
ATTACKERKB
added 2026/03/13 9:41 p.m., 3 views

CVE-2026-32729

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

CVSS 8.1, AI score 5.9, EPSS 0.0034
Exploits: 1, References: 2, Affected Software: 1

OSV
added 2026/03/13 9:41 p.m., 4 views

CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

CVSS 8.1, AI score 5.9, EPSS 0.0034
Exploits: 1, References: 3

OSV
added 2026/03/12 8:57 p.m., 3 views

GO-2026-4688 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint in github.com/steveiliop56/tinyauth

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint in github.com/steveiliop56/tinyauth. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits: 1, References: 2

Cvelist
added 2026/03/12 6:59 p.m., 26 views

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVSS 8.5, EPSS 0.0027
Exploits: 1, References: 1

Vulnrichment
added 2026/03/12 6:59 p.m., 3 views

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits: 1, References: 1

OSV
added 2026/03/12 6:59 p.m., 4 views

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits: 1, References: 3

EUVD
added 2026/03/12 4:38 p.m., 5 views

EUVD-2026-11681

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits: 1, References: 2

Snyk
added 2026/03/12 4:38 p.m., 6 views

Missing Critical Step in Authentication

Overview: Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

CVSS 8.5, AI score 5.7, EPSS 0.0027
Exploits: 1, References: 2

OSV
added 2026/03/12 4:38 p.m., 4 views

GHSA-3Q28-QJRV-QR39 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary: The OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

CVSS 8.5, AI score 6, EPSS 0.0027
Exploits: 1, References: 4

Github Security Blog
added 2026/03/12 4:38 p.m., 7 views

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary: The OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

CVSS 8.5, AI score 5.9, EPSS 0.0027
Exploits: 1, References: 4, Affected Software: 1

CNNVD
added 2026/03/12 12:00 a.m., 4 views

Tinyauth authorization vulnerability

Tinyauth is an authentication and authorization server developed by the individual developer Stavros. Tinyauth versions prior to 5.0.3 have an authorization vulnerability. It stems from the OIDC authorization endpoint, which allowed users with pending TOTP sessions to obtain...

CVSS 8.5, AI score 7.3, EPSS 0.0027
Exploits: 1, References: 1

NVD
added 2026/03/11 10:16 p.m., 5 views

CVE-2026-32133

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 9.1, EPSS 0.00505
Exploits: 1, References: 1

CVE
added 2026/03/11 9:45 p.m., 12 views

CVE-2026-32133

CVE-2026-32133 concerns the 2FAuth web app in versions before 6.1.0. A blind SSRF flaw in the OTP URL's image parameter allows authenticated users to cause the server to make arbitrary HTTP requests to internal networks and cloud metadata endpoints. The issue is triggered by insufficient validati...

CVSS 9.1, AI score 5.9, EPSS 0.00505
Exploits: 1, References: 1, Affected Software: 1

ATTACKERKB
added 2026/03/11 9:45 p.m., 2 views

CVE-2026-32133

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 7.8, AI score 5.9, EPSS 0.00505
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2026/03/11 9:45 p.m., 2 views

CVE-2026-32133 2FAuth has Blind SSRF in image parameter allows internal network access and more

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 7.8, AI score 5.9, EPSS 0.00505
Exploits: 1, References: 1

EUVD
added 2026/03/11 9:45 p.m., 7 views

EUVD-2026-11414

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 7.8, AI score 5.9, EPSS 0.00505
Exploits: 1, References: 1

OSV
added 2026/03/11 9:45 p.m., 4 views

CVE-2026-32133 2FAuth has Blind SSRF in image parameter allows internal network access and more

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 7.8, AI score 5.9, EPSS 0.00505
Exploits: 1, References: 3

EUVD
added 2026/03/11 3:31 p.m., 4 views

EUVD-2026-11172

In JetBrains Hub before 2026.1, an account mismatch on sign-in was possible with non-SSO auth and 2FA disabled...

CVSS 6.8, AI score 5.8, EPSS 0.0017
Exploits: 0, References: 2

NVD
added 2026/03/11 3:16 p.m., 4 views

CVE-2026-32229

In JetBrains Hub before 2026.1, an account mismatch on sign-in was possible with non-SSO auth and 2FA disabled...

CVSS 6.8, EPSS 0.0017
Exploits: 0, References: 1

Cvelist
added 2026/03/11 3:03 p.m., 26 views

CVE-2026-32229

In JetBrains Hub before 2026.1, an account mismatch on sign-in was possible with non-SSO auth and 2FA disabled...

CVSS 6.8, EPSS 0.0017
Exploits: 0, References: 1