29 matches found
Anchor: Program<'info, System> is not properly validated
Summary: A logic error causes Anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary CPI in programs that invoke system program instructions. Details: In the TryFrom implementation for Program, the id of T is compar...
CVE-2026-23511
CVE-2026-23511 affects Zitadel, an open source identity management platform. A user enumeration flaw in login interfaces allows an unauthenticated attacker to verify the existence of valid user accounts by iterating through usernames and userIDs. The issue is present in multiple versions prior to...
CVE-2001-1528
AmTote International homebet program returns different error messages when invalid account numbers and PIN codes are provided, which allows remote attackers to determine the existence of valid account numbers via a brute force attack...
EUVD-2018-18987
Malware in sbrugna...
EUVD-2025-10290
Malicious code in bioql PyPI...
EUVD-2022-49191
Malicious code in bioql PyPI...
CVE-2022-46382
RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has Insecure Permissions. After signing into Digital Rebar, users are issued authentication tokens tied to their account to perform actions within Digital Rebar. During the...
Ash Authentication Access Control Error Vulnerability
Ash Authentication is an Ash authentication framework open-sourced by Alembic. An access control error vulnerability exists in Ash Authentication versions prior to 4.7.0 that originates in the GET request validation process and could lead to automatic account validation...
CVE-2024-1665
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
CVE-2024-1665
This CVE ID is rejected/not used and does not represent an active vulnerability entry.
CVE-2024-26268
The CVE-2024-26268 issue is a user enumeration vulnerability in Liferay Portal (7.2.0–7.4.3.26) and older unsupported versions, and in Liferay DXP 7.4 before update 27, 7.3 before update 8, and 7.2 before fix pack 20. The root cause is that an attacker can infer whether an account exists by measu...
CVE-2023-35154 Knowage-Server vulnerable to account validation bypass
Knowage is an open source analytics and business intelligence suite. Starting in version 6.0.0 and prior to version 8.1.8, an attacker can register and activate their account without having to click on the link included in the email, allowing them access to the application as a normal user. This...
Authentication flaw
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app...
CVE-2023-3128
CVE-2023-3128 affects Grafana when using Azure AD OAuth with multi-tenant apps. The issue arises because the Azure AD profile email field is not unique and can be modified, allowing an attacker to bypass authentication and potentially take over accounts by exploiting how Grafana validates Azure A...
Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references. Original Description This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open...
Hackers Exploiting Infected Android Devices to Register Disposable Accounts
An analysis of SMS phone-verified account PVA services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation. SMS PVA services, since gaining prevalence in 2018,...
CVE-2021-3391
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message...
Nextcloud: Create alias does not validate account id
The request to create a new alias does not validate that account id belongs to the current user. Also we don't validate that the account id exists. curl 'http://localhost:50001/index.php/apps/mail/api/accounts/2000/aliases' \ -H 'Connection: keep-alive' \ -H 'Pragma: no-cache' \ -H 'Cache-Control...