82 matches found

SUSE CVE
added 2026/05/20 3:02 a.m. | 4 views

SUSE CVE-2025-6014

Vault and Vault Enterprise's “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 6.5 | AI score 5.9 | EPSS 0.00169
Exploits: 0 | References: 3

Github Security Blog
added 2026/04/21 6:26 p.m. | 4 views

OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact: When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

CVSS 4.9 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 6 | Affected software: 1

OSV
added 2026/04/21 6:26 p.m. | 2 views

GHSA-6VGR-CP5C-FFX3 OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact: When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

CVSS 4.9 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 6

RedhatCVE
added 2026/04/21 11:46 a.m. | 1 view

CVE-2026-39946

A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injectio...

CVSS 4.9 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 4

Snyk
added 2026/04/21 2:08 a.m. | 1 view

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection due to improper quoting of schema names in the PostgreSQL database secrets engine during the role revocation process. An attacker can execute arbitrary SQL commands as the management user by supplying crafted schema names...

CVSS 5.8 | AI score 6.2 | EPSS 0.00032
Exploits: 0 | References: 2

CVE
added 2026/04/21 12:19 a.m. | 7 views

CVE-2026-39946

OpenBao (open source identity-based secrets manager) before version 2.5.3 is affected. When revoking privileges on a role within the PostgreSQL database secrets engine, OpenBao could fail to properly quote schema names provided by PostgreSQL, potentially leading to role revocation failures and, m...

CVSS 4.9 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1 | Affected software: 1

Vulnrichment
added 2026/04/21 12:19 a.m. | 2 views

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

CVSS 4.6 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-18273

Malware in sbrugna...

CVSS 5.3 | AI score 5.3 | EPSS 0.00366
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2021-0986

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.00428
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2023-2597

Malicious code in bioql PyPI...

CVSS 6.8 | AI score 6.5 | EPSS 0.01521
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-23390

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.3 | EPSS 0.00169
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-2820

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 7.9 | EPSS 0.00603
Exploits: 0 | References: 5

Veracode
added 2025/08/20 7:30 a.m. | 2 views

Authentication Bypass

github.com/hashicorp/vault is vulnerable to authentication bypass. The vulnerability is due to the TOTP Secrets Engine code validation endpoint allowing code reuse within its validity period, which allows an attacker to replay a previously valid code to gain unauthorized access...

CVSS 6.5 | AI score 7.6 | EPSS 0.00169
Exploits: 0 | References: 3 | Affected software: 1

OSV
added 2025/08/11 5:59 p.m. | 3 views

GO-2025-3853 OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao

OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...

CVSS 6.5 | AI score 7.1 | EPSS 0.00169
Exploits: 0 | References: 5

OSV
added 2025/08/11 5:24 p.m. | 3 views

GO-2025-3841 Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault

Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault...

CVSS 6.5 | AI score 7.2 | EPSS 0.00169
Exploits: 0 | References: 3

CVE
added 2025/08/09 2:01 a.m. | 16 views

CVE-2025-55000

OpenBao CVE-2025-55000 affects OpenBao 0.1.0–2.3.1. Root cause: unexpected normalization in the underlying TOTP library allows the TOTP secrets engine to accept valid codes more than once. Impact statement in sources notes that TOTP code verification is a privileged action and only trusted system...

CVSS 6.5 | AI score 6.7 | EPSS 0.00064
Exploits: 0 | References: 3 | Affected software: 1

Cvelist
added 2025/08/09 2:01 a.m. | 4 views

CVE-2025-55000 OpenBao TOTP Secrets Engine Enables Code Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly once. This was caused by unexpected...

CVSS 6.5 | EPSS 0.00064
Exploits: 0 | References: 3

OSV
added 2025/08/05 8:53 a.m. | 7 views

BIT-VAULT-2025-6014 Vault TOTP Secrets Engine Code Reuse

Vault and Vault Enterprise's “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 6.5 | AI score 6.4 | EPSS 0.00169
Exploits: 0 | References: 2

RedhatCVE
added 2025/08/04 12:35 p.m. | 4 views

CVE-2025-6014

A flaw was found in github.com/hashicorp/vault. The Time-based One-Time Password Secrets Engine's TOTP validation endpoint allows code reuse during its validity period, enabling a remote attacker to potentially leverage existing, valid TOTP secrets. This vulnerability allows an attacker to...

CVSS 6.5 | AI score 6.2 | EPSS 0.00169
Exploits: 0 | References: 5

Github Security Blog
added 2025/08/01 6:31 p.m. | 7 views

Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse

Vault and Vault Enterprise's “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 6.5 | AI score 7.3 | EPSS 0.00169
Exploits: 0 | References: 3 | Affected software: 1