Lucene search
K

2427 matches found

Cvelist
Cvelist
added 17 hours ago8 views

CVE-2026-12281 Shibboleth < 2.5.4 - Unauthenticated Administrator Account Creation via Identity Header Spoofing

The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach...

Exploits0References1
Nuclei
Nuclei
added 2 days ago407 views

JFrog Artifactory 6.7.3 - Admin Login Bypass

JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allo...

9.8CVSS7AI score0.53879EPSS
Exploits3References5
Nuclei
Nuclei
added 4 days ago28 views

SonicWall Email Security <= 10.0.9.x - Unauthenticated Admin Account Creation

SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. id: CVE-2021-20021 info: name: SonicWall Email Security = 10.0.9.x - Unauthenticated Admin Account Creation author: pussycat0x severity: critical...

9.8CVSS7.1AI score0.83425EPSS
Exploits0References2
NVD
NVD
added 5 days ago5 views

CVE-2026-12761

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS0.00463EPSS
Exploits0References6
CVE
CVE
added 5 days ago9 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-57277

Name of the Vulnerable Software and Affected Versions miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn versions prior to 7.7.1 Description An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References12
CVE
CVE
added 6 days ago9 views

CVE-2026-55207

CVE-2026-55207 affects Pimcore: an unauthenticated attacker who knows a valid admin username can hijack an admin account by abusing a malicious resetPasswordUrl in a password reset request. The server generates a real cryptographic recovery token, appends it to the attacker-controlled URL, emails...

8.8CVSS6AI score0.0035EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-54801

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the we...

8.6CVSS0.0034EPSS
Exploits0References1
NVD
NVD
added 6 days ago5 views

CVE-2026-14245

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS0.00586EPSS
Exploits0References10
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42543

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS6AI score0.00586EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-56933

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 2025.4.6 Pimcore versions prior to 2026.1.6 Description An unauthenticated attacker who knows a valid admin username can take over an admin account by sending a password reset request containing an attacker-controlled...

8.8CVSS6.1AI score0.0035EPSS
Exploits0References7
Nuclei
Nuclei
added 2026/07/03 1:39 p.m.55 views

Palo Alto Expedition - Admin Account Takeover

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. id: CVE-2024-5910 info: name: Palo Alto Expedition - Admin Account Takeover author: johnk3r severity: critical...

9.8CVSS7.4AI score0.91783EPSS
Exploits9References3
EUVD
EUVD
added 2026/06/27 4:30 a.m.9 views

EUVD-2026-39943

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravelinvoiceeditaccount AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wpajaxnoprivpravelinvoiceeditaccount, accepts an attacker-controlled...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/27 12:30 a.m.17 views

EUVD-2026-39925

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.3CVSS5.8AI score0.00569EPSS
Exploits0References3
NVD
NVD
added 2026/06/26 11:17 p.m.14 views

CVE-2026-31928

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.8CVSS0.00569EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 10:52 p.m.38 views

CVE-2026-31928 Daktronics Controller Firmware Use of Hard-coded Credentials

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.3CVSS0.00569EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 10:52 p.m.18 views

CVE-2026-31928

The CVE-2026-31928 entry concerns DMP-5000 devices shipped with a default administrative web account and weak authentication controls that are not required to be changed during initial configuration or operation, enabling full system access if exploited. The issue is tied to hard-coded/default cr...

9.8CVSS5.8AI score0.00569EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.17 views

PT-2026-52988

Name of the Vulnerable Software and Affected Versions DMP-5000 affected versions not specified Description Devices are shipped with a default administrative web account that utilizes weak authentication controls. These credentials are not required to be changed during the initial configuration or...

9.8CVSS5.8AI score0.00569EPSS
Exploits0References8
CVE
CVE
added 2026/06/25 7:8 p.m.29 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/06/23 4:8 p.m.4 views

CVE-2026-56115 Bootimus 0.1.70 Broken Access Control via JWTMiddleware Authorization Bypass

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but...

8.7CVSS5.9AI score0.00307EPSS
Exploits1References5
Rows per page
Query Builder