50 matches found

Source: NVD (added yesterday, 5 views)

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | Exploits: 0 | References: 2
Source: EUVD (added yesterday, 4 views)

EUVD-2026-34255

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | AI score 5.8 | Exploits: 0 | References: 2
Source: CVE (added yesterday, 5 views)

CVE-2026-43926

FOSSBilling prior to 0.8.0 allows probing the password-reset flow because the non-API controller for /client/reset-password-confirm/:hash is not rate-limited like /api/* endpoints. The endpoint may reveal valid vs invalid tokens (200 vs 302), enabling unlimited token guessing until expiry. Token ...

CVSS 6.3 | AI score 5.8 | Exploits: 0 | References: 2
Source: Cvelist (added yesterday, 5 views)

CVE-2026-43926 FOSSBilling's password reset confirmation endpoint lacks rate limiting

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | Exploits: 0 | References: 2
Source: Cvelist (added 2026/03/12 1:2 p.m., 23 views)

CVE-2026-0809 Weak KSeF token encoding in Streamsoft Prestiż

Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded. This issue was fixed in version 20.0.380.92...

CVSS 6.3 | EPSS 0.00061 | Exploits: 0 | References: 2
Source: CVE (added 2026/03/12 1:2 p.m., 3 views)

CVE-2026-0809

CVE-2026-0809 concerns Streamsoft Prestiż. The vulnerability arises from a weak, custom token encoding algorithm used by the software, which enables an attacker to guess the KSeF (Krajowy System e‑Faktur) token after analyzing how tokens with known values are encoded. The issue affects Streamsoft...

CVSS 6.3 | AI score 5.8 | EPSS 0.00061 | Exploits: 0 | References: 2
Source: CNNVD (added 2026/03/12 12:0 a.m., 2 views)

Streamsoft Prestiz security vulnerability

Streamsoft Prestiz is an ERP system for the plastics industry developed by Streamsoft Corporation. Streamsoft Prestiz has a security vulnerability that stems from the use of a custom token encoding algorithm. This vulnerability may allow an attacker to guess the value of KSeF tokens after analyzi...

CVSS 6.3 | AI score 5.8 | EPSS 0.00061 | Exploits: 0 | References: 2
Source: Github Security Blog (added 2026/03/06 6:45 p.m., 3 views)

Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens

createWebhook in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/token. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote...

AI score 6 | Exploits: 0 | References: 4 | Affected Software: 2
Source: Snyk (added 2026/03/06 6:45 p.m., 1 view)

Weak Password Recovery Mechanism for Forgotten Password

Overview: @workflow/core is a Core runtime and engine for Workflow DevKit. Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the createWebhook function. An attacker can gain unauthorized access to workflow execution by guessing predictab...

CVSS 8.8 | AI score 5.9 | Exploits: 0 | References: 2
Source: EUVD (added 2026/03/05 9:59 p.m., 3 views)

EUVD-2026-9910

OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually...

CVSS 9.8 | AI score 5.9 | EPSS 0.00202 | Exploits: 0 | References: 3
Source: RedhatCVE (added 2026/02/04 7:27 p.m., 2 views)

CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | AI score 5.3 | EPSS 0.00049 | Exploits: 0 | References: 1
Source: NVD (added 2026/02/03 7:16 p.m., 4 views)

CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | EPSS 0.00049 | Exploits: 0 | References: 1
Source: OSV (added 2026/02/03 7:16 p.m., 0 views)

UBUNTU-CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | AI score 5.7 | EPSS 0.00049 | Exploits: 0 | References: 3
Source: ATTACKERKB (added 2026/02/03 6:29 p.m., 2 views)

CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | AI score 5.3 | EPSS 0.00049 | Exploits: 0 | References: 2 | Affected Software: 1
Source: EUVD (added 2026/02/03 6:29 p.m., 3 views)

EUVD-2026-5200

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | AI score 5.3 | EPSS 0.00049 | Exploits: 0 | References: 1
Source: Cvelist (added 2026/02/03 6:29 p.m., 24 views)

CVE-2026-25235 PEAR Has a Predictable Verification Hash in Election Account Requests

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | EPSS 0.00049 | Exploits: 0 | References: 1
Source: CNNVD (added 2026/02/03 12:0 a.m., 3 views)

pearweb security vulnerability

PearWeb is a PHP extension and application repository developed by PEAR. Versions prior to pearweb 1.33.0 contained security vulnerabilities. These vulnerabilities stemmed from predictable verification hashing, which could allow attackers to guess verification tokens and potentially unauthorized...

CVSS 8.2 | AI score 5.8 | EPSS 0.00049 | Exploits: 0 | References: 2
Source: Positive Technologies (added 2025/12/05 12:0 a.m., 3 views)

PT-2025-49266

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The...

CVSS 4.8 | AI score 6.7 | EPSS 0.00023 | Exploits: 0 | References: 5
Source: Positive Technologies (added 2025/10/30 12:0 a.m., 2 views)

PT-2025-44424

Name of the Vulnerable Software and Affected Versions: 2nd Line Android App versions v1.2.92 and earlier. Description: The 2nd Line Android App has an issue with how it controls access during authentication. The server only checks the first character of the user token, which allows attackers to gues...

CVSS 7.5 | AI score 6.3 | EPSS 0.00062 | Exploits: 0 | References: 3
Source: RedhatCVE (added 2025/10/07 4:33 a.m., 1 view)

CVE-2025-59425

A flaw was found in vLLM's API token authentication logic, where token comparisons were not performed in constant time. This weakness could allow an attacker to exploit timing differences to guess valid tokens and bypass authentication. Mitigation: Mitigation for this issue is either not available...

CVSS 7.5 | AI score 6.3 | EPSS 0.00298 | Exploits: 1 | References: 3