CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:29 p.m.•7 views

CVE-2026-24468

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.5AI score0.00294EPSS

ATTACKERKB•added 2026/06/04 12:46 p.m.•5 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS5.8AI score0.00217EPSS

Exploits0References3Affected Software1

CVE•added 2026/06/04 12:46 p.m.•12 views

CVE-2026-43926

FOSSBilling prior to 0.8.0 allows probing the password-reset flow because the non-API controller for /client/reset-password-confirm/:hash is not rate-limited like /api/* endpoints. The endpoint may reveal valid vs invalid tokens (200 vs 302), enabling unlimited token guessing until expiry. Token ...

6.3CVSS5.8AI score0.00217EPSS

CNNVD•added 2026/06/04 12:0 a.m.•4 views

FOSSBilling 安全漏洞

FOSSBilling is an open-source billing and customer management platform for hosting service providers and digital service providers. Versions of FOSSBilling prior to 0.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the password reset confirmation endpoint being...

6.3CVSS5.3AI score0.00217EPSS

EUVD•added 2026/06/03 12:0 a.m.•9 views

EUVD-2026-34153

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network...

4.3CVSS5.9AI score0.00166EPSS

ATTACKERKB•added 2026/05/28 2:13 p.m.•6 views

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

8.8CVSS5.8AI score0.00324EPSS

Exploits0References3

Snyk•added 2026/05/20 3:45 p.m.•6 views

Weak Password Recovery Mechanism for Forgotten Password

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the updatePassword function. An attacker can enumerate valid user accounts and forcibly chan...

8.8CVSS5.8AI score0.00241EPSS

NVD•added 2026/05/12 6:16 p.m.•6 views

CVE-2026-31242

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...

9.1CVSS0.00489EPSS

Positive Technologies•added 2026/05/12 12:0 a.m.•7 views

PT-2026-40129

6AI score0.00489EPSS

Exploits0References3

NVD•added 2026/04/20 4:16 p.m.•2 views

CVE-2026-24468

5.3CVSS0.00294EPSS

ATTACKERKB•added 2026/04/20 3:45 p.m.•2 views

CVE-2026-24468

Exploits0References5Affected Software1

Cvelist•added 2026/04/20 3:45 p.m.•26 views

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

5.3CVSS0.00294EPSS

EUVD•added 2026/04/20 3:45 p.m.•1 views

EUVD-2026-23883

CVE•added 2026/04/20 3:45 p.m.•9 views

CVE-2026-24468

OpenAEV versions prior to 2.0.13 expose an account-enumeration flaw via the /api/reset login parameter. If the email does not exist, the API returns 400 Bad Request; if the email exists, it returns 200. This observable response difference enables an attacker to reliably determine which emails are...

Positive Technologies•added 2026/04/20 12:0 a.m.•2 views

PT-2026-33788

CNNVD•added 2026/04/20 12:0 a.m.•6 views

Exploits0References8

OpenAEV 安全漏洞

OpenAEV is an open-source personal planning platform under the OpenAEV Platform. Versions of OpenAEV from 1.11.0 to 2.0.13 contained security vulnerabilities. These vulnerabilities stemmed from differences in responses made by the/api/reset endpoint for valid and invalid usernames, which could...

5.3CVSS5.8AI score0.00294EPSS

NVD•added 2026/04/15 8:16 p.m.•3 views

CVE-2026-33877

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...

3.7CVSS0.00365EPSS

Exploits1References2

CVE•added 2026/04/10 4:3 p.m.•5 views

CVE-2026-35660

OpenClaw is affected by a vulnerability in the Gateway agent’s /reset endpoint, prior to version 2026.3.23. The flaw grants callers with operator.write permission the ability to reset admin sessions by invoking /reset or /new with an explicit sessionKey, bypassing operator.admin requirements and ...

8.1CVSS5.9AI score0.00272EPSS

Exploits0References4Affected Software1

Cvelist•added 2026/04/10 4:3 p.m.•24 views

CVE-2026-35660 OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...

8.1CVSS0.00272EPSS