CVE-2026-10169

The CVE describes a weakness in the Forgot Password Endpoint of OUSL-GROUP-BrinaryBrains School Student Management System. The vulnerability affects the function ajax_forgot_password in application/controllers/Login.php, where manipulation of the email parameter enables weak password recovery. It...

CVE-2026-4377 Use of Weak Credentials in D-Link DWR-X1820 router

Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in version 1.00B16CP...

WordPress plugin Login with OTP 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

IBM Cloud Pak for Data System 安全漏洞

IBM Cloud Pak for Data System is an enterprise data and AI integration platform provided by IBM. The version 11.3.0.2 of IBM Cloud Pak for Data System, as well as the Interim Fix 002, contain security vulnerabilities. These vulnerabilities stem from the use of default passwords during the...

CVE-2026-43948 wger: cross-tenant password reset and plaintext disclosure via gym=None bypass

wger is a free, open-source workout and fitness manager. Prior to 2.6, the resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker...

Security Bulletin: IBM MQ Appliance is affected by a default password vulnerability (CVE-2025-14917)

Summary IBM MQ Appliance has addressed a default password vulnerability. Vulnerability Details CVEID:CVE-2025-14917 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when...

EUVD-2026-27945

Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

PT-2026-34035

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...

EUVD-2026-23231

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message...

CVE-2026-33784

A Use of Default Password vulnerability in the Juniper Networks Support Insights JSI Virtual Lightweight Collector vLWC allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change ...

CVE-2026-34977

Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command, without any form o...

Navicat 安全漏洞

Navicat is a database management tool developed by Navicat Corporation. It aims to provide a visual user interface, making it easier for users to manage the design, development, and maintenance of databases. Version 12.1.15 of Navicat has a security vulnerability; this vulnerability stems from a...

Weak Password Requirements

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction...

CVE-2026-33935

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

CVE-2026-33297 AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

WWBN AVideo is an open source video platform. Prior to version 26.0, the setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numer...

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

Summary The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVE-2025-70041

An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master...

VulnCheck KEV: CVE-2023-24796

Password vulnerability found in Vinga WR-AC1200 81.102.1.4370 and before allows a remote attacker to execute arbitrary code via the password parameter at the /goform/sysTools and /adm/systools.asp endpoints...

CVE-2026-28213

EverShop (TypeScript-first eCommerce platform) prior to version 2.1.1 is affected by a vulnerability in the Forgot Password flow. When a target email is specified, the API response reveals the password reset token, enabling potential account takeover. The issue affects versions before 2.1.1; upgr...

CVE-2019-25438 LabCollector 5.423 SQL Injection via login.php

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the username parameter of...