Lucene search
K

883 matches found

Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-57282

Name of the Vulnerable Software and Affected Versions Logto versions prior to 1.41.0 Description The Account Center step-up check accepts any active verification record belonging to the current user where isVerified is set to true. An attacker with an existing Account API bearer token can create...

8.1CVSS6.1AI score0.00259EPSS
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago11 views

Malicious code in airkey-mfa-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector addd30fd6d90110d178ea017b2968c6014dab0e8304bdfeb55b13612a75f61da Package auto-executes a preinstall script node test.js on npm install that collects username, hostname, platform, Node version, and CI flag and POSTs...

5.9AI score
Exploits0References5
NVD
NVD
added 6 days ago13 views

CVE-2026-48949

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS0.00147EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 8:16 p.m.6 views

CVE-2026-14536

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

8.8CVSS0.00231EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/01 6:34 p.m.6 views

CVE-2026-13769

Overly permissive file permissions in AWS CLI before 1.44.78 v1 and 2.34.29 v2 on Unix-like systems where the umask has not been configured to restrict file permissions the default on most systems may allow other local users on the same host to read credentials written by certain CLI subcommands...

6.8CVSS5.8AI score0.00101EPSS
Exploits0References5
CISA KEV Catalog
CISA KEV Catalog
added 2026/06/29 12:0 a.m.11 views

SimpleHelp Authentication Bypass Vulnerability

SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacke...

10CVSS5.9AI score0.0116EPSS
In wildExploits1
NVD
NVD
added 2026/06/22 10:16 p.m.12 views

CVE-2026-48505

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...

7.4CVSS0.00193EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.15 views

PT-2026-51391

Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.11.4 Filament versions prior to 5.6.5 Description A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This...

7.4CVSS5.9AI score0.00193EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/19 7:35 p.m.20 views

EUVD-2026-36540

parse-server: Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when User get is denied...

5.9CVSS5.8AI score0.00251EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/18 4:11 p.m.10 views

EUVD-2026-37907

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641...

6.9CVSS5.2AI score0.00308EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/17 10:7 p.m.20 views

CVE-2024-24769 Vantage6: No limit on emails sent for password/MFA reset

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a l...

2.1CVSS0.00278EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 7:16 p.m.16 views

CVE-2026-53725

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and...

5.9CVSS0.00251EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:35 p.m.32 views

CVE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and...

5.9CVSS0.00251EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:35 p.m.19 views

CVE-2026-53725

Parse Server up to version 9.9.1-alpha.5 contains a vulnerability in MFA handling: when _User get is denied by Class-Level Permissions, the /login and /verifyPassword endpoints may bypass CLP/protectedFields sanitization and return raw database rows, exposing MFA data (MFA TOTP secrets and recove...

5.9CVSS5.3AI score0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.23 views

PT-2026-48961

Name of the Vulnerable Software and Affected Versions Parse Server versions 9.8.0 through 9.9.1-alpha.4 Description Applications that enable Multi-Factor Authentication MFA and restrict the get permission on the User class via Class-Level Permissions CLP may expose sensitive user data. The issue...

5.9CVSS5.3AI score0.00251EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/28 4:19 p.m.10 views

EUVD-2026-32942

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

5.9AI score0.00322EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 4:19 p.m.9 views

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

5.9AI score0.00322EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/05/28 1:33 p.m.20 views

ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile...

9.8CVSS6.5AI score0.01456EPSS
Exploits1
Vulnrichment
Vulnrichment
added 2026/05/26 4:44 p.m.9 views

CVE-2026-48897 Joomla! Core - [20260512] - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2CVSS5.8AI score0.00211EPSS
Exploits0References1
NVD
NVD
added 2026/05/22 4:16 p.m.11 views

CVE-2026-9047

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

7.6CVSS0.00215EPSS
Exploits0References1
Rows per page
Query Builder