35363 matches found
CVE-2026-61503
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
CVE-2026-61503
CVE-2026-61503 – Rejetto HFS : Affects HFS 3.0.0–3.2.0. The login endpoint returns observably different responses depending on whether the username exists, enabling remote, unauthenticated actors to confirm valid accounts (including the default admin) and facilitating password guessing and sessio...
CVE-2026-61500
Affected software: Rejetto HFS 3.0.0–3.2.0. Root cause: session-cookie signing key derived from the non‑cryptographic Math.random() generator; outputs disclosed to unauthenticated clients during login. Impact: remote attacker can observe login responses, reconstruct the generator state, recover t...
CVE-2026-57768
Incorrect Privilege Assignment vulnerability in favethemes Houzez Login Register houzez-login-register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through = 3.3.3...
EUVD-2026-43282
A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...
CVE-2026-57768
CVE-2026-57768 impacts the WordPress plugin Houzez Login Register (versions
CVE-2026-57768 WordPress Houzez Login Register plugin <= 3.3.3 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in favethemes Houzez Login Register houzez-login-register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through = 3.3.3...
CVE-2026-9597
Mattermost advisory MMSA-2026-00681 documents a vulnerability in Mattermost where versions 11.7.x <= 11.7.2 and 11.6.x
CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...
CVE-2026-15537
A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...
CVE-2026-15537
The CVE-2026-15537 affects SourceCodester Online Book Store System 1.0, with the vulnerability residing in admin/login.php where the Username parameter is SQL-injected. This allows a remote attacker to exploit the flaw (PROOF-OF-CONCEPT) and aligns with a high-severity CVSS in the provided metric...
CVE-2026-15537 SourceCodester Online Book Store System login.php sql injection
A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...
Pritunl VPN Server 1.29.2145.25 - Username Enumeration
Pritunl 1.29.2145.25 contains a username enumeration issue caused by different error responses in /auth/session login attempts, letting attackers verify valid usernames, exploit requires network access to the login endpoint. id: CVE-2020-25200 info: name: Pritunl VPN Server 1.29.2145.25 - Usernam...
Alumni Management System 1.0 - SQL Injection
SourceCodester Alumni Management System 1.0 contains a sqlinjection caused by unsanitized input in admin/login.php, letting attackers bypass authentication, exploit requires injection of malicious SQL payload. id: CVE-2020-29214 info: name: Alumni Management System 1.0 - SQL Injection author:...
WordPress Custom Login And Signup Widget Plugin <= 1.0 - Arbitrary Code Execution
Improper Control of Generation of Code 'Code Injection' vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0 id: CVE-2025-49029 info: name: WordPress Custom Login And Signup Widget Plugin = 1.0 -...
WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
Privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugin for WordPress versions = 1.0.7. An unauthenticated attacker can exploit the AJAX endpoint flrblocksusersettingshandleajaxcallback to change the administrator's email address. Subsequently, the attacker...
AVTECH DVR - Login Verification Code Bypass
AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code. id: CVE-2013-4982 info: name: AVTECH DVR - Login Verification Code Bypass author: ritikchaddha severity: low description: | AVTECH DVR products are vulnerable t...
Social Login by BestWebSoft < 0.2 - Cross-Site Scripting
The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues. id: CVE-2017-18501 info: name: Social Login by BestWebSoft 0.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues...
iboss Secure Web Gateway - Stored Cross-Site Scripting
A cross-site scripting vulnerability has been found in iboss Secure Web Gateway up to version 10.1. The vulnerability affects the /login file of the Login Portal component, where manipulation of the redirectUrl parameter leads to cross-site scripting. The attack can be launched remotely and the...
Fortinet FortiOS <=5.2.3 - Cross-Site Scripting
Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. id: CVE-2015-1880 info: name: Fortinet FortiOS =5.2.3 - Cross-Site Scripting author: pikpikcu...