CVE-2026-9047

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

CVE-2026-9091 CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

CVE-2026-48897

CVE-2026-48897 relates to the Joomla! Core MFA authentication bypass. The issue is caused by insufficient state checks and, per the linked Joomla security advisory and NVD record, a vector that bypasses 2FA. Consequences stated include high impact on integrity with no confidentiality/availability...

SUSE CVE-2025-6015

Vault and Vault Enterprise's “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

EUVD-2026-27311

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

CVE-2026-28510

Vulnerability summary (CVE-2026-28510): elabftw versions up to 5.4.1 fail to reliably preserve MFA state during login, allowing an attacker with valid primary credentials to complete authentication using an attacker-controlled TOTP secret and bypass the additional factor. This can lead to unautho...

New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks

Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections...

EUVD-2026-17919

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request...

CVE-2026-4828

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request...

CVE-2026-4828

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request...

CVE-2026-4828

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.63 and 9.7.0-alpha.7. These vulnerabilities stemmed from the fact that the password...

Linux Distros Unpatched Vulnerability : CVE-2026-25937

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's...

CVE-2026-32730

CVE-2026-32730 affects ApostropheCMS: the bearer token authentication flow can bypass MFA/TOTP if a password-verification token (incompleteToken) is used as a bearer token. The root cause is a MongoDB query bug in the getBearer() logic: it checks for requirementsToVerify with $ne: [] (not equal t...

EUVD-2026-12975

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware...

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware Summary The bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials ROPC flow to authenticate without MFA...

PT-2026-26158

MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware Summary The bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVE-2026-25937 GLPI has a MFA bypass

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...