Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the authentication and session management process. An attacker can gain unauthorized access to user accounts and maintain persistent access even after a password change by exploiting weak password...
CVE-2026-27575
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...
PT-2026-22031
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.0.0. Description: The application allows users to set weak passwords without enforcing minimum strength requirements. Active sessions remain valid after a user changes their password, potentially allowing an attacker...
Intimate products maker Tenga spilled customer data
Tenga confirmed reports published by several outlets that the company notified customers of a data breach. The Japanese manufacturer of adult products appears to have fallen victim to a phishing attack targeting one of its employees. Tenga reportedly wrote in the data breach notification: “An...
VulnCheck KEV: CVE-2026-1994
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to...
Splunk Cloud Platform and Splunk Enterprise Resource Management Error Vulnerability
Splunk Cloud Platform and Splunk Enterprise are both products of the American company Splunk. Splunk Cloud Platform is a powerful service for data collection, processing, and analysis. Splunk Enterprise is a suite of software for data collection and analysis. There is a resource management...
Multiple Honeywell Products Access Control Error Vulnerability
Honeywell I-HIB2PI-UL 2MP, etc., are products of the American company Honeywell. The Honeywell I-HIB2PI-UL 2MP is an infrared dome camera. The Honeywell SMB NDAA MVO-3 is an infrared gimbal camera. The Honeywell PTZ WDR 2MP 32M is a series of night vision cameras. Several Honeywell products have...
CVE-2020-37118
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...
CVE-2026-24667 Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user...
Open eClass Code Issue Vulnerability
Open eClass is an open-source e-classroom system developed by the Greek Universities Network. Versions of Open eClass prior to 4.2 contained code vulnerabilities. These vulnerabilities stemmed from the failure to invalidate active user sessions after password changes, allowing unauthorized access...
EUVD-2026-4672
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...
CVE-2026-24432 Tenda W30E V2 Missing CSRF Protections for Administrative Actions
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...
CVE-2026-24432
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...
CVE-2026-24440 Tenda W30E V2 Allows Password Changes Without Verifying Current Password
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained...
CVE-2025-59108
CVE-2025-59108 affects the web interface of the dormakaba Access Manager. The issue is a weak/default password policy: the password is set to 'admin' by default and, in tested versions, changing it is not enforced, enabling unauthenticated access to the web UI. According to the available sources,...
PT-2026-4758
By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version, changing the password was not enforced...
Tenda W30E security vulnerabilities
The Tenda W30E is a router produced by the Chinese company Tenda. The Tenda W30E V2 and earlier versions have security vulnerabilities. These vulnerabilities stem from an authorization flaw in the user management API, which may allow users with low privileges to change the password of administrat...
Tenda W30E security vulnerabilities
The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 had security vulnerabilities. These vulnerabilities stemmed from a maintenance interface that allowed changes to account passwords without verification of the existing...
CVE-2021-47754 Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...
PT-2026-3099
Name of the Vulnerable Software and Affected Versions: Easy!Appointments versions 1.5.2 and earlier. Description: The application's CSRF protection in application/core/EA_Security.php::csrf_verify only applies to POST requests, bypassing validation for other request methods like GET. Several...