
24 matches found

NVD
added 2026/05/11 11:20 p.m. | 12 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 9.8 | EPSS 0.00048
Exploits: 1 | References: 3
EUVD
added 2026/05/11 10:3 p.m. | 4 views

EUVD-2026-29342

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 7.3 | AI score 5.8 | EPSS 0.00048
Exploits: 1 | References: 3
ATTACKERKB
added 2026/05/11 10:3 p.m. | 3 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 7.3 | AI score 5.8 | EPSS 0.00048
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2026/05/11 10:3 p.m. | 29 views

CVE-2026-43914 Vaultwarden: Brute-force protection bypass vulnerability

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 7.3 | EPSS 0.00048
Exploits: 1 | References: 3
CVE
added 2026/05/11 10:3 p.m. | 11 views

CVE-2026-43914

Vaultwarden prior to 1.35.4 is affected. The unprotected two‑factor login endpoint /api/two-factor/send-email-login (email.rs) can act as an oracle to determine if a username/password is correct, enabling brute‑force attempts without rate‑limiting even for users without email 2FA. Impact: bypasse...

CVSS 9.8 | AI score 5.8 | EPSS 0.00048
Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies
added 2026/05/11 12:0 a.m. | 6 views

PT-2026-39864

Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.4 Description A flaw in the login brute-force protection allows attackers to determine if a username and password combination is correct when email two-factor authentication 2FA is enabled. The API endpoint...

CVSS 7.3 | AI score 5.8 | EPSS 0.00048
Exploits: 1 | References: 5
NVD
added 2026/02/19 7:17 a.m. | 2 views

CVE-2025-14427

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

CVSS 4.3 | EPSS 0.00013
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/19 4:36 a.m. | 4 views

CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

CVSS 4.3 | AI score 5.5 | EPSS 0.00013
Exploits: 0 | References: 2
Cvelist
added 2026/02/19 4:36 a.m. | 25 views

CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

CVSS 4.3 | EPSS 0.00013
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/19 12:0 a.m. | 6 views

PT-2026-20617

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

CVSS 4.3 | AI score 5.5 | EPSS 0.00013
Exploits: 0 | References: 2
RedhatCVE
added 2026/01/13 10:52 p.m. | 2 views

CVE-2026-22594

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...

CVSS 8.1 | AI score 6.7 | EPSS 0.00015
Exploits: 0 | References: 1
OSV
added 2026/01/13 8:40 a.m. | 4 views

BIT-GHOST-2026-22594 Ghost has Staff 2FA bypass

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...

CVSS 8.1 | AI score 6.7 | EPSS 0.00015
Exploits: 0 | References: 4
OSV
added 2026/01/10 2:56 a.m. | 6 views

CVE-2026-22594 Ghost has Staff 2FA bypass

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...

CVSS 8.1 | AI score 6.4 | EPSS 0.00015
Exploits: 0 | References: 5
OSV
added 2026/01/08 9:29 p.m. | 4 views

GHSA-5FP7-G646-CCF4 Ghost has Staff 2FA bypass

Impact A vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. Vulnerable versions This vulnerability is present in Ghost v5.105.0 to v5.130.5 and Ghost v6.0.0 to v6.10.3. Patches v5.130.6 and v6.11.0 contain a fix for this issue. References Ghost thanks Sho Odagiri of G...

CVSS 8.1 | AI score 6.7 | EPSS 0.00015
Exploits: 0 | References: 5
EUVD
added 2025/11/18 6:32 p.m. | 2 views

EUVD-2025-198026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

CVSS 5.4 | AI score 6.5 | EPSS 0.00046
Exploits: 0 | References: 2
OSV
added 2025/11/18 6:32 p.m. | 2 views

GHSA-9JRW-JRRJ-P6FR Drupal Email TFA allows Functionality Bypass

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

CVSS 5.4 | AI score 6.9 | EPSS 0.00046
Exploits: 0 | References: 3
Cvelist
added 2025/11/18 4:55 p.m. | 4 views

CVE-2025-12760 Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

EPSS 0.00046
Exploits: 0 | References: 1
Positive Technologies
added 2025/11/18 12:0 a.m. | 3 views

PT-2025-47342

Name of the Vulnerable Software and Affected Versions Drupal Email TFA versions prior to 2.0.6 Description An authentication bypass issue exists in Drupal Email TFA, allowing functionality bypass through an alternate path or channel. The issue impacts the Email TFA module. Recommendations Update ...

CVSS 5.4 | AI score 6.8 | EPSS 0.00046
Exploits: 0 | References: 3
OSV
added 2025/11/05 6:8 p.m. | 2 views

DRUPAL-CONTRIB-2025-115

The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...

CVSS 5.4 | AI score 7 | EPSS 0.00046
Exploits: 0 | References: 1
Patchstack
added 2025/11/05 12:0 a.m. | 4 views

Drupal Email TFA module < 2.0.6 - Authenticated Broken Access Control vulnerability

Authenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Email TFA versions 2.0.6...

CVSS 5.4 | AI score 7 | EPSS 0.00046
Exploits: 0 | Affected Software: 1