Lucene search
+L

11447 matches found

NVD
NVD
added 2 days ago7 views

CVE-2026-62236

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS0.00099EPSS
Exploits0References2
NVD
NVD
added 2 days ago8 views

CVE-2026-62241

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS0.00389EPSS
Exploits0References2
NVD
NVD
added 2 days ago4 views

CVE-2026-62232

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS0.0028EPSS
Exploits0References2
CVE
CVE
added 2 days ago18 views

CVE-2026-62241

CVE-2026-62241 affects the clawvet self-hosted API server (apps/api) prior to 0.7.5. The vulnerability arises from a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') implemented in auth.ts and shipped as the default in .env.example. Because GET /api/v1/scans returns scan records co...

9.3CVSS6.1AI score0.00389EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago41 views

CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS0.00389EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago11 views

EUVD-2026-45085

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS6.1AI score0.00389EPSS
Exploits0References2
OSV
OSV
added 2 days ago2 views

CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS5.5AI score0.00389EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-45082

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score0.00099EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-62236 grav-plugin-login < 3.8.11 CSRF via regenerate2FASecret

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS0.00099EPSS
Exploits0References2
CVE
CVE
added 2 days ago15 views

CVE-2026-62236

grav-plugin-login before 3.8.11 contains a CSRF in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated user without anti-CSRF nonce or Origin/Referer checks. Grav core dispatches the task via a top-level GET using the task: URI param...

5.4CVSS6.1AI score0.00099EPSS
Exploits0References2
CVE
CVE
added 2 days ago9 views

CVE-2026-62232

Grav

9.1CVSS6.1AI score0.0028EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-62232

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS6.1AI score0.0028EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-45120

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS6.1AI score0.0028EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-62232 Grav < 2.0.4 2FA Bypass via Secret Regeneration

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS0.0028EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-62232 Grav < 2.0.4 2FA Bypass via Secret Regeneration

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS5.3AI score0.0028EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-60741

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.4AI score0.00207EPSS
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-44434

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the...

5.3CVSS0.00147EPSS
Exploits0References2
OSV
OSV
added 3 days ago4 views

GHSA-WCRF-9VRR-854F Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure

Impact The toabsolutenormalizedpath function security.lua:28-43 does not collapse redundant path separators // → /. On Linux, //etc/passwd is equivalent to /etc/passwd POSIX path semantics, but iscriticalpath fails to match the double-slash variant because //etc/passwd does not start with /etc/...

9.1CVSS6.1AI score0.0004EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 3 days ago10 views

Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure

Impact The toabsolutenormalizedpath function security.lua:28-43 does not collapse redundant path separators // → /. On Linux, //etc/passwd is equivalent to /etc/passwd POSIX path semantics, but iscriticalpath fails to match the double-slash variant because //etc/passwd does not start with /etc/...

6.1AI score0.0004EPSS
Exploits0References2Affected Software1
NVD
NVD
added 3 days ago10 views

CVE-2026-46514

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fmresetpassword in Tools/ResetPassword.php:48-53 returned a plaintext password and fmaddextension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode...

6.5CVSS0.0026EPSS
Exploits0References4
Rows per page
Query Builder