24 matches found
CVE-2026-53868
Capgo before 12.128.2 contains a denial-of-service vulnerability where attackers can register accounts with arbitrary, unverified emails and then delete them, causing pending deletions that lock legitimate users out for up to 30 days. Root cause: unverified email ownership in account lifecycle op...
PT-2026-49045
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A denial of service issue exists where attackers can register accounts using arbitrary email addresses without verification. By initiating the deletion process for these accounts, attackers can lock...
MISP 授权问题漏洞
MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes features for analyzing threats to network security and malware analysis. MISP has an authorization vulnerability;...
CVE-2026-6266
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
CVE-2026-6266
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
CVE-2026-32700
Devise (Rails) prior to v5.0.3 has a race condition in the Confirmable module used with reconfirmable, allowing an attacker to confirm a victim’s email by issuing two concurrent email-change requests. This desynchronizes confirmation_token and unconfirmed_email; the attacker controls the token’s ...
Devise 竞争条件问题漏洞
Devise is an open-source authentication solution based on Warden, developed by heartcombo. Versions of Devise prior to 5.0.3 had a race condition vulnerability, which stemmed from a race condition in the Confirmable module. This vulnerability could allow attackers to confirm email addresses that...
Improper Authentication
github.com/mattermost/mattermost-server is vulnerable to improper authentication. The vulnerability is due to failure to validate email ownership during the Slack import process, which allows an attacker to create verified user accounts with arbitrary email domains and bypass email-based team...
Improper Input Validation
mantisbt/mantisbt is vulnerable to improper input validation. The vulnerability is due to lack of email ownership verification during profile updates, which allows an attacker to register an unauthorized email address and potentially cause information disclosure by redirecting notifications...
MantisBT 安全漏洞
MantisBT is a Web-based open source defect tracking system from the MantisBT team. The system provides project management and defect tracking services in a web-operated format. A security vulnerability exists in MantisBT version 2.27.1 and prior versions, which stems from a failure to verify...
CVE-2025-41410
Mattermost versions 10.10.x = 10.10.2, 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictio...
EUVD-2025-34742
Mattermost has a Missing Authorization vulnerability...
CVE-2025-41410
Mattermost versions 10.10.x = 10.10.2, 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictio...
CVE-2025-41410 Slack import bypasses email verification for team access controls
Mattermost versions 10.10.x = 10.10.2, 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictio...
CVE-2025-41410 Slack import bypasses email verification for team access controls
Mattermost versions 10.10.x = 10.10.2, 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictio...
Mattermost 安全漏洞
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability in Mattermost 10.10.2 and prior versions 10.10.x, 10.5.10 and prior versions 10.5.x, and 10.11.2 and prior versions 10.11.x, which stems from the failure to validate email...
EUVD-2021-0934
Malware in sbrugna...
CVE-2025-55795
The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID can update their email address to that of another user with ...
CVE-2021-39909
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval...
CVE-2020-14958
In Gogs 0.11.91, MakeEmailPrimary in models/usermail.go lacks a "not the owner of the email" check...