Lucene search
+L

890 matches found

Github Security Blog
Github Security Blog
added 2026/03/17 9:31 a.m.9 views

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

8.8CVSS5.8AI score0.00256EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/17 8:34 a.m.6 views

CVE-2026-4208

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS5.8AI score0.00256EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/17 8:34 a.m.48 views

CVE-2026-4208 Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS0.00256EPSS
Exploits0References1
OSV
OSV
added 2026/03/17 8:34 a.m.3 views

CVE-2026-4208 Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS6AI score0.00256EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/13 7:15 p.m.4 views

CVE-2026-31798 JumpServer Improper Certificate Validation in Custom SMS API Client

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

5CVSS5.9AI score0.00097EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.5 views

PT-2026-25359

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

5CVSS5.9AI score0.00097EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/03/11 5:29 p.m.5 views

SUSE CVE-2025-13821

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID:...

5.7CVSS5.8AI score0.00198EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/11 4:17 p.m.8 views

CVE-2026-3429 Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

4.2CVSS5.8AI score0.00251EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/11 4:17 p.m.29 views

CVE-2026-3429 Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

4.2CVSS0.00251EPSS
Exploits0References4
OSV
OSV
added 2026/03/11 12:35 a.m.5 views

GHSA-4HF6-3X24-C9M8 Parse Server's MFA recovery codes not consumed after use

Impact When multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recover...

8.2CVSS5.8AI score0.0044EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.6 views

PT-2026-24745

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Account REST API of Keycloak that allows a user authenticated with a lower security level to perform sensitive actions intended only for higher-assurance sessions. An...

4.2CVSS5.9AI score0.00251EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/03/10 12:0 a.m.2 views

CVE-2025-69615

Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03...

9.1CVSS5.8AI score0.0045EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 12:0 a.m.2 views

CVE-2025-69615

Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03...

5.8AI score0.0045EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/06 7:52 a.m.6 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication MFA bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

6.9CVSS5.8AI score0.00339EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/05 5:31 a.m.3 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication MFA bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

6.9CVSS5.8AI score0.00339EPSS
Exploits0References2
CVE
CVE
added 2026/03/05 5:31 a.m.27 views

CVE-2026-30777

EC-CUBE (EC-CUBE CO.,LTD.) contains a vulnerability that allows MFA bypass. An attacker with valid administrator credentials may bypass two-factor authentication and gain unauthorized access to the administrative page. The connected CVE records confirm the issue and describe the impact as unautho...

6.9CVSS6AI score0.00339EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/04 10:53 p.m.5 views

GHSA-6RX5-M2RC-HMF7 ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Summary A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover. Impact Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after...

7.7CVSS6.2AI score0.00318EPSS
Exploits0References4
Microsoft Secure
Microsoft Secure
added 2026/03/04 4:4 p.m.20 views

Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

In this article 1. Operational overview of Tycoon2FA 2. Mitigation and protection guidance 3. Microsoft Defender detections Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service PhaaS platforms, enabling campaigns responsible for tens of...

5.6AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/02 10:53 a.m.5 views

CVE-2026-3429

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

4.2CVSS5.9AI score0.00251EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/23 1:30 p.m.7 views

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

7.4CVSS5.6AI score0.00226EPSS
Exploits1References1
Rows per page
Query Builder