119 matches found
CVE-2026-14781
A flaw in Keycloak’s OIDC broker (org.keycloak.broker.oidc) causes incorrect synchronization of the email_verified claim. When trustEmail=true and the userinfo endpoint is enabled, Keycloak uses email from userinfo but takes email_verified from the id_token without validating that it corresponds ...
EUVD-2026-38737
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...
PT-2026-52216
Name of the Vulnerable Software and Affected Versions Gitea Docker image versions prior to 1.26.3 Description A critical authentication bypass exists in the official Gitea Docker image due to an insecure default configuration in the app.ini file. The variable REVERSE PROXY TRUSTED PROXIES is set ...
PT-2026-48827
Name of the Vulnerable Software and Affected Versions Okta affected versions not specified Description Improper state verification in the OAuth implementation allows an attacker to manipulate the authentication flow. This can lead to a victim's account being linked to an account controlled by the...
CVE-2026-6552 Authorization Bypass Through User-Controlled Key in GitLab
GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper...
PT-2026-48717
Name of the Vulnerable Software and Affected Versions PenguinMod-BackendApi versions prior to 1.0.0 Description A NoSQL injection—a method of attacking non-relational databases by manipulating queries—exists in the password reset endpoint. This allows an authenticated user with a registered accou...
CVE-2026-43972
CVE-2026-43972 (gun_http2) : In gun_http2:push_promise_frame/7, the incoming PUSH_PROMISE :authority header is stored without validating it against the connection origin. Later, gun_http2:headers_frame/9 uses this unvalidated value when calling gun_cookies:set_cookie_header/7, before status handl...
Instagram Recovery Tool Bug Exposed 20,225 Accounts to Password Reset Abuse
Meta says an Instagram recovery tool bug allowed attackers to abuse password resets, affecting 20,225 accounts and exposing users without 2FA to account takeover risk...
27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens
A malicious Codex UI npm package with 27,000 weekly downloads was caught exfiltrating OpenAI refresh tokens, exposing developers to account takeover risks...
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. Details SillyTavern relies on cookie-session for authentication, storing all session data user handle, permissions in a...
1 in 8 employees have sold company logins or know someone who has
UK anti-fraud non-profit Cifas just published research that should bother anyone who runs a business, or buys from one: One in eight workers at large enterprises have either sold their company login credentials or know someone who did. The internet is awash with compromised credentials that...
WWBN AVideo 安全漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from the plugin/MobileManager/oauth2.php file, which exposed the user’s password hash in the OAuth login...
EUVD-2026-26037
An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...
CVE-2026-5779 Multiple vulnerabilities in MphRx's Minerva
An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...
MphRx Minerva 访问控制错误漏洞
MphRx Minerva is a medical data integration and interoperability platform developed by MphRx Corporation. Version MphRx Minerva V3.6.0 contains a security vulnerability related to access control. This vulnerability stems from an insecure direct object reference in the...
EUVD-2026-21692
A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...
Improper Authentication
github.com/1panel-dev/1panel is vulnerable to improper authentication.The vulnerability is due to improper server-side validation of a client-controlled parameter, which allows an unauthenticated attacker to bypass CAPTCHA protections and perform automated login attempts leading to potential...
CVE-2026-27599 CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration...
Fleet: Password reset tokens remain valid after password change for 24 hours
Summary A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...
PT-2026-25366
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP Model Context Protocol OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redire...