32765 matches found

CVE
added 3 hours ago, 3 views

CVE-2026-56223

Capgo

9.3 CVSS, 6 AI score
Exploits: 0, References: 2
Cvelist
added 3 hours ago, 3 views

CVE-2026-56223 Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3 CVSS
Exploits: 0, References: 2
EUVD
added 3 hours ago, 4 views

EUVD-2026-38737

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3 CVSS, 6 AI score
Exploits: 0, References: 2
The Hacker News
added 6 hours ago, 3 views

DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering

The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group. "These...

5.9 AI score
Exploits: 0
RedhatCVE
added 7 hours ago, 3 views

CVE-2026-54588

A flaw was found in Poweradmin, a web-based DNS administration tool. An unauthenticated attacker can exploit this vulnerability by manipulating the HTTP_HOST request header. This manipulation allows the attacker to poison the redirect_uri used in the OpenID Connect (OIDC), Security Assertion Markup...

9.6 CVSS, 5.8 AI score
Exploits: 0, References: 2
NVD
added 7 hours ago, 5 views

CVE-2026-9172

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account function in versions up to, and including, 1.2.0. The REST route...

5.3 CVSS
Exploits: 0, References: 3
CVE
added 8 hours ago, 7 views

CVE-2026-7761

CVE-2026-7761 affects the WordPress plugin Ultimate Member up to version 2.11.4. The description in connected sources details a chain of three logic flaws causing account takeover via password reset URL disclosure: (1) an MD5 hash fallback in get_directory_by_hash() allows routing to a crafted po...

8.8 CVSS, 5.9 AI score
Exploits: 0, References: 10
EUVD
added 8 hours ago, 6 views

EUVD-2026-38714

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash that allows any post to be used as a member directory ...

8.8 CVSS, 5.9 AI score
Exploits: 0, References: 10
CVE
added 9 hours ago, 8 views

CVE-2026-12416

The CVE affects the WordPress Invoice Generator plugin up to version 1.0.0. The root cause is pravel_invoice_change_password(), registered as a nopriv AJAX handler without nonce or authorization checks, which compares the supplied reset_activation_code to the user’s forgot_email meta with a loose...

9.8 CVSS, 6.1 AI score
Exploits: 1, References: 4
EUVD
added 9 hours ago, 4 views

EUVD-2026-38680

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

9.8 CVSS, 6.1 AI score
Exploits: 1, References: 4
Cvelist
added 9 hours ago, 9 views

CVE-2026-9172 Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account function in versions up to, and including, 1.2.0. The REST route...

5.3 CVSS
Exploits: 0, References: 3
CVE
added 9 hours ago, 7 views

CVE-2026-9172

WordPress plugin Devs Accounting – Simple Accounting and Invoicing Solution (versions up to 1.2.0) is vulnerable to unauthorized modification/deletion of data due to a missing capability check in delete_single_account(), with the REST route devs-accounting/v1/delete-account/(?P\d+) registered wit...

5.3 CVSS, 6 AI score
Exploits: 0, References: 3
EUVD
added 9 hours ago, 4 views

EUVD-2026-38677

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account function in versions up to, and including, 1.2.0. The REST route...

5.3 CVSS, 6 AI score
Exploits: 0, References: 3
EUVD
added 9 hours ago, 3 views

EUVD-2026-38679

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the pravelchangepassword AJAX handler — registered via wpajaxnoprivpravelchangepassword and...

9.8 CVSS, 5.9 AI score
Exploits: 1, References: 4
CVE
added 9 hours ago, 7 views

CVE-2026-4297

The CVE concerns the Welcome Software Publishing WordPress plugin (

8.8 CVSS, 5.8 AI score
Exploits: 0, References: 9
EUVD
added 9 hours ago, 4 views

EUVD-2026-38664

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the ncsetOption function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the us...

8.8 CVSS, 5.8 AI score
Exploits: 0, References: 9
CVE
added 9 hours ago, 4 views

CVE-2026-9175

The CVE concerns the WordPress plugin Devs Accounting – Simple Accounting and Invoicing Solution, affected versions up to 1.2.0. The root cause is a REST endpoint get-account in get_single_account() where the permission_callback unconditionally returns true, resulting in missing authorization for...

5.3 CVSS, 6 AI score
Exploits: 0, References: 3
EUVD
added 9 hours ago, 3 views

EUVD-2026-38659

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account REST API callback being registered with a permission_callback that unconditionally returns tru...

5.3 CVSS, 6 AI score
Exploits: 0, References: 3
Nuclei
added 12 hours ago, 23 views

Netsweeper 4.0.5 - Default Weak Account

The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. id: CVE-2014-9614 info: name: Netsweeper 4.0.5 - Default Weak Account author: daffainfo severity: critica...

9.8 CVSS, 7.4 AI score, 0.66638 EPSS
Exploits: 1, References: 4
Nuclei
added 12 hours ago, 63 views

Horde Groupware Unauthenticated Admin Access

Horde Groupware contains an administrative account with a blank password, which allows remote attackers to gain access. id: CVE-2005-3344 info: name: Horde Groupware Unauthenticated Admin Access author: pikpikcu severity: critical description: Horde Groupware contains an administrative account wi...

10 CVSS, 5.9 AI score, 0.07986 EPSS
Exploits: 0, References: 5