
99 matches found

NVD
added 3 days ago, 3 views

CVE-2025-71327

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3 CVSS, 0.00476 EPSS
Exploits 0, References 2
CVE
added 3 days ago, 15 views

CVE-2025-71327

Flowise has an authentication bypass in the unprotected /api/v1/account/register endpoint. Unauthenticated attackers can register arbitrary accounts and gain full API access without credentials. CVSS metrics are provided (v3.1: 9.1; v4.0: 9.3), indicating a critical impact on confidentiality and ...

9.3 CVSS, 6 AI score, 0.00476 EPSS
Exploits 0, References 2
Cvelist
added 2026/06/12 6:21 p.m., 30 views

CVE-2026-50244 Naxclow IoT Platform Missing Authorization

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9 CVSS, 0.00221 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/05/29 2:29 p.m., 14 views

CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

9.1 CVSS, 5.9 AI score, 0.00258 EPSS
Exploits 0, References 2
OSV
added 2026/03/27 7:18 p.m., 2 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1 CVSS, 6 AI score, 0.00184 EPSS
Exploits 0, References 3
CNNVD
added 2026/03/27 12:00 a.m., 6 views

Fleet authorization issue vulnerability

Fleet is an open-source device management platform developed by Fleet Device Management. It supports various operating systems and devices, and helps IT and security teams with device management, vulnerability reporting, MDM operations, etc. Versions of Fleet prior to 4.81.0 contained a...

7.1 CVSS, 5.9 AI score, 0.00184 EPSS
Exploits 0, References 2
CVE
added 2026/03/05 12:00 a.m., 14 views

CVE-2026-26417

CVE-2026-26417 affects Tata Consultancy Services Cognix Recon Client v3.0. Affected component: password reset functionality in Cognix Recon Client. Root cause described as broken access control allowing authenticated users to reset passwords for arbitrary user accounts via crafted requests. CVSSv...

8.1 CVSS, 6 AI score, 0.00274 EPSS
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/03/05 12:00 a.m., 6 views

PT-2026-23477

Name of the Vulnerable Software and Affected Versions: Tata Consultancy Services Cognix Recon Client version 3.0. Description: A broken access control issue exists in the password reset functionality. Authenticated users can reset passwords for any user account by sending specially crafted requests...

8.1 CVSS, 5.8 AI score, 0.00274 EPSS
Exploits 0, References 7
NVD
added 2026/02/15 4:15 p.m., 7 views

CVE-2026-26368

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user UGUSER to reset the password of arbitrary accounts, including those in the UGADMIN and UGSUPERADMIN groups, without...

8.8 CVSS, 0.00529 EPSS
Exploits 2, References 2
ATTACKERKB
added 2026/02/15 3:29 p.m., 4 views

CVE-2026-26367

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

7.1 CVSS, 5.8 AI score, 0.00373 EPSS
Exploits 2, References 3
OSV
added 2025/12/15 7:37 p.m., 7 views

GO-2025-4217 memos vulnerability allows the creation of arbitrary accounts in github.com/usememos/memos

memos vulnerability allows the creation of arbitrary accounts in github.com/usememos/memos...

7.5 CVSS, 6.9 AI score, 0.00272 EPSS
Exploits 1, References 7
RedhatCVE
added 2025/12/01 10:24 p.m., 2 views

CVE-2025-50433

An issue was discovered in imonnit.com 2025-04-24 allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts...

9.8 CVSS, 7.5 AI score, 0.00436 EPSS
Exploits 2, References 1
Positive Technologies
added 2025/11/25 12:00 a.m., 5 views

PT-2025-48071

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate...

6.9 AI score, 0.00332 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/11/05 6:00 a.m., 3 views

CVE-2025-6027 Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Reset

The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated user, such as a subscriber, to reset the password of arbitrary accounts, including administrators...

6.5 AI score, 0.00158 EPSS
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2005-2490

Malware in sbrugna...

7.5 CVSS, 6.4 AI score, 0.01901 EPSS
Exploits 1, References 7
EUVD
added 2025/10/07 12:30 a.m., 7 views

EUVD-2019-2075

Malware in sbrugna...

9.8 CVSS, 9.5 AI score, 0.02143 EPSS
Exploits 0, References 3
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2016-2421

Malware in sbrugna...

7.5 CVSS, 7.6 AI score, 0.01256 EPSS
Exploits 0, References 2
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2024-54066

Malicious code in bioql PyPI...

7.5 CVSS, 8.1 AI score, 0.00406 EPSS
Exploits 0, References 2
Positive Technologies
added 2025/09/03 12:00 a.m., 4 views

PT-2025-35801

Name of the Vulnerable Software and Affected Versions: Quest One Identity version 7.5.1.20903. Description: A crafted response manipulation can bypass the One-Time Password (OTP) on the Multi-Factor Authentication (MFA) page, leading to unauthorized access to the Privileged Access Management (PAM) porta...

4.6 CVSS, 6.2 AI score, 0.01269 EPSS
Exploits 1, References 5
RedhatCVE
added 2025/04/17 11:23 p.m., 9 views

CVE-2025-27929

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts...

6.9 CVSS, 7.1 AI score, 0.0025 EPSS
Exploits 0, References 3