35516 matches found
EUVD-2025-210470
A null pointer dereference vulnerability exists in the Matter SDK connectedhomeip before 1.4.0, affecting the ReadRevisionAttribute function used in multiple clusters Channel, Account Login, TargetNavigator, etc.. The function lacks proper validation of the delegate pointer before dereferencing. ...
QNAP HBS 3 - Broken Access Control
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 Hybrid Backup Sync. If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to...
iboss Secure Web Gateway - Stored Cross-Site Scripting
A cross-site scripting vulnerability has been found in iboss Secure Web Gateway up to version 10.1. The vulnerability affects the /login file of the Login Portal component, where manipulation of the redirectUrl parameter leads to cross-site scripting. The attack can be launched remotely and the...
Ghost CMS - User Enumeration
Ghost CMS 5.9.4 contains a user enumeration vulnerability in the login functionality. The application reveals whether a user account exists through different error messages, allowing attackers to enumerate valid user accounts via specially-crafted HTTP requests. id: CVE-2022-41697 info: name: Gho...
Zyxel - Cross-Site Scripting
Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, and ZyWALL 1100 devices contain a reflected cross-site scripting vulnerability on the security firewall login page via the mpidx...
Cockpit Web Console < 360 - Remote Code Execution
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...
CVE-2026-44745
SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results...
CVE-2026-44745 Open Redirect vulnerability in SAP Approuter
SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results...
CVE-2026-44745
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-44745 for potential details on affected versions, remediation, and impact.
PT-2026-60105
Name of the Vulnerable Software and Affected Versions Nebula-mesh versions 0.2.0 through 0.3.8 Description When OIDC is enabled, the application is susceptible to a denial of service via memory exhaustion. An unauthenticated remote client can repeatedly send requests to the GET /ui/oidc/login...
PT-2026-58847
Name of the Vulnerable Software and Affected Versions Matter SDK connectedhomeip versions prior to 1.4.0 Description A null pointer dereference occurs in the ReadRevisionAttribute function, which is utilized across several clusters including Channel, Account Login, and TargetNavigator. The issue...
CVE-2026-58488
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used th...
CVE-2026-51821
SQL Injection vulnerability in Shenzhou Shihan Video Conference System v.1.0 allows a remote attacker to execute arbitrary code via the /user/getUserLogin endpoint...
CVE-2026-58488
CVE-2026-58488 affects HedgeDoc versions prior to 1.11.0. The vulnerability arises from the login/register rate-limit logic which, when a cf-connecting-ip header is present, uses that header instead of the user’s real IP—even if requests did not originate from Cloudflare. This allowed an attacker...
CVE-2026-58488 HedgeDoc: Rate-limit bypass via CF-Connecting-IP header spoofing
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used th...
CVE-2026-61503
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
CVE-2026-61503
CVE-2026-61503 – Rejetto HFS : Affects HFS 3.0.0–3.2.0. The login endpoint returns observably different responses depending on whether the username exists, enabling remote, unauthenticated actors to confirm valid accounts (including the default admin) and facilitating password guessing and sessio...
CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
CVE-2026-61500
Affected software: Rejetto HFS 3.0.0–3.2.0. Root cause: session-cookie signing key derived from the non‑cryptographic Math.random() generator; outputs disclosed to unauthenticated clients during login. Impact: remote attacker can observe login responses, reconstruct the generator state, recover t...