Lucene search
K

452 matches found

osv
osv
added 2026/04/10 12:30 a.m.12 views

GHSA-RC8F-R29C-CHR6 Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq8g-hgh6-87hv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows...

6.3CVSS5.7AI score0.00361EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/03/27 10:51 p.m.11 views

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS5.9AI score0.00513EPSS
Exploits1References1
snyk
snyk
added 2026/03/27 10:31 p.m.3 views

Weak Password Requirements

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without...

6.9CVSS5.9AI score0.00361EPSS
Exploits0References3
github
github
added 2026/03/27 10:31 p.m.15 views

OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Summary BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

6.5CVSS5.9AI score0.00361EPSS
Exploits0References5Affected Software1
nvd
nvd
added 2026/03/26 7:17 p.m.12 views

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS0.00513EPSS
Exploits1References2
cvelist
cvelist
added 2026/03/26 7:7 p.m.26 views

CVE-2026-33152 Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS0.00513EPSS
Exploits1References2
attackerkb
attackerkb
added 2026/03/26 7:7 p.m.3 views

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS5.8AI score0.00513EPSS
Exploits1References3Affected Software1
cve
cve
added 2026/03/26 7:7 p.m.31 views

CVE-2026-33152

Summary: Tandoor Recipes before 2.6.0 configures Django REST Framework with BasicAuthentication as a default, while rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) applies only to the HTML login endpoint at /accounts/login/. This means any API endpoint that accepts authenticated requests can b...

9.1CVSS5.8AI score0.00513EPSS
Exploits1References2Affected Software1
cvelist
cvelist
added 2026/03/26 1:0 p.m.22 views

CVE-2025-55269 HCL Aftermarket DPC is affected by Weak Password Policy vulnerability

HCL Aftermarket DPC is affected by Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts...

4.2CVSS0.00242EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/03/20 5:38 p.m.8 views

CVE-2026-33129

A flaw was found in H3, a minimal HTTP framework. A remote attacker can exploit a Timing Side-Channel vulnerability in the requireBasicAuth function. This vulnerability arises from the use of an unsafe string comparison, allowing the attacker to deduce valid passwords character-by-character by...

5.9CVSS5.6AI score0.00319EPSS
Exploits1References2
vulnrichment
vulnrichment
added 2026/03/20 9:41 a.m.5 views

CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...

5.9CVSS5.8AI score0.00319EPSS
Exploits1References3
osv
osv
added 2026/03/20 9:41 a.m.5 views

CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...

5.9CVSS5.8AI score0.00319EPSS
Exploits1References5
ptsecurity
ptsecurity
added 2026/03/03 12:0 a.m.8 views

PT-2026-26406

This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password. Context and Preconditions OpenClaw’s web/gateway surface ...

7.5CVSS5.8AI score0.00294EPSS
Exploits0References7
redhatcve
redhatcve
added 2026/02/28 7:45 p.m.9 views

CVE-2026-27753

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate...

6.9CVSS6AI score0.00328EPSS
Exploits0References1
cve
cve
added 2026/02/27 6:9 p.m.13 views

CVE-2026-27753

CVE-2026-27753 affects SODOLA SL902-SWTGW124AS firmware up to version 200.1.20, where an authentication bypass in the device management interface allows remote attackers to perform unlimited login attempts without account lockout or rate limiting. This network-vector vulnerability enables passwor...

6.9CVSS6AI score0.00328EPSS
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/02/27 6:9 p.m.5 views

CVE-2026-27753 SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate...

6.9CVSS6AI score0.00328EPSS
Exploits0References2
nessus
nessus
added 2026/01/16 12:0 a.m.3 views

MiracleLinux 4 : samba-3.6.9-168.AXS4.0.1 (AXSA:2014-176:02)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2014-176:02 advisory. CVE-2012-6150 The winbindnamelisttosidstringlist function in nsswitch/pamwinbind.c in Samba through 4.1.2 handles invalid requiremembershipof group...

5CVSS7.7AI score0.10642EPSS
Exploits1References3
euvd
euvd
added 2026/01/10 1:6 a.m.6 views

EUVD-2026-1884

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint /account/changepassword was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

6.9CVSS6.6AI score0.0022EPSS
Exploits0References4
redhatcve
redhatcve
added 2025/12/13 3:58 p.m.5 views

CVE-2025-53960

When issuing JSON Web Tokens JWT, Apache StreamPark directly uses the user's password as the HMAC signing key e.g., with the HS256 algorithm. An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge...

5.9CVSS6.8AI score0.0022EPSS
Exploits0References1
euvd
euvd
added 2025/12/12 6:30 p.m.4 views

EUVD-2025-203092

Apache StreamPark: Use the user’s password as the secret key Vulnerability...

5.9CVSS6.5AI score0.0022EPSS
Exploits0References4
Rows per page
Query Builder