Lucene search

46 matches found

CVE
added 2026/04/21 5:09 p.m., 5 views

CVE-2026-40585

blueprintUE prior to 4.2.0 generates a 128-character CSPRNG reset token and stores it with a password_reset_at timestamp. The token redemption function findUserIDFromEmailAndToken() only validates email+token, not whether password_reset_at falls within any expiry window, so a generated reset toke...

CVSS 7.4, AI score 5.8, EPSS 0.00043
Exploits 0, References 1
EUVD
added 2026/04/21 5:09 p.m., 2 views

EUVD-2026-24181

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken queries only for a matching...

CVSS 7.4, AI score 5.8, EPSS 0.00043
Exploits 0, References 1
Positive Technologies
added 2026/04/21 12:00 a.m., 2 views

PT-2026-34022

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken queries only for a matching...

CVSS 7.4, AI score 5.8, EPSS 0.00043
Exploits 0, References 2
Positive Technologies
added 2026/04/02 12:00 a.m., 1 view

PT-2026-29935

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

AI score 5.9
Exploits 0, References 2
Cvelist
added 2026/03/27 6:22 p.m., 17 views

CVE-2026-26060 Fleet: Password reset tokens remain valid after password change for 24 hours

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...

CVSS 6, EPSS 0.00022
Exploits 0, References 1
Vulnrichment
added 2026/03/27 6:22 p.m., 3 views

CVE-2026-26060 Fleet: Password reset tokens remain valid after password change for 24 hours

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...

CVSS 6, AI score 5.8, EPSS 0.00022
Exploits 0, References 1
Github Security Blog
added 2026/03/27 6:17 p.m., 6 views

Fleet: Password reset tokens remain valid after password change for 24 hours

Summary: A vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

CVSS 8.8, AI score 5.9, EPSS 0.00022
Exploits 0, References 3, Affected Software 1
EUVD
added 2026/03/24 6:01 p.m., 3 views

EUVD-2026-14967

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid...

CVSS 6.5, AI score 5.7, EPSS 0.00055
Exploits 1, References 2
CNNVD
added 2026/03/02 12:00 a.m., 3 views

AWS libcrypto security vulnerability

AWS libcrypto is a general-purpose encryption library open sourced by Amazon Web Services. Versions of AWS libcrypto prior to 1.69.0 contained security vulnerabilities. These vulnerabilities stemmed from observable time differences during AES-CCM decryption, which could potentially allow...

CVSS 8.2, AI score 7.5, EPSS 0.00041
Exploits 0, References 4
CVE
added 2025/10/27 9:22 p.m., 6 views

CVE-2025-62781

PILOS (Frontend for BigBlueButton) prior to version 4.8.0 exposes a session-regen flaw: when a local user changes their password, all other active sessions are terminated except the current one, whose token is not refreshed. If an attacker already possesses that session token (from another vulner...

CVSS 5, AI score 6.3, EPSS 0.00028
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2025/10/23 12:17 a.m., 2 views

CVE-2025-62772

On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases...

CVSS 3.1, AI score 6.9, EPSS 0.00015
Exploits 0, References 1
Cvelist
added 2025/10/22 12:00 a.m., 6 views

CVE-2025-62772

On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases...

CVSS 3.1, EPSS 0.00015
Exploits 0, References 2
Vulnrichment
added 2025/10/16 10:43 a.m., 2 views

CVE-2025-3930 Lack of JWT Expiration after Log Out in Strapi

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date, which is set to 30 days by default but can be changed. The existence...

CVSS 6.3, AI score 6.5, EPSS 0.00065
Exploits 0, References 4
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-21885

Malware in sbrugna...

CVSS 8.8, AI score 7.2, EPSS 0.01208
Exploits 0, References 3
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-2546

Malicious code in bioql PyPI...

CVSS 5.9, AI score 6.2, EPSS 0.00241
Exploits 0, References 7
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2024-2751

Malicious code in bioql PyPI...

CVSS 8.1, AI score 6.4, EPSS 0.00115
Exploits 0, References 7
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-48998

Malicious code in bioql PyPI...

CVSS 8.1, AI score 7.9, EPSS 0.00397
Exploits 0, References 3
EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2023-1158

Malicious code in bioql PyPI...

CVSS 7.8, AI score 7.5, EPSS 0.00063
Exploits 1, References 6
Packet Storm News
added 2025/09/12 12:00 a.m., 3 views

Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST

We present AuthREST, an open-source security testing tool targeting broken authentication, one of the most prevalent API security risks in the wild. AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and unchecked token authenticity. Empirical results show that...

AI score 7.2
Exploits 0
Tenable Nessus
added 2025/08/25 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2017-12867

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by...

CVSS 5.9, AI score 6.5, EPSS 0.00241
Exploits 0, References 2