Skip to main content

Poweradmin

1 CVEs product

Monthly

CVE-2026-54588 CRITICAL Act Now

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. No public exploit identified at time of analysis, though the upstream advisory and patched releases describe the issue in detail.

Information Disclosure Poweradmin
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
EPSS 0% CVSS 9.6
CRITICAL Act Now

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. No public exploit identified at time of analysis, though the upstream advisory and patched releases describe the issue in detail.

Information Disclosure Poweradmin
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy