
12 matches found

Vulnrichment, added 2026/04/07 7:03 p.m.

CVE-2026-39322 PolarLearn: Any password authenticates banned accounts and grants API access

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and...

CVSS 9.2 | AI score 5.9 | EPSS 0.00239 | Exploits: 0 | References: 1
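The PolarLearn entry describes an ordering flaw: session state is minted before the password is checked, and a ban check that then rejects the request does not revoke what was already minted. The block below is an added illustration of that ordering, not PolarLearn's code: the user table, the in-memory session store, the handler names and the returned cookie value are all constructed for the example, and a fast SHA-256 stands in for a real password KDF only to keep it short.

```python
"""
Added example (not PolarLearn's code): a sign-in handler that creates a
session before verifying the password, beside one that verifies first.
User table, session store and handler names are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash(pw: str) -> str:
    # Fast hash only to keep the example short; use a password KDF in practice.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class User:
    name: str
    pw_hash: str
    banned: bool


# Constructed user table; mallory is a banned account.
USERS = {
    "alice": User("alice", _hash("alice-pw"), banned=False),
    "mallory": User("mallory", _hash("mallory-pw"), banned=True),
}
SESSIONS: dict = {}  # session token -> username (constructed store)


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, _hash(password))


def current_user(token):
    """What an authenticated /api route does: any token in the store is trusted."""
    return SESSIONS.get(token)


def sign_in_vulnerable(username: str, password: str):
    """Returns (status, body, session_cookie). The session is created as soon
    as the account is found; the banned branch answers 403 but the session
    it already created stays valid, and the password is checked last."""
    user = USERS.get(username)
    if user is None:
        return 401, {"error": "invalid credentials"}, None
    token = secrets.token_hex(16)
    SESSIONS[token] = user.name            # minted before any verification
    if user.banned:
        return 403, {"error": "account banned"}, token
    if not _password_ok(user, password):
        return 401, {"error": "invalid credentials"}, token
    return 200, {"ok": True}, token


def sign_in_hardened(username: str, password: str):
    """Same contract, correct order: verify the password, then the ban
    status, and only then create a session. Error paths return no cookie."""
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return 401, {"error": "invalid credentials"}, None
    if user.banned:
        return 403, {"error": "account banned"}, None
    token = secrets.token_hex(16)
    SESSIONS[token] = user.name
    return 200, {"ok": True}, token


if __name__ == "__main__":
    status, _, cookie = sign_in_vulnerable("mallory", "any password")
    print("vulnerable: banned + wrong password ->", status,
          "session user =", current_user(cookie))
    status, _, cookie = sign_in_hardened("mallory", "any password")
    print("hardened:   banned + wrong password ->", status, "cookie =", cookie)
```

The check to carry over to any login handler: nothing that a downstream route will trust (session row, cookie, token) may exist before the credential check has passed, and every rejection path must return without having created it.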
VulnCheck KEV, added 2026/03/07 12:00 a.m.

VulnCheck KEV: CVE-2026-21891

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...

CVSS 9.8 | AI score 5.8 | EPSS 0.02169 | In the wild | Exploits: 1 | References: 24
OSV, added 2026/03/06 5:35 p.m.

CVE-2026-28514 Rocket.Chat: Users can login with any password via the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows a...

CVSS 9.3 | AI score 5.8 | EPSS 0.00498 | Exploits: 0 | References: 5
Vulnrichment, added 2026/01/08 2:00 p.m.

CVE-2026-21891 ZimaOS has Authentication Bypass via System-Level Username

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...

CVSS 9.4 | AI score 6.4 | EPSS 0.02169 | Exploits: 1 | References: 1
CVE, added 2026/01/08 2:00 p.m.

CVE-2026-21891

Summary (CVE-2026-21891): ZimaOS ≤ 1.5.0 contains an authentication bypass in the login function where username validation is performed but password handling for known system service accounts is flawed. This can allow an attacker to gain authenticated access using any password when a common syste...

CVSS 9.8 | AI score 6.4 | EPSS 0.02169 | In the wild | Exploits: 1 | References: 1 | Affected software: 1
Veracode, added 2025/12/13 4:36 a.m.

Improper Authentication

The Jenkins active-directory plugin (org.jenkins-ci.plugins:active-directory) is vulnerable to improper authentication. The vulnerability is due to improper handling of cached successful authentications in Windows/ADSI mode, which allows an attacker to log in as any user using any password while the valid authentication session...

CVSS 9.8 | AI score 7.3 | EPSS 0.0168 | Exploits: 0 | References: 4 | Affected software: 1
OSV, added 2023/08/14 5:15 a.m.

CVE-2023-3266

A non-feature-complete authentication mechanism exists in the production application, allowing an attacker to bypass all authentication checks if LDAP authentication is selected. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an...

CVSS 9.8 | AI score 5.8 | EPSS 0.0082 | Exploits: 0 | References: 1
OSV, added 2023/05/02 10:07 a.m.

USN-6053-1 php7.0 vulnerability

It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations...

CVSS 8.1 | AI score 6.7 | EPSS 0.00944 | Exploits: 1 | References: 2
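The USN-6053-1 entry is one instance of a general failure mode: a crypt-style routine signals "cannot parse this hash" by returning a fixed string, and a verifier that only tests `rehash(password, stored) == stored` will then accept every password for a record whose stored value happens to be that string. The block below is an added, generic illustration and is not PHP's Blowfish code: the `$pbkdf2-sha256$...` format, the `*0` sentinel (borrowed from the crypt(3) convention), the PBKDF2 parameters and the two records are constructed for the example.

```python
"""
Added example (not PHP's code): how a verifier that compares a re-hash
against the stored string accepts any password once the stored value is
the hash function's failure sentinel, beside a verifier that validates
the stored hash before comparing. Format, sentinel and records are
constructed.
"""
import base64
import hashlib
import hmac

SENTINEL = "*0"        # constructed failure marker, after the crypt(3) convention
ITERATIONS = 20_000    # constructed; real deployments use far more
SCHEME = "pbkdf2-sha256"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _encode(iters: int, salt: bytes, dk: bytes) -> str:
    return "$%s$%d$%s$%s" % (SCHEME, iters, _b64(salt), _b64(dk))


def hash_password(password: str, salt: bytes) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return _encode(ITERATIONS, salt, dk)


def crypt_like(password: str, stored: str) -> str:
    """Re-hash `password` with the parameters embedded in `stored`.
    Returns SENTINEL instead of raising when `stored` cannot be parsed."""
    try:
        _, scheme, iters, salt_b64, _ = stored.split("$")
        if scheme != SCHEME:
            raise ValueError("unknown scheme")
        salt = base64.b64decode(salt_b64, validate=True)  # binascii.Error is a ValueError
        if not salt:
            raise ValueError("empty salt")
        iters = int(iters)
    except ValueError:
        return SENTINEL
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return _encode(iters, salt, dk)


def verify_vulnerable(password: str, stored: str) -> bool:
    """Matches the stored string whatever it is; if the stored value is the
    sentinel, the failure path of crypt_like reproduces it for any input."""
    return crypt_like(password, stored) == stored


def verify_hardened(password: str, stored: str) -> bool:
    """Parse and validate the stored hash first; anything malformed (including
    the sentinel) is rejected, and only the digest bytes are compared."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME or not parts[2].isdigit():
        return False
    try:
        salt = base64.b64decode(parts[3], validate=True)
        dk = base64.b64decode(parts[4], validate=True)
    except ValueError:
        return False
    if len(salt) < 16 or len(dk) != 32:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[2]))
    return hmac.compare_digest(candidate, dk)


# Constructed records: "legacy" holds the sentinel, e.g. written by an
# importer that stored crypt_like's return value without checking it.
RECORDS = {
    "alice": hash_password("alice-pw", b"0123456789abcdef"),
    "legacy": SENTINEL,
}

if __name__ == "__main__":
    for name, stored in RECORDS.items():
        print(f"{name:>6}: vulnerable accepts 'anything' = {verify_vulnerable('anything', stored)}, "
              f"hardened accepts 'anything' = {verify_hardened('anything', stored)}")
```

The practical check that follows from it: treat the stored hash as untrusted input, reject any record that does not parse as a complete hash of the expected scheme and length, and compare digests rather than the whole encoded string.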
BDU FSTEC, added 2022/07/06 12:00 a.m.

Countly-server vulnerability allowing an attacker to change an arbitrary user's password and escalate privileges

The vulnerability in the Countly-server data analysis software (Countly) is related to shortcomings in its password recovery mechanism. Exploiting this vulnerability allows a malicious actor to change the password of an arbitrary user and escalate their privileges...

CVSS 8.1 | AI score 7.6 | EPSS 0.01294 | Exploits: 0 | References: 3 | Affected software: 1
OSV, added 2019/08/15 5:15 p.m.

DEBIAN-CVE-2019-11187

Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided...

CVSS 9.8 | AI score 8.7 | EPSS 0.01749 | Exploits: 0 | References: 1
OSV, added 2018/01/02 11:29 p.m.

CVE-2017-1000433

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password...

CVSS 8.1 | AI score 8.3 | Exploits: 0 | References: 4
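The pysaml2 entry names the trigger, "when run with python optimizations enabled", without showing why that matters: `python -O` strips every `assert` statement, so a password check whose only rejection path is an assertion compiles to a function that always succeeds. The block below is an added demonstration and is not pysaml2's code; it uses `compile(..., optimize=1)`, which applies the same stripping as `-O`, so both behaviours can be shown in one interpreter run. The user table and credentials are constructed, and SHA-256 stands in for a real password KDF only to keep the example short.

```python
"""
Added example (not pysaml2's code): a password check written with
`assert` versus one written with explicit control flow, each compiled
at optimize level 0 (normal) and 1 (what `python -O` does).
Credentials are constructed.
"""
import hashlib
import hmac

# Constructed user table: username -> hex SHA-256 of the password.
# (Fast hash only to keep the example short; use a password KDF in practice.)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

VULNERABLE_SRC = '''
def check_password(username, password):
    # The only rejection path is an assert. Under -O the statement is
    # removed at compile time and the function returns True unconditionally.
    stored = USERS[username]
    assert hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())
    return True
'''

HARDENED_SRC = '''
def check_password(username, password):
    # Explicit control flow: the rejection is an ordinary return value,
    # so the optimization level cannot change the outcome.
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())
'''


def build(src: str, optimize: int):
    """Compile `src` at the given optimize level (1 == `python -O`, which
    strips asserts) and return the resulting check_password function."""
    namespace = {"USERS": USERS, "hmac": hmac, "hashlib": hashlib}
    exec(compile(src, "<auth>", "exec", optimize=optimize), namespace)
    return namespace["check_password"]


def wrong_password_accepted(src: str, optimize: int) -> bool:
    """True if the compiled check lets 'alice' in with a wrong password."""
    check = build(src, optimize)
    try:
        return bool(check("alice", "wrong password"))
    except AssertionError:
        return False


def run_matrix() -> dict:
    """{(variant, optimize): wrong-password-accepted} for both variants."""
    return {
        (name, opt): wrong_password_accepted(src, opt)
        for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC))
        for opt in (0, 1)
    }


if __name__ == "__main__":
    for (name, opt), accepted in sorted(run_matrix().items()):
        print(f"{name:>10} optimize={opt}: wrong password accepted = {accepted}")
```

The same applies to any `assert` guarding authorization, input validation or invariants the program relies on at runtime: `assert` documents a belief for debugging builds, and an interpreter flag (or `PYTHONOPTIMIZE` in the environment) can delete it.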
OSV, added 2009/12/23 6:30 p.m.

UBUNTU-CVE-2009-4402

The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface...

CVSS 7.5 | AI score 6 | EPSS 0.01391 | Exploits: 0 | References: 2