Lucene search
K

62 matches found

EUVD
EUVD
added yesterday5 views

EUVD-2026-43315

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS6.1AI score0.00138EPSS
Exploits0References2
NVD
NVD
added yesterday5 views

CVE-2026-9597

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS0.00138EPSS
Exploits0References1
CVE
CVE
added yesterday13 views

CVE-2026-9597

Mattermost advisory MMSA-2026-00681 documents a vulnerability in Mattermost where versions 11.7.x <= 11.7.2 and 11.6.x

5.4CVSS6.1AI score0.00138EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added yesterday17 views

CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS0.00138EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-14495 DoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomness via 'dologin' Parameter Weak PRNG Token

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because dologin\s::rrand seeds the Mersenne Twister with mtsranddouble microtime 1000000 — discarding the integer-second...

8.8CVSS0.00425EPSS
Exploits0References5
OSV
OSV
added 2026/06/30 11:39 p.m.3 views

BIT-GHOST-2026-53947 Ghost: Member existence leak via magic link sign-in response

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 6:7 p.m.28 views

CVE-2026-53947 Ghost: Member existence leak via magic link sign-in response

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...

5.3CVSS0.00206EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:7 p.m.11 views

CVE-2026-53947

Ghost (Node.js CMS) contains a member existence leak via the magic link sign-in flow in versions 5.18.0–6.21.0, caused by differing responses from the members signin endpoints. An unauthenticated user could confirm whether an email is registered on a Ghost site. The issue is fixed in version 6.21...

5.3CVSS5.9AI score0.00206EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.13 views

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS5.5AI score0.0023EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:41 p.m.11 views

CVE-2025-10470

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS5.6AI score0.00317EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/11 12:32 p.m.15 views

EUVD-2025-209760

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS5.8AI score0.00317EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/11 12:32 p.m.13 views

EUVD-2025-209756

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS5.8AI score0.0023EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 12:16 p.m.19 views

CVE-2025-10470

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS0.00317EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 10:16 a.m.18 views

CVE-2025-10470

CVE-2025-10470 affects WSO2 Identity Server's Magic Link authentication flow. The vulnerability arises because the flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, causing uncontrolled memory usage growth. This can lead to a denial-of-servi...

8.6CVSS5.8AI score0.00317EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/11 10:16 a.m.7 views

CVE-2025-10470

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS5.8AI score0.00317EPSS
Exploits0References2Affected Software2
Vulnrichment
Vulnrichment
added 2026/05/11 10:16 a.m.7 views

CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS5.8AI score0.00317EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 10:16 a.m.47 views

CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

8.6CVSS0.00317EPSS
Exploits0References1
NVD
NVD
added 2026/05/11 10:16 a.m.14 views

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS0.0023EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 9:1 a.m.41 views

CVE-2025-10908 Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

0.0023EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 9:1 a.m.17 views

CVE-2025-10908

CVE-2025-10908 affects WSO2 Identity Server. The root cause is a lack of user account state validation during authentication, allowing locked accounts to be authenticated via Magic Link or Pass Key and bypass the account-lock mechanism. This can lead to unauthorized access to applications and dat...

7.3CVSS5.8AI score0.0023EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder