Lucene search
K

16 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/24 3:22 p.m.12 views

Malicious code in cami-design (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57ccc787b2437085a18ed05c52fc473d8c28162cbe3cbbaa04adaefa73389da1 On install, scripts/install.js invokes autoUpdate.install, which writes a launchd agent to...

6.4AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.4 views

PT-2026-29935

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/03/27 6:17 p.m.7 views

GHSA-3458-R943-HMX4 Fleet: Password reset tokens remain valid after password change for 24 hours

Summary A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

6CVSS5.9AI score0.00335EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/27 6:17 p.m.3 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset process. An attacker can gain unauthorized access to a user's account by reusing a previously obtained password reset token within its validity period, even after the user has change...

8.8CVSS5.9AI score0.00335EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/27 6:17 p.m.8 views

EUVD-2026-16742

Fleet: Password reset tokens remain valid after password change for 24 hours...

6CVSS5.8AI score0.00335EPSS
Exploits0References1
NVD
NVD
added 2026/03/27 1:16 a.m.10 views

CVE-2026-33935

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

8.7CVSS0.00543EPSS
Exploits1References5
EUVD
EUVD
added 2026/03/27 12:43 a.m.7 views

EUVD-2026-16521

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

8.7CVSS5.8AI score0.00543EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/03/27 12:43 a.m.7 views

CVE-2026-33935 MyTube has Unauthenticated Account Lockout via Shared Login Attempt State

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

8.7CVSS5.9AI score0.00543EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.4 views

CVE-2026-32729

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.8CVSS5.9AI score0.0034EPSS
Exploits1References1
NVD
NVD
added 2026/03/16 2:19 p.m.5 views

CVE-2026-32729

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.8CVSS0.0034EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/13 9:41 p.m.6 views

EUVD-2026-12180

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.1CVSS5.9AI score0.0034EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/13 9:41 p.m.36 views

CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.1CVSS0.0034EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/13 9:41 p.m.2 views

CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.1CVSS5.9AI score0.0034EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.7 views

PT-2026-25401

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.8CVSS5.9AI score0.0034EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2020/05/12 12:0 a.m.7 views

PT-2020-12290 · Red Hat · Openshift Container Platform

Name of the Vulnerable Software and Affected Versions: OpenShift Container Platform affected versions not specified Description: A flaw in OpenShift Container Platform allows an attacker with access to a backup to obtain unencrypted OAuth tokens. These tokens can be used to log into the cluster a...

6.6CVSS6.3AI score0.00128EPSS
Exploits0References2
OSV
OSV
added 2019/06/17 3:15 p.m.3 views

CVE-2018-10239

A privilege escalation vulnerability in the "support access" feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope. The vulnerability is due to a...

6.7CVSS5.8AI score0.00379EPSS
Exploits0References1
Rows per page
Query Builder