2546 matches found
PT-2026-23737
Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 7.10.8 Rocket.Chat versions prior to 7.11.5 Rocket.Chat versions prior to 7.12.5 Rocket.Chat versions prior to 7.13.4 Rocket.Chat versions prior to 8.0.2 Rocket.Chat versions prior to 8.1.1 Rocket.Chat versions...
OneUptime 安全漏洞
OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime 10.0.11 and earlier contain security vulnerabilities. These vulnerabilities stem from the WebAuthn authentication implementation, which does not...
Rocket.Chat 安全漏洞
Rocket.Chat is a chat software developed by the Rocket.Chat company. There were security vulnerabilities in versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0. These vulnerabilities stemmed from authentication issues within the DDP Streamer service, where two-factor...
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Vulnerability Allowing MFA Bypass Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication 2FA and log in to the administrative...
Incorrect Authorization
Overview ec-cube/ec-cube is an e-commerce solution. Affected versions of this package are vulnerable to Incorrect Authorization in the admintwofactorauthset process. An attacker can gain unauthorized access to the administrative interface and perform actions such as viewing sensitive information ...
GHSA-7RHV-H82H-VPJH EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Vulnerability Allowing MFA Bypass Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication 2FA and log in to the administrative...
CVE-2026-21621
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
CVE-2026-21621
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
CVE-2026-21621
CVE-2026-21621 affects the Hex.pm application (hexpm/hexpm). The vulnerability arises from the OAuth client_credentials flow in Elixir.HexpmWeb.API.OAuthController (validate_scopes_against_key/2), where a read-only API key (domain: api, resource: read) loses its scope and is issued a broad api sc...
EUVD-2026-9849
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
EEF-CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
Authorities Shut Down Tycoon 2FA Phishing Platform Used to Bypass MFA
Europol and partners dismantle Tycoon 2FA phishing service used to bypass MFA, disrupting a global phishing-as-a-service operation targeting organisations...
SUSE CVE-2025-64175
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code e.g., from their own account to...
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Tycoon 2FA , one of the prominent phishing-as-a-service PhaaS toolkits that allowed cybercriminals to stage adversary-in-the-middle AitM credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies. The subscription-based phishing kit,...
CVE-2026-30777
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication MFA bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...
CVE-2026-30777
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication MFA bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...
EC-CUBE vulnerable to multi-factor authentication bypass
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains the following vulnerability. Authentication bypass using an alternate path or channel CWE-288 - CVE-2026-30777 EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LT...
PT-2026-23497
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
PT-2026-23136
Name of the Vulnerable Software and Affected Versions EC-CUBE affected versions not specified Description The software contains a multi-factor authentication MFA bypass. An attacker with a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized...