CVE-2026-45691 Nextcloud: Bypass of second factor authentication on DAV endpoints

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie created after successful password authentication but before TOTP completion could be reused as a Bearer token to authenticat...

CVE-2025-12485

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions :...

PT-2025-45338

Name of the Vulnerable Software and Affected Versions Devolutions Server versions 2025.2.15.0 through 2025.3.5.0 Description A flaw exists in Devolutions Server related to improper privilege management during the handling of pre-MFA cookies. A low-privileged authenticated user can potentially...

EUVD-2022-30638

Malicious code in bioql PyPI...

CVE-2022-26070 Error message discloses internal path

When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0...

CVE-2022-26070

CVE-2022-26070 affects Splunk Enterprise versions before 8.1.0. The issue is information disclosure: when handling a mismatched pre-authentication cookie, the response leaks the Splunk local system path in an internal error message. Red Hat and other sources corroborate the same description; Red ...