117 matches found

Source: Debian CVE (added last week, 6 views)

CVE-2026-4408

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

CVSS: 9 | AI score: 5.9 | EPSS: 0.00392 | Exploits: 0
Source: CNNVD (added 2026/05/28 12:0 a.m., 5 views)

Samba operating system command injection vulnerability

Samba is an open-source suite of standard Windows interoperability programs for Linux and Unix systems. Samba has a vulnerability related to operating system command injection, which stems from the incorrect escaping of shell metacharacters when the “check password” script uses the %u character...

CVSS: 9 | AI score: 5.8 | EPSS: 0.00392 | Exploits: 0 | References: 3
Source: Positive Technologies (added 2026/05/26 12:0 a.m., 6 views)

PT-2026-43438

Name of the Vulnerable Software and Affected Versions: Samba, affected versions not specified. Description: A flaw exists in the handling of certificate auto-enrollment Group Policy. When this feature is enabled, Samba may retrieve a CA certificate via an unencrypted HTTP connection and install it in...

CVSS: 8 | AI score: 5.8 | EPSS: 0.00005 | Exploits: 0 | References: 39
Source: Cvelist (added 2026/04/07 7:3 p.m., 17 views)

CVE-2026-39322 PolarLearn: Any password authenticates banned accounts and grants API access

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and...

CVSS: 9.2 | EPSS: 0.00056 | Exploits: 0 | References: 1
Source: Positive Technologies (added 2026/04/07 12:0 a.m., 2 views)

PT-2026-30983

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and...

CVSS: 9.2 | AI score: 5.9 | EPSS: 0.00056 | Exploits: 0 | References: 2
Source: NVD (added 2026/03/31 10:16 p.m., 2 views)

CVE-2026-34453

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS: 7.5 | EPSS: 0.03649 | Exploits: 1 | References: 3
Source: Positive Technologies (added 2026/03/31 12:0 a.m., 2 views)

PT-2026-29381

Name of the Vulnerable Software and Affected Versions: SiYuan, versions prior to 3.6.2. Description: The publish service in SiYuan allows unauthenticated visitors to access bookmarked blocks from password-protected documents. This occurs because the /api/bookmark/getBookmark endpoint, when operating ...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.03649 | Exploits: 1 | References: 7
Source: Github Security Blog (added 2026/03/30 6:3 p.m., 9 views)

AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification

Summary: The getapivideofile and getapivideo API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTu...

CVSS: 5.3 | AI score: 6 | EPSS: 0.00031 | Exploits: 1 | References: 4 | Affected Software: 1
Source: NVD (added 2026/03/27 3:16 p.m., 1 view)

CVE-2026-33763

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideopasswordiscorrect API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field...

CVSS: 5.3 | EPSS: 0.00112 | Exploits: 1 | References: 2
Source: ATTACKERKB (added 2026/03/27 2:25 p.m., 4 views)

CVE-2026-33763

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideopasswordiscorrect API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00112 | Exploits: 1 | References: 3 | Affected Software: 1
Source: CVE (added 2026/03/27 2:25 p.m., 3 views)

CVE-2026-33763

The connected GitHub advisory documents an unauthenticated brute-force vulnerability in AVideo via the video password verification API. The endpoint plugin/API/API.php:get_api_video_password_is_correct allows any user to verify a video password without authentication or rate limiting, enabling ef...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00112 | Exploits: 1 | References: 2 | Affected Software: 1
Source: Tenable Nessus (added 2026/03/07 12:0 a.m., 3 views)

Fedora 44 : coturn (2026-379e214a37)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-379e214a37 advisory. Coturn 4.9.0 - Multiple security fixes - Fix to Web Admin password check - Cleanup of deprecated OpenSSL APIs - Fix for CVE-2026-27624: Bypass...

CVSS: 7.2 | AI score: 5.9 | EPSS: 0.00053 | Exploits: 1 | References: 2
Source: Snyk (added 2026/03/05 3:32 p.m., 2 views)

Malicious Package

Overview: pearpass-utils-password-check is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS: 9.8 | AI score: 5.8 | Exploits: 0 | References: 2
Source: OSSF Malicious Packages (added 2026/03/05 3:32 p.m., 8 views)

Malicious code in pearpass-utils-password-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e49c29e613eb5defffe0f8db190791cd1e27be699c5aa6343ad0d60814b2e756 The package pearpass-utils-password-check was found to contain malicious code. Source: ghsa-malware...

AI score: 5.7 | Exploits: 0 | References: 1
Source: OSV (added 2026/03/05 3:32 p.m., 3 views)

MAL-2026-1246 Malicious code in pearpass-utils-password-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e49c29e613eb5defffe0f8db190791cd1e27be699c5aa6343ad0d60814b2e756 The package pearpass-utils-password-check was found to contain malicious code. Source: ghsa-malware...

AI score: 5.7 | Exploits: 0 | References: 1
Source: CVE (added 2025/12/03 7:44 p.m., 9 views)

CVE-2025-66489

Cal.com (open-source scheduling software) versions prior to 5.9.8 are affected by an authentication bypass flaw in the login credentials provider. The issue arises when a non-empty totpCode is supplied, causing the password verification step to be bypassed during login through the /api/auth/callb...

CVSS: 9.9 | AI score: 6.5 | EPSS: 0.00275 | Exploits: 1 | References: 1 | Affected Software: 1
Source: EUVD (added 2025/12/02 9:31 p.m., 2 views)

EUVD-2025-200322

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest...

CVSS: 8.7 | AI score: 7.2 | EPSS: 0.00071 | Exploits: 0 | References: 2
Source: OSV (added 2025/11/06 2:4 p.m., 3 views)

CLSA-2025-1762437868 cups: Fix of CVE-2025-58060

CVE-2025-58060: fix authentication bypass by checking password when AuthType is set to anything but Basic...

CVSS: 8 | AI score: 6 | EPSS: 0.00053 | Exploits: 1 | References: 1
Source: OSV (added 2025/11/06 9:59 a.m., 1 view)

CLSA-2025-1762423156 cups: Fix of CVE-2025-58060

CVE-2025-58060: fix authentication bypass by checking password when AuthType is set to anything but Basic...

CVSS: 8 | AI score: 7.5 | EPSS: 0.00053 | Exploits: 1 | References: 1
Source: OSV (added 2025/11/06 9:55 a.m., 3 views)

CLSA-2025-1762422944 cups: Fix of CVE-2025-58060

CVE-2025-58060: fix authentication bypass by checking password when AuthType is set to anything but Basic...

CVSS: 8 | AI score: 5.8 | EPSS: 0.00053 | Exploits: 1 | References: 1