Lucene search
K

603 matches found

CVE
CVE
added 3 days ago7 views

CVE-2026-57574

This CVE affects Misskey, an open-source federated social platform, where the vulnerability resides in the Time-based One-Time Password (TOTP) authentication in UserAuthService. The issue results from insufficient validation of used TOTP tokens, allowing a single-use code to be reused within its ...

7.4CVSS6.1AI score0.0034EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43026

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-43011

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...

6.4CVSS6.1AI score0.00199EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57277

Name of the Vulnerable Software and Affected Versions miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn versions prior to 7.7.1 Description An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-14245

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS6AI score0.00586EPSS
Exploits0References11
NVD
NVD
added 6 days ago11 views

CVE-2026-57867

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords OTP to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3...

8.8CVSS0.00342EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-57867

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords OTP to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3...

8.8CVSS6AI score0.00342EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-57867

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords OTP to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3...

8.8CVSS0.00342EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 10:19 p.m.4 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the TOTP authentication process. An attacker can gain unauthorized access by reusing a previously valid one-time password across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path. Remediation Upgra...

7.1CVSS7.2AI score0.00481EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 10:19 p.m.6 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack in the TOTP authentication process. An attacker can gain unauthorized access by reusing a previously valid one-time password across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path. Remediation Upgra...

7.1CVSS7.2AI score0.00481EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.39 views

CVE-2026-20779 Gitea TOTP single-use enforcement defect allows OTP replay

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path...

7.1CVSS0.00481EPSS
Exploits0References4
CVE
CVE
added 2026/07/03 8:19 p.m.13 views

CVE-2026-20779

Gitea prior to 1.26.3 (versions from 1.5.0 up to

7.1CVSS7.2AI score0.00481EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/01 7:53 a.m.8 views

EUVD-2026-40922

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS5.9AI score0.0038EPSS
Exploits1References8
CVE
CVE
added 2026/07/01 7:53 a.m.20 views

CVE-2026-11387

The CVE concerns the WordPress plugin SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery (versions up to 3.9.5). The vulnerability allows unauthenticated privilege escalation via account takeover by exploiting flawed identity validation before updating user detai...

9.8CVSS5.9AI score0.0038EPSS
Exploits1References8
NVD
NVD
added 2026/06/25 4:16 p.m.11 views

CVE-2026-54036

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user or attacker with a stolen session even when 2FA is already fully enabled on the account. This endpoint overwrites the existi...

8.1CVSS0.00213EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/25 3:45 p.m.30 views

CVE-2026-54040 LibreChat: 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can...

5.9CVSS0.0015EPSS
Exploits1References1
CVE
CVE
added 2026/06/25 3:39 p.m.17 views

CVE-2026-54036

CVE-2026-54036 (LibreChat) describes a vulnerability where the GET /api/auth/2fa/enable endpoint can be invoked by an authenticated user (or attacker with a stolen session) even when 2FA is fully enabled. The call overwrites the existing TOTP secret, regenerates backup codes, and sets twoFactorEn...

8.1CVSS6AI score0.00213EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/06/24 1:16 p.m.12 views

CVE-2026-56338

Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors...

6.9CVSS0.00281EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.33 views

CVE-2026-56338 Capgo - Denial of Service in 2FA Email Verification via /auth/v1/otp Endpoint

Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors...

6.9CVSS0.00281EPSS
Exploits0References2
NVD
NVD
added 2026/06/22 2:17 p.m.13 views

CVE-2026-56450

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

5.1CVSS0.0033EPSS
Exploits0References1
Rows per page
Query Builder