11 matches found
CVE-2026-33316
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without...
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
Summary: A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...
EUVD-2025-38349
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0, contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an...
PT-2025-45498
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 7.14.7 and prior; SuiteCRM versions 8.0.0 through 8.9.0. Description: SuiteCRM is a Customer Relationship Management (CRM) software application. A flaw exists where user sessions are not invalidated when an account is deactivated....
CVE-2019-13347
An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products, affecting versions 3.1.0 through 3.2.2 for Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo. It allows locally disabled users to reactivate thei...
CVE-2022-4068
A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary...
PT-2021-19812 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 11.10.13 XWiki Platform versions prior to 12.6.7 XWiki Platform versions prior to 12.10.2 Description: A user disabled on a wiki using email verification for registration can re-activate themselves by using th...
HackerOne: Disabled account can still use GraphQL endpoint
Summary: Hi team & @jobert, I am not sure if it is by design. After disabling the account, the user will be forced to Enable his account after logging in. However, many actions are implemented using the GraphQL endpoint, which bypasses the account reactivation process before use. Since re-enabling the...
Facebook Glitch Locks Out Accounts
A bug in an account verification system used by Facebook resulted in a wave of account suspensions Tuesday that had users locked out of the world’s largest social network and scratching their heads over the reason. Facebook discovered a bug in a system designed to detect and disable fake accounts...
rocketmail.txt
http://securityhole.8m.com/ New Webmail Security Hole Found - 10 April 1999 MAO Enterprises announced today that a security flaw in Rocketmail's free web email services at www.rocketmail.com. If you should happen to know the login name of an account at Rocketmail which has been inactive for a...