58 matches found

AlpineLinux
added 2026/05/21 7:34 a.m., 13 views

CVE-2026-44054

Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism...

CVSS 6.5 | AI score 5.8 | EPSS 0.00117
Exploits: 0

EUVD
added 2026/05/07 1:35 p.m., 3 views

EUVD-2026-28379

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's makesigninkey function and exam.py's genticketcode function. This issue has been patched via commit 2f68e16...

CVSS 8.7 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | References: 2

ATTACKERKB
added 2026/05/07 1:35 p.m., 4 views

CVE-2026-41505

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's makesigninkey function and exam.py's genticketcode function. This issue has been patched via commit 2f68e16...

CVSS 8.7 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | References: 3

Vulnrichment
added 2026/05/07 1:35 p.m., 4 views

CVE-2026-41505 RELATE: Predictable Token Generation in auth.py and exam.py

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's makesigninkey function and exam.py's genticketcode function. This issue has been patched via commit 2f68e16...

CVSS 8.7 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/07 12:0 a.m., 5 views

PT-2026-38443

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make sign in key function and exam.py's gen ticket code function. This issue has been patched via commit 2f68e16...

CVSS 8.7 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | References: 2

CNNVD
added 2026/05/07 12:0 a.m., 4 views

RELATE security feature vulnerability

RELATE is a web-based course package developed by Andreas Klöckner as an individual project. Previous versions of RELATE, such as 2f68e16, had security-related vulnerabilities. These vulnerabilities stemmed from the makesigninkey function in auth.py and the genticketcode function in exam.py, whic...

CVSS 8.7 | AI score 5.8 | EPSS 0.00052
Exploits: 0 | References: 1

CVE
added 2026/04/21 1:38 a.m., 8 views

CVE-2026-40496

CVE-2026-40496 affects FreeScout prior to version 1.8.213, where attachment download tokens were created with a weak formula: md5(APP_KEY + attachment_id + size). Because attachment_id is sequential and size brute-forcible, an unauthenticated attacker can forge valid tokens and download private a...

CVSS 9.3 | AI score 5.7 | EPSS 0.0006
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2026/03/18 9:33 p.m., 0 views

CVE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST...

CVSS 4.3 | AI score 6 | EPSS 0.00021
Exploits: 0 | References: 5

Debian CVE
added 2026/03/05 1:41 a.m., 3 views

CVE-2025-40931

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come fro...

CVSS 9.1 | AI score 5.3 | EPSS 0.00029
Exploits: 0

CVE
added 2026/03/05 1:41 a.m., 11 views

CVE-2025-40931

Apache::Session::Generate::MD5 (versions through 1.94 for Perl) creates insecure session IDs. The default generator returns a MD5 hash seeded with the built-in rand(), the epoch time, and the PID; the PID comes from a small set, and the epoch time may be guessed if not leaked. Built-in rand() is ...

CVSS 9.1 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 10 | Affected Software: 1

NVD
added 2026/02/19 7:17 a.m., 4 views

CVE-2025-13079

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it...

CVSS 5.3 | EPSS 0.00095
Exploits: 0 | References: 4

Cvelist
added 2026/02/19 3:25 a.m., 25 views

CVE-2025-13079 Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it...

CVSS 5.3 | EPSS 0.00095
Exploits: 0 | References: 4

Vulnrichment
added 2026/02/19 3:25 a.m., 2 views

CVE-2025-13079 Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it...

CVSS 5.3 | AI score 5.7 | EPSS 0.00095
Exploits: 0 | References: 4

CVE
added 2026/02/19 3:25 a.m., 11 views

CVE-2025-13079

CVE-2025-13079 concerns the WordPress plugin “Popup Builder” (versions

CVSS 5.3 | AI score 5.7 | EPSS 0.00095
Exploits: 0 | References: 4

Patchstack
added 2026/02/18 10:11 p.m., 4 views

WordPress Popup Builder plugin <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens vulnerability

Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Popup Builder versions <= 4.4.2...

CVSS 5.3 | AI score 5.5 | EPSS 0.00095
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/01/22 2:57 p.m., 2 views

CVE-2025-64097 NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force

NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens...

CVSS 9.5 | AI score 5.6 | EPSS 0.00022
Exploits: 0 | References: 3

CNNVD
added 2026/01/22 12:0 a.m., 2 views

NervesHub security feature vulnerability

NervesHub is a software developed under open source by NervesHub for managing firmware updates of Nerves devices. Versions of NervesHub from 1.0.0 to 2.3.0 had security vulnerabilities. These vulnerabilities stemmed from the predictable and non-encrypted token format, which could lead to...

CVSS 9.8 | AI score 5.8 | EPSS 0.00022
Exploits: 0 | References: 3

Positive Technologies
added 2026/01/22 12:0 a.m., 3 views

PT-2026-3943

NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens...

CVSS 9.5 | AI score 5.6 | EPSS 0.00022
Exploits: 0 | References: 4

Cvelist
added 2025/12/05 4:42 p.m., 18 views

CVE-2025-66511 Nextcloud Calendar app used predictable proposal participant tokens

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The...

CVSS 4.8 | EPSS 0.00023
Exploits: 0 | References: 4

Vulnrichment
added 2025/12/05 4:42 p.m., 4 views

CVE-2025-66511 Nextcloud Calendar app used predictable proposal participant tokens

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The...

CVSS 4.8 | AI score 6.3 | EPSS 0.00023
Exploits: 0 | References: 4