1179 matches found
Erlang/OTP -- buffer overflow parsing SCTP ERROR/ABORT chunks
https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97 reports: A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed. This could lead to stack corruption and VM crash, but ultimately with hard work by an attacker be refined into maybe even remote code...
Erlang/OTP -- TLS distribution check_ip flag does not enforce same-LAN constraint
https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv reports: Erlang distribution over TLS run with the kernel checkip flag now properly enforces connecting nodes to be on the same LAN. Previously the constraint was not enforced...
Erlang/OTP -- timing-based username enumeration in SSH password authentication
https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4 reports: A timing-based username enumeration vulnerability during password authentication with the userpasswords option has been fixed by performing a dummy PBKDF2 computation for invalid usernames, so authentication timing no...
Malicious code in @klapp-otp/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee On npm install, this package auto-executes index.js via the preinstall lifecycle hook. The script collects os.hostname, os.userInfo, dirname,...
CVE-2026-3655
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-8760
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otplloginaction was placed only inside the OTP-generation branch and is never...
CVE-2026-42789
A flaw was found in Erlang OTP's publickey module. This vulnerability CWE-295, related to improper certificate validation, allows a non-Certificate Authority CA certificate to be accepted as an intermediate issuer. A remote attacker, holding an end-entity certificate issued by a trusted CA, can...
CVE-2026-10611
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...
EUVD-2026-33917
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...
CVE-2026-10611
CVE-2026-10611 describes an authentication bypass in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated via an authentication plugin (e.g., LDAP) may have their session established dur...
CVE-2026-8293 Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...
PT-2026-45744
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require otp=true, users authenticated through an authentication plugin, such as LDAP, may have their...
Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Summary OTPHP\Factory::loadFromProvisioningUri parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter$key, $value. setParameter resolves the name with propertyexists$this, $parameter and performs a dynamic write $this-$parameter = $value src/OTP.php:196-197...
CVE-2026-3655
The CVE-2026-3655 entry describes an authentication bypass in the WordPress plugin “OTP Login With Phone Number, OTP Verification” versions 1.8.50–1.8.60. The root cause is a Firebase verification flow in the lwp_ajax_register AJAX handler that does not bind the Firebase session to the submitted ...
CVE-2026-3655
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
Erlang/OTP 17.0 < 26.2.5.21 / 27.0 < 27.3.4.12 / 28.0 < 28.5.0.1 / 29.0 < 29.0.1 Certificate Chain Forgery (CVE-2026-42789)
The version of Erlang/OTP installed on the remote host is 17.0 prior to 26.2.5.21, 27.0 prior to 27.3.4.12, 28.0 prior to 28.5.0.1, or 29.0 prior to 29.0.1. It is, therefore, affected by a vulnerability: - Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP publickey...
Erlang/OTP 19.3 < 26.2.5.21 / 27.0 < 27.3.4.12 / 28.0 < 28.5.0.1 / 29.0 < 29.0.1 DNS nameConstraints Bypass (CVE-2026-42790)
The version of Erlang/OTP installed on the remote host is 19.3 prior to 26.2.5.21, 27.0 prior to 27.3.4.12, 28.0 prior to 28.5.0.1, or 29.0 prior to 29.0.1. It is, therefore, affected by a vulnerability: - Improper Certificate Validation vulnerability in Erlang OTP publickey pubkeycert and...
WordPress plugin OTP Login With Phone Number OTP Verification 授权问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Linux Distros Unpatched Vulnerability : CVE-2026-42791
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper Certificate Validation vulnerability in Erlang OTP publickey pubkeyocsp module allows forged OCSP responses signed with an expired responder certificat...