Lucene search
K

76 matches found

CVE
CVE
added yesterday5 views

CVE-2026-56305

Capgo before 12.128.2 exposes an authentication bypass in the password-change endpoint due to missing current-password validation. Attackers with temporary session access can change user passwords, potentially causing permanent user lockout and full account takeover. No official remediation detai...

8.7CVSS6.1AI score
Exploits0References2
OSV
OSV
added 5 days ago3 views

GHSA-29XF-69GQ-M9JX Coder: User-admin role can reset owner account password

Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...

7.2CVSS6AI score0.00615EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score0.00615EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/26 12:32 a.m.6 views

EUVD-2025-210338

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...

8.7CVSS6AI score0.00327EPSS
Exploits1References3
NVD
NVD
added 2026/06/25 10:16 p.m.11 views

CVE-2025-71328

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...

8.8CVSS0.00327EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.20 views

CVE-2025-71328 Flowise - Unverified Password Change via Account Settings

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...

8.7CVSS0.00327EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.9 views

PT-2026-52611

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.10 Description An authenticated user can change their account password through the account settings Security section without providing the current password or any additional verification. This occurs because the...

8.7CVSS5.8AI score0.00327EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.10 views

CVE-2026-8327

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

5.3CVSS5.5AI score0.00182EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 9:15 p.m.10 views

CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.10 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/22 7:22 p.m.5 views

CVE-2026-40588

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/04/21 6:16 p.m.5 views

CVE-2026-40588

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS0.00215EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/21 5:12 p.m.3 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/21 5:12 p.m.33 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 5:12 p.m.13 views

CVE-2026-40588

The CVE-2026-40588 entry concerns blueprintUE: prior to version 4.2.0, its password change form at /profile/{slug}/edit/ lacks a current_password field and does not verify the existing password before applying a new one. If an attacker has a valid authenticated session (via XSS, session hijacking...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.7 views

blueprintUE self-hosted edition 安全漏洞

The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the password change form located at...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.17 views

PT-2026-34036

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a current password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/20 9:16 a.m.5 views

CVE-2026-33124 Frigate has insecure password change functionality

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

8.6CVSS5.8AI score0.00247EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 9:16 a.m.6 views

CVE-2026-33124 Frigate has insecure password change functionality

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

8.6CVSS5.8AI score0.00247EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/20 9:16 a.m.25 views

CVE-2026-33124 Frigate has insecure password change functionality

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

8.6CVSS0.00247EPSS
Exploits0References2
Rows per page
Query Builder