Lucene search
K

2547 matches found

Nextcloud
Nextcloud
added 2026/05/13 6:50 a.m.25 views

Bypass of second factor authentication on DAV endpoints by reusing a pre-2FA session ID

None...

5.9CVSS5.8AI score0.0029EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 10:30 p.m.10 views

CVE-2026-44547 ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

9.6CVSS5.8AI score0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/12 10:30 p.m.36 views

CVE-2026-44547 ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

9.6CVSS0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/05/12 10:30 p.m.18 views

CVE-2026-44547

CVE-2026-44547 affects ChurchCRM 7.2.0–7.2.2, where an incomplete fix for CVE-2026-4058 left the public login path exploitable. The hardening commit was merged but silently stripped from src/api/routes/public/public-user.php before any 7.2.x tag was cut, so all 7.2.x releases remain vulnerable. T...

9.6CVSS5.8AI score0.00209EPSS
Exploits0References2
NVD
NVD
added 2026/05/12 6:17 p.m.13 views

CVE-2026-44196

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS0.00299EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 5:40 p.m.37 views

CVE-2026-44196 Pingvin Share X: TOTP Authentication Bypass via Password-only Login

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS0.00299EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/12 5:40 p.m.11 views

EUVD-2026-29727

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 5:40 p.m.6 views

CVE-2026-44196 Pingvin Share X: TOTP Authentication Bypass via Password-only Login

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/12 9:49 a.m.13 views

CVE-2026-43914

A flaw was found in Vaultwarden, a Bitwarden-compatible server. A remote attacker can exploit an unprotected two-factor authentication 2FA function, sendemaillogin, to bypass login brute-force protection. This allows the attacker to repeatedly attempt password guesses without rate-limiting,...

9.8CVSS5.8AI score0.00288EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/05/12 8:20 a.m.7 views

CVE-2026-42452

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT temptoken for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow...

8.1CVSS5.7AI score0.00306EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.14 views

PT-2026-40332

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.8 views

Pingvin Share 授权问题漏洞

Pingvin Share is a self-hosted file sharing platform developed by Elias Schneider as an individual project. Versions of Pingvin Share from 1.14.1 to 1.16.2 have vulnerabilities related to authorization. These vulnerabilities stem from critical authentication bypass exploits, which could allow...

9.1CVSS5.9AI score0.00299EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 11:20 p.m.16 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

9.8CVSS0.00288EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/05/11 10:3 p.m.10 views

CVE-2026-43914 Vaultwarden: Brute-force protection bypass vulnerability

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

7.3CVSS5.8AI score0.00288EPSS
Exploits1References3
CVE
CVE
added 2026/05/11 10:3 p.m.60 views

CVE-2026-43914

Vaultwarden prior to 1.35.4 is affected. The unprotected two‑factor login endpoint /api/two-factor/send-email-login (email.rs) can act as an oracle to determine if a username/password is correct, enabling brute‑force attempts without rate‑limiting even for users without email 2FA. Impact: bypasse...

9.8CVSS5.8AI score0.00288EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/05/11 10:3 p.m.38 views

CVE-2026-43914 Vaultwarden: Brute-force protection bypass vulnerability

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

7.3CVSS0.00288EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/11 10:3 p.m.9 views

EUVD-2026-29342

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

7.3CVSS5.8AI score0.00288EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/05/11 10:3 p.m.7 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

7.3CVSS5.8AI score0.00288EPSS
Exploits1References4Affected Software1
The Hacker News
The Hacker News
added 2026/05/11 3:45 p.m.17 views

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence AI system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and...

5.7AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/11 2:40 p.m.9 views

CVE-2026-34087 Users API leaks whether privileged users have their user groups disabled for lack of 2FA

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from before 1.43.7, 1.44.4, 1.45.2...

5.1CVSS5.8AI score0.00267EPSS
Exploits0References1
Rows per page
Query Builder