Lucene search
160669 matches found

Cvelist
added 2026/05/28 2:13 p.m. | 28 views

CVE-2026-35675 phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

CVSS 8.8 | EPSS 0.00324
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/28 2:13 p.m. | 7 views

CVE-2026-35675 phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

CVSS 8.8 | AI score 5.8 | EPSS 0.00324
Exploits: 0 | References: 2
CVE
added 2026/05/28 2:13 p.m. | 17 views

CVE-2026-35675

CVE-2026-35675 affects phpMyFAQ prior to 4.1.3. An authentication bypass exists in the /api/user/password/update password reset endpoint, allowing an unauthenticated attacker to reset any user’s password without token verification or email confirmation. Impact is full account takeover with administr...

CVSS 8.8 | AI score 5.8 | EPSS 0.00324
Exploits: 0 | References: 2
ATTACKERKB
added 2026/05/28 2:13 p.m. | 6 views

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

CVSS 8.8 | AI score 5.8 | EPSS 0.00324
Exploits: 0 | References: 3
Cvelist
added 2026/05/28 2:13 p.m. | 28 views

CVE-2026-35672 phpMyFAQ - Authentication Bypass via Empty API Token

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

CVSS 8.7 | EPSS 0.00384
Exploits: 0 | References: 2
EUVD
added 2026/05/28 2:13 p.m. | 6 views

EUVD-2026-32903

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

CVSS 8.7 | AI score 5.8 | EPSS 0.00384
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/28 2:13 p.m. | 7 views

CVE-2026-35672 phpMyFAQ - Authentication Bypass via Empty API Token

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

CVSS 8.7 | AI score 5.8 | EPSS 0.00384
Exploits: 0 | References: 2
ATTACKERKB
added 2026/05/28 2:13 p.m. | 5 views

CVE-2026-35672

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

CVSS 8.7 | AI score 5.8 | EPSS 0.00384
Exploits: 0 | References: 3
CVE
added 2026/05/28 2:13 p.m. | 17 views

CVE-2026-35672

CVE-2026-35672 affects phpMyFAQ prior to 4.1.3 where the default API client token is an empty string. The authentication check compares the configured token to the request header x-pmf-token and uses strict inequality; if the header is empty, authentication is bypassed. This allows unauthenticate...

CVSS 8.7 | AI score 5.8 | EPSS 0.00384
Exploits: 0 | References: 2
Patchstack
added 2026/05/28 2:2 p.m. | 7 views

WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by she11f in WordPress Plugin Smart Online Order for Clover versions <= 1.6.0...

CVSS 7.3 | AI score 5.8 | EPSS 0.00229
Exploits: 0 | Affected Software: 1
OSV
added 2026/05/28 2:2 p.m. | 4 views

CLSA-2026-1779968889 Fix of 7 CVEs

SECURITY UPDATE: Authentication Bypass in digest authentication - debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest - CVE-2026-43512 SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names -...

CVSS 9.8 | AI score 5.8 | EPSS 0.0078
Exploits: 2 | References: 1
CVE
added 2026/05/28 1:27 p.m. | 21 views

CVE-2026-8990

The CVE-2026-8990 entry affects the Kidsview mobile application. A user with physical access can bypass the app’s authentication by interacting with push notifications, granting full access to the device owner’s account. Affected behavior is an authentication bypass via the notification channel, ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00207
Exploits: 0 | References: 2
EUVD
added 2026/05/28 1:27 p.m. | 12 views

EUVD-2026-32901

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVSS 5.3 | AI score 5.8 | EPSS 0.00207
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/28 1:27 p.m. | 11 views

CVE-2026-8990 Authentication Bypass in Kidsview

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVSS 5.3 | AI score 5.8 | EPSS 0.00207
Exploits: 0 | References: 2
Cvelist
added 2026/05/28 1:27 p.m. | 26 views

CVE-2026-8990 Authentication Bypass in Kidsview

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVSS 5.3 | EPSS 0.00207
Exploits: 0 | References: 2
ATTACKERKB
added 2026/05/28 1:27 p.m. | 7 views

CVE-2026-8990

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVSS 5.3 | AI score 5.8 | EPSS 0.00207
Exploits: 0 | References: 3 | Affected Software: 1
Debian
added 2026/05/28 1:18 p.m. | 14 views

[SECURITY] [DLA 4604-1] roundcube security update

Debian LTS Advisory DLA-4604-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin May 28, 2026 https://wiki.debian.org/LTS Package : roundcube Version : 1.4.15+dfsg.1-1+deb11u9 CVE ID : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 CVE-2026-48846...

CVSS 8.1 | AI score 6.1 | EPSS 0.0066
Exploits: 1
Cvelist
added 2026/05/28 1:5 p.m. | 30 views

CVE-2026-8979 Authentication Bypass

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...

CVSS 10 | EPSS 0.00414
Exploits: 1 | References: 1
EUVD
added 2026/05/28 1:5 p.m. | 10 views

EUVD-2026-32896

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...

CVSS 10 | AI score 5.8 | EPSS 0.00414
Exploits: 1 | References: 1
CVE
added 2026/05/28 1:5 p.m. | 18 views

CVE-2026-8979

CVE-2026-8979 affects the Mennekes Amtron series firmware versions ≤ 5.22.3. The vulnerability is an authentication bypass where an unauthenticated remote attacker can change a user account password by sending a crafted POST to the /operator/operator endpoint. The CVSS data indicates a critical i...

CVSS 10 | AI score 5.8 | EPSS 0.00414
Exploits: 1 | References: 1