Lucene search
K

5102 matches found

CVE
CVE
added 2026/06/24 11:53 a.m.11 views

CVE-2026-56338

Capgo prior to version 12.128.2 contains a denial-of-service flaw in the /auth/v1/otp endpoint used for 2FA email verification. The issue arises from captcha validation failures causing the backend to return HTTP 500 errors, preventing authenticated users from completing 2FA enrollment and access...

6.9CVSS5.9AI score0.00281EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56256

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 11:53 a.m.9 views

CVE-2026-56256

CVE-2026-56256 affects Capgo prior to 12.128.2, where 2FA is enforced only at the UI level. The backend ORG management API endpoints (e.g., editing organization details, inviting users) do not require 2FA, allowing an authenticated admin without 2FA to replay/modify a captured ORG API request to ...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.31 views

CVE-2026-56256 Capgo - Two-Factor Authentication Bypass via Organization Management API

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS0.00238EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 11:53 a.m.8 views

EUVD-2026-38743

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.8 views

pgAdmin < 9.16 Stored XSS / Open Redirect

The version of pgAdmin installed on the remote host is prior to 9.16. It is, therefore, affected by multiple vulnerabilities: - Text returned by a PostgreSQL server, including error messages, quoted object names, and EXPLAIN fields, is passed verbatim through html-react-parser at every user-facin...

9.3CVSS7.3AI score0.00218EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51620

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.5.0 Description A missing authorization issue allows a user with permissions to edit other users to reset the two-factor authentication 2FA of a superadmin. Recommendations Update to version 8.5.0...

5.8CVSS5.9AI score0.00019EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/22 11:18 p.m.4 views

Improper Enforcement of Behavioral Workflow

Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the improper handling of recovery codes in app-based multi-factor authentication...

9.1CVSS5.9AI score0.00193EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 9:39 p.m.24 views

CVE-2026-48505 Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...

7.4CVSS0.00193EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 9:39 p.m.24 views

CVE-2026-48505

Filament’s MFA recovery-code handling (versions 4.0.0–4.11.5 and 5.6.5) allows the same recovery code to be reused under concurrent submissions. When recovery codes are enabled, an attacker with the user’s password and codes can establish multiple authenticated sessions per code, extending access...

7.4CVSS5.9AI score0.00193EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 1:2 p.m.3 views

CVE-2026-56450

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

5.1CVSS5.9AI score0.0033EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 1:2 p.m.13 views

CVE-2026-56450

CVE-2026-56450 relates to the AIL Framework where the OTP (2FA) verification lacked rate-limiting, allowing unlimited OTP attempts after reaching the 2FA step. Root cause: no per-user throttling on failed OTPs. Impact: potential brute-force of OTPs enabling unauthorized access. The patch adds per...

5.1CVSS5.9AI score0.0033EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/22 1:2 p.m.7 views

EUVD-2026-38239

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

5.1CVSS5.9AI score0.0033EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/06/22 10:55 a.m.18 views

⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More

It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control. The annoying part is how little of this feels new. Weak credentials,...

7.2AI score
Exploits0
NVD
NVD
added 2026/06/20 1:16 a.m.13 views

CVE-2026-56212

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

5.1CVSS0.00206EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 12:34 a.m.9 views

EUVD-2026-38095

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

9.3CVSS5.9AI score0.00351EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/20 12:34 a.m.8 views

EUVD-2026-38092

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/20 12:14 a.m.30 views

CVE-2026-56212 Capgo - Improper 2FA Enforcement Logic via Team Security Settings

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

5.1CVSS0.00206EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/20 12:14 a.m.5 views

CVE-2026-56212

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

5.1CVSS5.9AI score0.00206EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/20 12:14 a.m.9 views

EUVD-2026-38098

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

5.1CVSS5.9AI score0.00206EPSS
Exploits0References2
Rows per page
Query Builder