Lucene search
+L

1344 matches found

Cvelist
Cvelist
added 2 days ago33 views

CVE-2026-16103 Keycloak-services: keycloak-services: incomplete fix for ciba brute-force lockout bypass at token redemption

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication CIBA initiation handler but were omitted from the token redemption handler. This...

4.3CVSS0.00207EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2 days ago6 views

CVE-2026-16103 Keycloak-services: keycloak-services: incomplete fix for ciba brute-force lockout bypass at token redemption

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication CIBA initiation handler but were omitted from the token redemption handler. This...

4.3CVSS5.3AI score0.00207EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-60799

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication CIBA initiation handler but were omitted from the token redemption handler. This...

4.3CVSS5.2AI score0.00207EPSS
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-44596

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attack...

9.8CVSS0.0177EPSS
Exploits3References5
OSV
OSV
added 3 days ago7 views

CVE-2026-44596 Yamcs: No Rate Limiting on Authentication Endpoint

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attack...

6.5CVSS6.2AI score0.0177EPSS
Exploits3References7
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-44596 Yamcs: No Rate Limiting on Authentication Endpoint

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attack...

6.5CVSS0.0177EPSS
Exploits3References5
CVE
CVE
added 3 days ago9 views

CVE-2026-14254

CVE-2026-14254 describes a race condition in Delphix Continuous Data’s account lockout mechanism. Parallel authentication requests could bypass the lockout threshold because the failed-login counter and lockout status were not updated in time, undermining brute-force protections and allowing cont...

8.3CVSS6.1AI score0.0033EPSS
Exploits0References1
CISA KEV Catalog
CISA KEV Catalog
added 4 days ago7 views

KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability

KNX Association KNX Protocol Connection Authorization Option 1 contains an overly restrictive account lockout mechanism vulnerability that could allow an attacker to purge all devices without additional security options enabled and set a BCU key to lock the device...

7.5CVSS6.1AI score0.00855EPSS
In wildExploits0
NVD
NVD
added 6 days ago7 views

CVE-2026-61458

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS0.00304EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-61458 PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS0.00304EPSS
Exploits0References2
CVE
CVE
added 6 days ago10 views

CVE-2026-61458

PasswordPusher

8.7CVSS6.1AI score0.00304EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-57885

Name of the Vulnerable Software and Affected Versions PasswordPusher versions prior to 2.9.2 Description An issue exists where passphrase-protected pushes are susceptible to brute-force attacks. The 'POST /p/:token/access' endpoint lacks route-specific rate limiting and per-push lockout mechanism...

8.7CVSS6.1AI score0.00304EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 1:17 p.m.6 views

CVE-2026-53904

MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, password resets are not limited in any way. An attacker who...

7.1CVSS0.00204EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:58 a.m.27 views

CVE-2026-53904

CVE-2026-53904 affects MCO; vulnerability is an Account Denial of Service due to improper password-reset implementation. The description across sources states that every reset request invalidates the current password and any issued temporary passwords, with no limits on reset requests. An attacke...

7.1CVSS5.8AI score0.00204EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.13 views

PT-2026-54830

Name of the Vulnerable Software and Affected Versions MCO version 25.3.3.1 Description Account Denial of Service occurs due to the improper implementation of the password reset functionality. Each request to reset a password invalidates the current password and any previously issued temporary...

7.1CVSS5.8AI score0.00204EPSS
Exploits0References7
CVE
CVE
added 2026/06/26 4:9 p.m.26 views

CVE-2026-11779

Technical details about CVE-2026-11779 are not publicly available in the provided documents. Monitor for updates.

5.3CVSS5.8AI score0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/06/25 6:18 p.m.4 views

GHSA-R4V7-6WCG-GHJ5 FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks

Summary The /api/auth/login endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability...

6.5CVSS5.9AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/22 1:2 p.m.4 views

CVE-2026-56450

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

5.1CVSS5.9AI score0.0033EPSS
Exploits0References2
NVD
NVD
added 2026/06/20 4:17 p.m.16 views

CVE-2026-56228

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value e.g., billions of characters as the minimum password length, making compliance...

6.9CVSS0.00272EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 3:24 p.m.12 views

EUVD-2026-38116

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value e.g., billions of characters as the minimum password length, making compliance...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References2
Rows per page
Query Builder