445 matches found
CVE-2026-48611
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...
CVE-2026-48611
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...
EUVD-2026-36375
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...
CVE-2026-48611
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...
CVE-2026-48611
CVE-2026-48611 describes improper authentication checks in an OAuth implementation that can allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations. The public records do not specify targeted products, versions, vendor names, o...
PT-2026-48826
Name of the Vulnerable Software and Affected Versions phpBB versions prior to 3.3.16 Description Improper authentication checks in the OAuth implementation allow remote unauthenticated account hijacking. This issue can lead to unauthorized access in default installations, even in cases where OAut...
Hackers Abused Meta’s AI Support Bot to Hijack Major Instagram Accounts
Hackers abused Meta’s AI support bot to hijack major Instagram accounts, bypassing security checks as videos showed the flaw before Meta fixed the issue...
CVE-2026-44166
PocketBase suffers an account pre-hijacking vulnerability via OAuth2 unverfied→verified autolinking. An attacker who knows a victim’s email can pre-create and link an unverified PocketBase user by authenticating with an OAuth2 provider (e.g., A). When the victim later signs up with a different pr...
aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
Important: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update
An update is now available for Red Hat Ansible Automation Platform 2.6 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...
CVE-2026-6266 Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
EUVD-2026-26967
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
CVE-2026-6266 Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider IDP identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a...
OpenC3 COSMOS 安全漏洞
OpenC3 COSMOS is an open-source application developed by OpenC3. Vulnerabilities exist in versions of OpenC3 COSMOS prior to 6.10.5 and 7.0.0-rc3. These vulnerabilities stem from the password change feature, which allows users to change their passwords using valid session tokens without providing...
RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2026:13512)
The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:13512 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT...
RHEL 10 / 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Important) (RHSA-2026:13508)
The remote Redhat Enterprise Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:13508 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT...
EUVD-2026-19827
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting XSS vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...
Meta rolls out anti-scam tools across WhatsApp, Facebook, and Messenger
Meta has rolled out more anti-scam protections across WhatsApp, Facebook, and Messenger to fight sophisticated fraud tactics. The features will help stop celebrity impersonators and brand spoofers from defrauding its users, the company said. Meta is also targeting attackers who exploit legitimate...
Vikunja 代码问题漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.0.0 had code vulnerabilities. These vulnerabilities stemmed from allowing the setting of weak passwords, where user-changed passwords still allowed active sessions to remain valid,...
CVE-2024-5386
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...