59 matches found
EUVD-2026-38092
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...
CVE-2026-56073
CVE-2026-56073 affects Cap-go before 12.128.2. An authentication bypass in OTP verification lets an attacker bypass email verification by manipulating server responses, intercepting OTP requests and falsely marking verification as successful. This enables unauthorized 2FA enablement and potential...
CVE-2026-8293
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...
CVE-2026-35675
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
Summary Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The...
GHSA-6G38-8J4P-J3PR Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
Summary Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The...
CVE-2026-34736
Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...
CVE-2026-34736
Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...
CVE-2026-34736
Open edX Platform experiened an account-activation bypass vulnerability (CVE-2026-34736). In affected versions from maple up to just before ulmo, an unauthenticated attacker could bypass email verification by chaining two issues: the OAuth2 password grant issuing tokens to inactive users, and the...
CVE-2026-32497
CVE-2026-32497 affects the WordPress plugin User Verification . The vulnerability is a weak authentication issue that enables authentication abuse via an email verification bypass in versions up to and including 2.0.45 (range: n/a through 2.0.45). Multiple sources corroborate the flaw and list th...
CVE-2026-4283
The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the super-unsubscribe AJAX action accepting a processnow parameter from unauthenticated users, which bypasses the intended email-confirmation...
WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability
Email Verification Bypass vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin User Verification versions = 2.0.45...
GHSA-282G-FHMX-XF54 ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
Summary A vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. Impact Zitadel provides an API for managing users. The API also allows users to self-manage their own data including updati...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the UpdateHumanUser API. An attacker can bypass proper verification of email or phone by directly setting the verification flag without completing the intended verification process. This may allow unauthorized...
CVE-2025-65925
An issue was discovered in Zeroheight SaaS prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification...
CVE-2025-65925
An issue was discovered in Zeroheight SaaS prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification...
CVE-2025-65925
An issue was discovered in Zeroheight SaaS prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification...
CVE-2025-65925
CVE-2025-65925 affects Zeroheight SaaS prior to 2025-06-13, where a legacy user-creation API path allowed accounts to be created without completing email verification. Unverified accounts could not access product functionality, but the bypassed verification controls enabled unintended account cre...
EUVD-2022-6835
Malicious code in bioql PyPI...
EUVD-2024-42679
Malicious code in bioql PyPI...