VYPR

Go modules package

github.com/steveiliop56/tinyauth

pkg:golang/github.com/steveiliop56/tinyauth

Vulnerabilities (3)

  • CVE-2026-33544 (High), Apr 2, 2026
    affected: < 1.0.1-0.20260401140714-fc1d4f2082a5; fixed: 1.0.1-0.20260401140714-fc1d4f2082a5

    Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared acro

  • CVE-2026-32246, Mar 12, 2026
    affected: < 1.0.1-20260311144920-9eb2d33064b7; fixed: 1.0.1-20260311144920-9eb2d33064b7

    Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP s

  • CVE-2026-32245, Mar 12, 2026
    affected: < 1.0.1-20260311144920-9eb2d33064b7; fixed: 1.0.1-20260311144920-9eb2d33064b7

    Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization