76 matches found
CVE-2026-56305
Capgo before 12.128.2 exposes an authentication bypass in the password-change endpoint due to missing current-password validation. Attackers with temporary session access can change user passwords, potentially causing permanent user lockout and full account takeover. No official remediation detai...
GHSA-29XF-69GQ-M9JX Coder: User-admin role can reset owner account password
Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...
PT-2026-56067
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...
EUVD-2025-210338
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...
CVE-2025-71328
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...
CVE-2025-71328 Flowise - Unverified Password Change via Account Settings
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...
PT-2026-52611
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.10 Description An authenticated user can change their account password through the account settings Security section without providing the current password or any additional verification. This occurs because the...
CVE-2026-8327
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...
CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...
Concrete CMS 安全漏洞
Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...
CVE-2026-40588
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...
CVE-2026-40588
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...
CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...
CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...
CVE-2026-40588
The CVE-2026-40588 entry concerns blueprintUE: prior to version 4.2.0, its password change form at /profile/{slug}/edit/ lacks a current_password field and does not verify the existing password before applying a new one. If an attacker has a valid authenticated session (via XSS, session hijacking...
blueprintUE self-hosted edition 安全漏洞
The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the password change form located at...
PT-2026-34036
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a current password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...
CVE-2026-33124 Frigate has insecure password change functionality
Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...
CVE-2026-33124 Frigate has insecure password change functionality
Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...
CVE-2026-33124 Frigate has insecure password change functionality
Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...