redirect Axivion
NVD
CVSS 4.0
6.8
CVE-2026-12593 HIGH PATCH This Week

Privilege escalation in the Qt Axivion Dashboard allows an authenticated low-privileged user to mint API tokens for other, higher-privileged accounts via the undocumented POST /api/users/~/{user}/tokens endpoint, which failed to enforce an authorization check on the target user. An attacker who knows a more-privileged user's login name and can log in through the Dashboard's OAuth/OIDC flow can forge and finalize a token for that account, potentially seizing Dashboard Administrator rights and — chained with a separate weakness — achieving code execution on the host. CVSS 4.0 is rated 8.7 (High); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass RCE Axivion
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVSS 6.8
MEDIUM This Month

Open redirect in Axivion Dashboard's OAuth/OIDC login flow allows an attacker to silently redirect an authenticated user to an arbitrary external URL after successful sign-in. All Axivion versions are affected per the wildcard CPE (cpe:2.3:a:qt:axivion:*). A threat actor can exploit this for phishing - credential harvesting or second-factor theft - by embedding a crafted login URL that terminates on a convincing look-alike site rather than the legitimate dashboard. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Open Redirect Axivion
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in the Qt Axivion Dashboard allows an authenticated low-privileged user to mint API tokens for other, higher-privileged accounts via the undocumented POST /api/users/~/{user}/tokens endpoint, which failed to enforce an authorization check on the target user. An attacker who knows a more-privileged user's login name and can log in through the Dashboard's OAuth/OIDC flow can forge and finalize a token for that account, potentially seizing Dashboard Administrator rights and — chained with a separate weakness — achieving code execution on the host. CVSS 4.0 is rated 8.7 (High); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass RCE Axivion
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy