28 matches found

Positive Technologies
added 2026/06/05 12:00 a.m. · 9 views

PT-2026-47026

Name of the Vulnerable Software and Affected Versions: Hippoo Mobile App for WooCommerce versions prior to 1.9.5. Description: An authentication bypass exists that allows for administrator account takeover. The issue stems from a logic conflation in the get user permissions function within...

CVSS 9.8 · AI score 5.4 · EPSS 0.01791
Exploits: 0 · References: 16
Snyk
added 2026/03/04 10:53 p.m. · 2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

CVSS 8.3 · AI score 5.7 · EPSS 0.00318
Exploits: 0 · References: 2
Japan Vulnerability Notes
added 2026/02/02 6:18 a.m. · 6 views

Multiple vulnerabilities in Cybozu Garoon

Overview: Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
CyVDB-3687: Cross-site scripting vulnerability in E-mail (CWE-79) - CVE-2026-20711
CyVDB-3689: Cross-site scripting vulnerability in Message (CWE-79) - CVE-2026-22881
CyVDB-3995: Improper input verification in...

CVSS 7.5 · AI score 5.4 · EPSS 0.00404
Exploits: 0 · References: 8
NVD
added 2025/11/18 5:16 p.m. · 9 views

CVE-2025-55796

The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted ...

CVSS 7.5 · EPSS 0.00498
Exploits: 1 · References: 3
CVE
added 2025/11/01 3:34 a.m. · 72 views

CVE-2025-11833

CVE-2025-11833 affects the WordPress Post SMTP plugin up to and including version 3.6.0, due to a missing capability check in the __construct function. This unauthenticated issue lets attackers read arbitrary logged emails (including password reset emails), enabling potential account takeover and...

CVSS 9.8 · AI score 5.2 · EPSS 0.50282
In the wild · Exploits: 1 · References: 3
EUVD
added 2025/10/07 12:30 a.m. · 5 views

EUVD-2021-22792

Malware in sbrugna...

CVSS 8.1 · AI score 8.1 · EPSS 0.01109
Exploits: 0 · References: 2
EUVD
added 2025/10/07 12:30 a.m. · 5 views

EUVD-2020-3817

Malware in sbrugna...

CVSS 7.5 · AI score 7.5 · EPSS 0.01782
Exploits: 1 · References: 4
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-2663

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 6.5 · EPSS 0.00729
Exploits: 1 · References: 2
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2022-3703

Malicious code in bioql PyPI...

CVSS 9 · AI score 8.6 · EPSS 0.01343
Exploits: 0 · References: 3
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-5592

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 9.3 · EPSS 0.01618
Exploits: 0 · References: 4
OSV
added 2025/10/03 2:52 p.m. · 4 views

GHSA-9WJ2-4HCM-R74J phpMyFAQ duplicate email registration allows multiple accounts with the same email

Summary phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause...

CVSS 8.1 · AI score 7.6 · EPSS 0.00379
Exploits: 1 · References: 4
The Hacker News
added 2025/08/19 6:36 a.m. · 8 views

PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

The maintainers of the Python Package Index PyPI repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gai...

AI score 8.1
Exploits: 0
Debian
added 2025/07/23 8:28 p.m. · 8 views

[SECURITY] [DLA 4249-1] mediawiki security update

Debian LTS Advisory DLA-4249-1 [email protected] https://www.debian.org/lts/security/
Guilhem Moulin July 23, 2025 https://wiki.debian.org/LTS
Package : mediawiki
Version : 1:1.35.13-1+deb11u4
CVE ID : CVE-2025-3469 CVE-2025-6590 CVE-2025-6591 CVE-2025-6593 CVE-2025-6594 CVE-2025-6595...

CVSS 8.8 · AI score 5.7 · EPSS 0.00454
Exploits: 0
CNNVD
added 2025/07/07 12:00 a.m. · 3 views

JobCenter security vulnerability

JobCenter is a task center application by NoardGuo Personal Developer. A security vulnerability exists in JobCenter 7e7b0b2 and prior versions that stems from an unconfigured SERVERNAME causing the password reset feature to rely on the Host HTTP header, which could lead to account takeover...

CVSS 9.8 · AI score 6.8 · EPSS 0.00341
Exploits: 0 · References: 3
RedhatCVE
added 2025/05/23 8:00 a.m. · 5 views

CVE-2024-1050

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxforceresetpassworddeletemetas function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers,...

CVSS 4.3 · AI score 5.9 · EPSS 0.00431
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/23 4:21 a.m. · 8 views

CVE-2023-42820

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled, users are not affected. Users not using local...

CVSS 8.2 · AI score 6.9 · EPSS 0.05404
Exploits: 4
RedhatCVE
added 2025/05/22 6:20 a.m. · 6 views

CVE-2012-5686

ZPanel 10.0.1 has insufficient entropy for its password reset process...

CVSS 9.8 · AI score 7.1 · EPSS 0.04764
Exploits: 5 · References: 1
CVE
added 2025/03/27 9:06 a.m. · 79 views

CVE-2025-29993

CVE-2025-29993 affects PowerCMS versions PowerCMS 6.6 and earlier, PowerCMS 5.27 and earlier, and PowerCMS 4.58 and earlier. The vulnerability is an HTTP header injection flaw in PowerCMS that can cause the product to send emails (e.g., password reset) containing tampered URLs. The root cause is ...

CVSS 5.3 · AI score 7.3 · EPSS 0.00235
Exploits: 0 · References: 2
Positive Technologies
added 2024/10/04 12:00 a.m. · 4 views

PT-2024-12113 · Taskcafe · Taskcafe

Name of the Vulnerable Software and Affected Versions: TaskCafe version 0.3.2 Description: The issue is related to a lack of validation in the Cookie value, which allows an unauthenticated attacker who knows a registered UserID to change the password of that user. This can be exploited by attacke...

CVSS 9.8 · AI score 7.2 · EPSS 0.00594
Exploits: 1 · References: 9
Positive Technologies
added 2024/06/06 12:00 a.m. · 3 views

PT-2024-34599 · Lunary Ai · Lunary

Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.4 Description: An account takeover issue exists due to the exposure of password recovery tokens in API responses. When a user initiates the password reset process, the recovery token is included in the response of...

CVSS 9.1 · AI score 9.2 · EPSS 0.00543
Exploits: 1 · References: 7