161349 matches found
CVE-2026-45691 Nextcloud: Bypass of second factor authentication on DAV endpoints
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie created after successful password authentication but before TOTP completion could be reused as a Bearer token to authenticat...
CVE-2026-45690 Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication 2FA protections...
CVE-2026-45690
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication 2FA protections...
CVE-2026-45690 Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication 2FA protections...
EUVD-2026-33716
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication 2FA protections...
CVE-2026-45690
Nextcloud Server versions 32.0.0–32.0.9 and 33.0.0–33.0.3 expose an authentication bypass where, after valid credentials are entered on a 2FA-enabled account, a temporary session token is created before the second factor is enforced. The token can be extracted and replayed via HTTP Basic Authenti...
CVE-2026-45284
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0...
CVE-2026-45284 Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0...
CVE-2026-45285 Nextcloud: Hidden Public Link creation when sharing to a Team External Member
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member a person added via email address who does not have a Nextcloud account, the...
CVE-2026-45285
Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member a person added via email address who does not have a Nextcloud account, the...
CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...
CVE-2026-45156
Nextcloud vulnerable component: User OIDC handling; a missing signature verification allowed an ID4me authority to impersonate any user. Affected versions: 0.3.0–before 3.1.0, 5.0.0–before 5.1.0, and 6.0.0–before 6.4.0. Root cause: absent JWT/signature check in OIDC flow as described in the CVE d...
CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions...
CVE-2026-9831
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...
CVE-2026-10157
A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is...
curl: libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope
Summary: libcurl 8.20.0 ignores the server-declared HTTP Digest domain protection space for origin authentication and reuses stored Digest state too broadly on the same easy handle. After a successful Digest-authenticated request, a later request on the same easy handle can receive a preemptive...
CVE-2026-42674 WordPress Advanced Access Manager plugin <= 7.1.0 - Bypass Vulnerability vulnerability
Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0...
CVE-2026-42674 WordPress Advanced Access Manager plugin <= 7.1.0 - Bypass Vulnerability vulnerability
Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0...
CVE-2026-42674
The CVE concerns the WordPress plugin Advanced Access Manager (AAM)
EUVD-2026-33689
Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0...