CVE-2026-34025 IP restriction bypass in Wertheim SafeController Software allows logins from unauthorized network locations
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP...
Keycloak: Unauthorized authentication via disabled SAML Identity Provider
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity...
CVE-2025-52026
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 ...
PT-2026-4531
Name of the Vulnerable Software and Affected Versions: Aptsys gemscms backend platform versions prior to 2025-05-29. Description: An information disclosure issue exists in the /srvs/membersrv/getCashiers API endpoint of the Aptsys gemscms backend platform. This unauthenticated endpoint reveals a lis...
CVE-2025-60892
An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user...
EUVD-2025-37486
An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user...
PT-2025-44765
Name of the Vulnerable Software and Affected Versions: Raspberry Pi Imager version 1.9.6. Description: An issue exists in the OS customization feature of Raspberry Pi Imager. The 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to t...
EUVD-2025-35189
The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information...
EUVD-2024-33486
Malicious code in bioql PyPI...
EUVD-2024-44220
Malicious code in bioql PyPI...
EUVD-2025-21859
Malicious code in bioql PyPI...
WordPress plugin Simpler Checkout security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
“Ring cameras hacked”? Amazon says no, users not so sure
In the last week, countless Amazon Ring users on TikTok, Reddit, and X have been saying they believe their Ring cameras were hacked starting May 28. Many posted screenshots of their accounts, showing multiple unauthorized device logins, making these claims hard to ignore. Forbes looked into the...
DNN.PLATFORM security vulnerability
DNN.PLATFORM is an open source web content management platform (CMS) from DNN Open Source. A security vulnerability exists in DNN.PLATFORM versions prior to 10.0.1, which stems from a specially crafted request bypassing the IP filter design, which could lead to unauthorized logins...
Password Spray Attacks Taking Advantage of Lax MFA
In the first quarter of 2025, Rapid7’s Managed Threat Hunting team observed a significant volume of brute-force password attempts leveraging FastHTTP, a high-performance HTTP server and client library for Go, to automate unauthorized logins via HTTP requests. This rapid volume of credential...
Vben-Admin security vulnerability
Vben-Admin is an admin framework from Hackerhan, an individual developer. A security vulnerability exists in Vben-Admin version 2.10.1, which stems from hard-coded credentials that lead to unauthorized logins...
CVE-2019-15002
An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account...
CVE-2024-12287
The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as othe...
CVE-2024-49765
CVE-2024-49765 affects Discourse where sites enabling Discourse Connect alongside local login methods could allow an attacker to bypass Discourse Connect to create accounts and log in. The issue is described as a bypass of login paths rather than a remote exploit; affected component is the Discou...