CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

41 matches found

EUVD•added 2026/05/22 12:31 a.m.•5 views

EUVD-2026-31364

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

2.3CVSS5.8AI score0.00037EPSS

Exploits0References2

NVD•added 2026/05/21 10:16 p.m.•7 views

CVE-2026-7887

6.4CVSS0.00037EPSS

Exploits0References1

CVE•added 2026/05/21 9:20 p.m.•7 views

CVE-2026-7887

Summary: CVE-2026-7887 affects Concrete CMS 9.5.0 and earlier. The OAuth 2.0 Authorization-Code Handler does not enforce account status, allowing a user with uIsActive=0 (suspended/banned/terminated) to authenticate and obtain API tokens. What’s affected: Concrete CMS versions prior to 9.5.1 (per...

6.4CVSS5.8AI score0.00037EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/21 9:20 p.m.•22 views

CVE-2026-7887 For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status

2.3CVSS0.00037EPSS

Exploits0References1

ATTACKERKB•added 2026/05/21 9:20 p.m.•2 views

CVE-2026-7887

2.3CVSS5.8AI score0.00037EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/05/21 12:0 a.m.•6 views

PT-2026-42557

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description The OAuth 2.0 Authorization-Code Handler fails to verify account status. This allows users who are suspended, banned, or terminated employees, specifically those with the uIsActive variable set ...

2.3CVSS5.8AI score0.00037EPSS

Exploits0References4

CNNVD•added 2026/05/21 12:0 a.m.•3 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from an oversight in the handling of OAuth 2.0 authorization codes, which bypasses account status checks. This could...

6.4CVSS5.8AI score0.00037EPSS

Exploits0References1

RedhatCVE•added 2026/04/25 10:43 a.m.•1 views

CVE-2026-22746

A flaw was found in Spring Security. If an application uses the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, an attacker can bypass the DaoAuthenticationProvider's timing attack defense. This bypass allows an attacker to potentially gain limited information...

3.7CVSS5.2AI score0.00067EPSS

Exploits0References4

RedhatCVE•added 2026/03/26 3:8 p.m.•1 views

CVE-2026-33688

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames a...

5.3CVSS5.7AI score0.00086EPSS

Exploits1References1

EUVD•added 2026/03/25 7:53 p.m.•3 views

EUVD-2026-14498

AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint...

5.3CVSS5.8AI score0.00086EPSS

Exploits1References3

OSV•added 2026/03/25 7:53 p.m.•1 views

GHSA-M99F-MMVG-3XMX AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

Summary The password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and...

5.3CVSS5.9AI score0.00086EPSS

Exploits1References4

Github Security Blog•added 2026/03/25 7:53 p.m.•3 views

AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

5.3CVSS5.9AI score0.00086EPSS

Exploits1References4Affected Software1

NVD•added 2026/03/23 7:16 p.m.•2 views

CVE-2026-33688

5.3CVSS0.00086EPSS

Exploits1References2

ATTACKERKB•added 2026/03/23 6:43 p.m.•4 views

CVE-2026-33688

5.3CVSS5.8AI score0.00086EPSS

Exploits1References3Affected Software1

Vulnrichment•added 2026/03/23 6:43 p.m.•1 views

CVE-2026-33688 AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

5.3CVSS5.8AI score0.00086EPSS

Exploits1References2

Cvelist•added 2026/03/23 6:43 p.m.•17 views

CVE-2026-33688 AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

5.3CVSS0.00086EPSS

Exploits1References2

CVE•added 2026/03/23 6:43 p.m.•2 views

CVE-2026-33688

WWBN AVideo

5.3CVSS5.8AI score0.00086EPSS

Exploits1References2Affected Software1

OSV•added 2026/03/23 6:43 p.m.•1 views

CVE-2026-33688 AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

5.3CVSS5.8AI score0.00086EPSS

Exploits1References4

Positive Technologies•added 2026/03/23 12:0 a.m.•0 views

PT-2026-27188

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 26.1 Description AVideo is an open source video platform. Versions up to and including 26.0 have an issue in the password recovery endpoint at objects/userRecoverPass.php. This endpoint performs user existence and...

5.3CVSS5.8AI score0.00086EPSS

Exploits1References5

CNNVD•added 2026/03/23 12:0 a.m.•3 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from the password recovery endpoint, userRecoverPass.php, which performed an identity verification before...

5.3CVSS5.8AI score0.00086EPSS

Exploits1References2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by