CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

195 matches found

CVE-2026-34460 NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS0.00014EPSS

Exploits0References1

Cvelist•added 2026/05/27 3:24 p.m.•29 views

CVE-2026-45027 WeGIA: Use of Weak Password Hashing Algorithm (SHA-256, no salt) in html/login.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in...

5.9CVSS0.00017EPSS

Exploits0References1

Fedora•added 2026/04/28 1:0 a.m.•4 views

[SECURITY] Fedora 43 Update: openssh-10.0p1-9.fc43

SSH Secure SHell is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forward...

8.1CVSS6.2AI score0.00061EPSS

Exploits2

Positive Technologies•added 2026/04/15 12:0 a.m.•2 views

PT-2026-33186

Name of the Vulnerable Software and Affected Versions TP-Link Archer C7 versions v5 and v5.8 through Build 20220715 Description Inadequate encryption strength in the uhttpd modules allows for password recovery exploitation. The web interface encrypts the admin password client-side using RSA-1024...

8.8CVSS5.8AI score0.00004EPSS

Exploits0References6

Vulnrichment•added 2026/04/13 3:56 p.m.•0 views

CVE-2025-31991 HCL DevOps Velocity is susceptible to brute-force attacks

Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7...

6.8CVSS5.8AI score0.00035EPSS

Exploits0References1

Cvelist•added 2026/04/08 6:12 p.m.•14 views

CVE-2026-34721 Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4...

5.9CVSS0.00019EPSS

Exploits0References1

EUVD•added 2026/03/09 9:31 p.m.•1 views

EUVD-2025-208456

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs i...

5.8AI score0.00074EPSS

Exploits1References2

RedhatCVE•added 2026/01/09 12:41 p.m.•3 views

CVE-2023-25350

Faveo Helpdesk 1.0-1.11.1 is vulnerable to SQL Injection. When the user logs in through the login box, he has no judgment on the validity of the user's input data. The parameters passed from the front end to the back end are controllable, which will lead to SQL injection...

8.8CVSS7.4AI score0.00226EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 9:49 a.m.•3 views

CVE-2020-24007

Umanni RH 1.0 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page...

9.8CVSS7.2AI score0.01847EPSS

Exploits1References1

Patchstack•added 2025/12/31 12:0 a.m.•3 views

WordPress MelaPress Login Security Premium plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security Premium versions 2.1.0...

8.2CVSS5.9AI score0.00477EPSS

Exploits0References1Affected Software1

CNNVD•added 2025/12/09 12:0 a.m.•1 views

WordPress plugin Login Security, FireWall, Malware removal by CleanTalk 跨站脚本漏洞

WordPress and the WordPress plugin are products of the WordPress Foundation, a blogging platform developed in the PHP language. WordPress is a blogging platform developed using the PHP language, which provides the ability to host a personal blog site on a PHP and MySQL based server.WordPress plug...

7.2CVSS5.5AI score0.00142EPSS

Exploits0References2

CNNVD•added 2025/11/24 12:0 a.m.•2 views

Code-Projects COVID Tracking System SQL注入漏洞

Code-Projects COVID Tracking System is a new Crown Pneumonia tracking system from Code-Projects open source. A SQL injection vulnerability exists in Code-Projects COVID Tracking System version 1.0, which stems from incorrect manipulation of the parameter code in the file /login.php, which could...

9.8CVSS7.8AI score0.0004EPSS

Exploits1References8

OSV•added 2025/10/29 5:54 p.m.•3 views

CVE-2025-64100 CKAN Vulnerable to Session Cookie Fixation

CKAN is an open-source DMS data management system for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage CKAN uses cookie-based session storage by default. The attacker would need to...

6.1CVSS6.5AI score0.00039EPSS

Exploits0References4

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2015-5027

Malware in sbrugna...

7.5CVSS7.6AI score0.00278EPSS

Exploits0References4

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2014-8834

Malware in sbrugna...

5CVSS6.4AI score0.00345EPSS

Exploits2References4