62 matches found
EUVD-2026-43315
Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...
CVE-2026-9597
Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...
CVE-2026-9597
Mattermost advisory MMSA-2026-00681 documents a vulnerability in Mattermost where versions 11.7.x <= 11.7.2 and 11.6.x
CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...
CVE-2026-14495 DoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomness via 'dologin' Parameter Weak PRNG Token
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because dologin\s::rrand seeds the Mersenne Twister with mtsranddouble microtime 1000000 — discarding the integer-second...
BIT-GHOST-2026-53947 Ghost: Member existence leak via magic link sign-in response
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...
CVE-2026-53947 Ghost: Member existence leak via magic link sign-in response
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...
CVE-2026-53947
Ghost (Node.js CMS) contains a member existence leak via the magic link sign-in flow in versions 5.18.0–6.21.0, caused by differing responses from the members signin endpoints. An unauthenticated user could confirm whether an email is registered on a Ghost site. The issue is fixed in version 6.21...
CVE-2025-10908
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...
CVE-2025-10470
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
EUVD-2025-209760
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
EUVD-2025-209756
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...
CVE-2025-10470
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
CVE-2025-10470
CVE-2025-10470 affects WSO2 Identity Server's Magic Link authentication flow. The vulnerability arises because the flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, causing uncontrolled memory usage growth. This can lead to a denial-of-servi...
CVE-2025-10470
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...
CVE-2025-10908
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...
CVE-2025-10908 Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...
CVE-2025-10908
CVE-2025-10908 affects WSO2 Identity Server. The root cause is a lack of user account state validation during authentication, allowing locked accounts to be authenticated via Magic Link or Pass Key and bypass the account-lock mechanism. This can lead to unauthorized access to applications and dat...