Lucene search
K

5102 matches found

EUVD
EUVD
added yesterday2 views

EUVD-2026-41905

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

6AI score
Exploits0References1
CVE
CVE
added yesterday6 views

CVE-2026-14536

CVE-2026-14536 affects Devolutions Server 2026.2.9.0, where improper enforcement of a mandatory multi-factor authentication policy allows an attacker with valid credentials to bypass MFA and authenticate without completing MFA. The root cause is described as an invalid default MFA value encounter...

6AI score
Exploits0References1
Nuclei
Nuclei
added 3 days ago67 views

Really Simple Security < 9.1.2 - Authentication Bypass

The Really Simple Security Free, Pro, and Pro Multisite plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'checkloginandgetuser' function. This makes it possible...

9.8CVSS7AI score0.81722EPSS
Exploits21References7
NVD
NVD
added 4 days ago3 views

CVE-2026-20779

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path...

7.1CVSS0.00481EPSS
Exploits0References4
CVE
CVE
added 4 days ago11 views

CVE-2026-20779

Gitea prior to 1.26.3 (versions from 1.5.0 up to

7.1CVSS7.2AI score0.00481EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago14 views

PT-2026-55587

Name of the Vulnerable Software and Affected Versions Gitea versions 1.5.0 through 1.26.2 Description A defect in the Time-based One-Time Password TOTP single-use enforcement allows a valid TOTP code to be accepted multiple times. This issue affects web two-factor authentication flows and the Bas...

7.1CVSS7.2AI score0.00481EPSS
Exploits0References6
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-58036 Users API leaks whether privileged users have their user groups disabled for lack of 2FA

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php,...

2.1CVSS0.00239EPSS
Exploits0References1
NVD
NVD
added 6 days ago6 views

CVE-2026-11883

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request...

7.2CVSS0.00365EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago38 views

CVE-2026-11883 WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request...

0.00365EPSS
Exploits0References1
CVE
CVE
added 6 days ago15 views

CVE-2026-11883

CVE-2026-11883 affects the WebAuthn Provider for Two Factor WordPress plugin (before 2.5.6). The vulnerability arises from incorrect validation of the second-factor authentication response, enabling an attacker who already knows a user’s password to bypass 2FA by submitting a malformed request. T...

7.2CVSS5.8AI score0.00365EPSS
Exploits0References1
The Hacker News
The Hacker News
added 6 days ago15 views

Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface CLI, compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range 2a0a:d683::/32 controlled by...

5.8AI score
Exploits0
NVD
NVD
added last week6 views

CVE-2026-56350

n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor...

7.7CVSS0.00258EPSS
Exploits0References2
CVE
CVE
added last week11 views

CVE-2026-56350

CVE-2026-56350 affects n8n prior to 2.8.0. The vulnerability is an authentication bypass that allows authenticated SSO users to disable SSO enforcement via the API, enabling creation of local password credentials to authenticate directly and bypass organizational SSO policies and identity-provide...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54039

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.8.0 Description An authentication bypass exists that allows authenticated Single Sign-On SSO users to disable SSO enforcement via the API. This allows attackers to create local password credentials to authenticate...

6.3CVSS5.8AI score0.00258EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-533 Sentry: Improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

9.1CVSS5.8AI score0.00435EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-266 ajenti.plugin.core has password bypass when 2FA is activated

Impact If the 2FA was activated, it was possible to bypass the password authentication Patches This is fixed in the version 0.112. Users should upgrade to this version as soon as possible...

9.1CVSS5.8AI score0.00329EPSS
Exploits0References5
NVD
NVD
added 2026/06/26 8:17 p.m.6 views

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS0.00272EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:26 p.m.8 views

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS5.8AI score0.00272EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/26 8:29 a.m.9 views

CVE-2026-53232

A flaw was found in the Linux kernel's network PHY Physical Layer driver. When a PHY probing operation fails, the system does not properly clean up the SFP Small Form-Factor Pluggable upstream connection. This oversight leaves a dangling reference in the SFP bus, which could be accessed later...

8.8CVSS5.7AI score0.00221EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/25 6:45 p.m.7 views

EUVD-2026-38392

Filament: Multi-factor authentication app recovery codes can still be used multiple times via concurrent submission...

7.4CVSS5.8AI score0.00193EPSS
Exploits0References2
Rows per page
Query Builder