149 matches found
Brute Force
Overview Affected versions of this package are vulnerable to Brute Force due to improper enforcement of authentication lockout in the login process. An attacker can gain unauthorized access to accounts protected by two-factor authentication by repeatedly submitting incorrect TOTP codes without...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the OIDC login process when the EmailFallback mechanism is enabled. An attacker can gain unauthorized access to accounts protected by TOTP by authenticating to the OIDC provider with a matching email address,...
EUVD-2026-21414
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path...
PT-2026-31948
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description A flaw exists in Vikunja before version 2.3.0 related to the Time-based One-Time Password TOTP failed-attempt lockout mechanism. A database transaction handling bug prevents the account lockout from...
Vikunja 安全漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.3.0 contained security vulnerabilities. These vulnerabilities stemmed from a failure in the TOTP lock mechanism’s attempt to lock the account due to database transaction processing errors...
SonicWall SMA 1000 Series <= 12.4.3-03245 / 12.5.x <= 12.5.0-02283 Multiple Vulnerabilities (SNWLID-2026-0003)
The remote host is a SonicWall SMA 1000 Series device that is affected by multiple vulnerabilities: - A privilege escalation vulnerability due to improper neutralization of special elements used in an SQL command. A remote authenticated attacker with read-only administrator privileges can escalat...
CVE-2026-4114
Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication...
CVE-2026-4114
Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication...
PT-2026-31395
Name of the Vulnerable Software and Affected Versions SonicWall SMA1000 series appliances affected versions not specified Description A remote attacker can enumerate SSL VPN user credentials due to an observable response discrepancy. Recommendations At the moment, there is no information about a...
SUSE CVE-2026-33473
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...
CVE-2026-31875
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...
SUSE CVE-2026-32246
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...
CVE-2026-33473
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...
CVE-2026-33473 Vikunja has TOTP Reuse During Validity Window
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...
CVE-2026-33473
CVE-2026-33473 describes a TOTP reuse vulnerability in Vikunja: any user with 2FA enabled can reuse their TOTP within the standard 30-second window in versions prior to 2.2.1. The issue affects Vikunja 0.13 up to before 2.2.1 and is fixed in 2.2.1. The CVSS 3.1 base score is 5.7 (Medium). Actiona...
Vikunja 授权问题漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. In versions 0.13 to 2.2.1 of Vikunja, there was a vulnerability related to authorization. This vulnerability occurred because users who enabled two-factor authentication could reuse TOTP within the standard 30-second...
Replay Attack
Overview Affected versions of this package are vulnerable to Replay Attack via the TOTP authentication process. An attacker can bypass authentication controls by reusing a valid TOTP code within its validity window. Remediation Upgrade github.com/go-vikunja/vikunja/pkg/user to version 2.2.1 or...
Replay Attack
Overview Affected versions of this package are vulnerable to Replay Attack via the TOTP authentication process. An attacker can bypass authentication controls by reusing a valid TOTP code within its validity window. Remediation Upgrade code.vikunja.io/api/pkg/user to version 2.2.1 or higher...
GO-2026-4805 Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api
Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...
GHSA-P747-QC5P-773R Vikunja has TOTP Reuse During Validity Window
Summary Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...