Lucene search
K

438 matches found

Nuclei
Nuclei
added yesterday13 views

PHP Login System 2.0.1 - Cross-Site Scripting

msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL id: CVE-2023-38875 info...

6.1CVSS6.6AI score0.00824EPSS
Exploits0References2
NVD
NVD
added 5 days ago7 views

CVE-2026-58503

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...

6.9CVSS0.00354EPSS
Exploits0References7
CVE
CVE
added 5 days ago8 views

CVE-2026-58503

Frappe CVE-2026-58503 affects the reset_password endpoint, allowing unauthenticated user enumeration prior to versions 16.16.0 and 15.106.0. The issue is mitigated by the fixes introduced in 16.16.0 and 15.106.0. The CVSS metrics (v4.0) indicate NETWORK access with low attack complexity and no pr...

6.9CVSS6.1AI score0.00354EPSS
Exploits0References7
OSV
OSV
added 5 days ago2 views

CVE-2026-58503 Frappe: Unauthenticated User Enumeration via reset_password

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...

6.9CVSS6.1AI score0.00354EPSS
Exploits0References9
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-58503 Frappe: Unauthenticated User Enumeration via reset_password

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...

6.9CVSS0.00354EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-57334

Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.16.0 Frappe versions prior to 15.106.0 Description User enumeration is possible through the 'reset password' endpoint. User enumeration is a technique used to verify if a specific user exists within a system by...

6.9CVSS6.1AI score0.00354EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/06 10:58 p.m.35 views

CVE-2026-53646 FOSSBilling: Client password reset token reuse allows persistent account takeover

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client from a previous unexpired reset request, subsequent calls to the resetpassword guest API endpoint reuse the existing token instea...

7.7CVSS0.00215EPSS
Exploits1References1
OSV
OSV
added 2026/06/23 5:3 p.m.6 views

GHSA-5C3F-6486-3G7G Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Summary Password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making...

6.8CVSS6.1AI score0.00202EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:40 p.m.11 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS5.5AI score0.00217EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.9 views

CVE-2026-41276

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...

9.8CVSS7.5AI score0.0687EPSS
Exploits1References1
Schneier on Security
Schneier on Security
added 2026/06/04 11:4 a.m.16 views

Hacking Meta’s AI Chatbot

Hackers are convincing Meta's AI support chatbot to let them take over other peoples' accounts: A video posted on X showed the step-by-step process to hack someone's Instagram account. The hacker allegedly used a VPN to spoof the targets' presumed location to avoid triggering Instagram's automate...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/05/16 1:56 a.m.10 views

CVE-2025-64526

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS6AI score0.00492EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.50 views

CVE-2026-27886

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

9.2CVSS0.00612EPSS
Exploits5References1
OSV
OSV
added 2026/05/14 6:43 p.m.4 views

CVE-2026-27886 Strapi may leak sensitive data via relational filtering due to lack of query sanitization

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

9.2CVSS6AI score0.00612EPSS
Exploits5References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.29 views

PT-2026-40972

Name of the Vulnerable Software and Affected Versions Strapi versions 4.0.0 through 5.36.1 Description Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References11
Snyk
Snyk
added 2026/05/06 7:50 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the resetuserpassword and gympermissionsuseredit function when both the attacker and victim have gym=None. An attacker can gain unauthorized access to another user's account, obtain their new plaintext passwor...

9.9CVSS5.8AI score0.00371EPSS
Exploits0References2
NVD
NVD
added 2026/04/23 8:16 p.m.6 views

CVE-2026-41276

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...

9.8CVSS0.0687EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/23 7:49 p.m.37 views

CVE-2026-41276 Flowise: AccountService resetPassword Authentication Bypass Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...

7.7CVSS0.0687EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/23 7:49 p.m.4 views

CVE-2026-41276 Flowise: AccountService resetPassword Authentication Bypass Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...

7.7CVSS5.6AI score0.0687EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:49 p.m.4 views

CVE-2026-41276

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...

7.7CVSS5.8AI score0.0687EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder