CVE-2026-44547

CVE-2026-44547 affects ChurchCRM 7.2.0–7.2.2, where an incomplete fix for CVE-2026-4058 left the public login path exploitable. The hardening commit was merged but silently stripped from src/api/routes/public/public-user.php before any 7.2.x tag was cut, so all 7.2.x releases remain vulnerable. T...

CVE-2026-44547 ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

EUVD-2026-26380

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...

CVE-2026-36959

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...

CVE-2026-31822

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting XSS vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is...

CVE-2026-31888

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

GHSA-GQC5-XV7M-GCJQ Shopware has user enumeration via distinct error codes on Store API login endpoint

Summary The Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown CHECKOUTCUSTOMERNOTFOUND. The "not found" response also echoes the...

CVE-2026-31888

Shopware’s Store API login (POST /store-api/account/login) before versions 6.7.8.1 and 6.6.10.15 exposes a user enumeration flaw: it returns different error codes for a registered email vs. an unknown email and echoes the probed address, while the storefront login unifies errors. This inconsisten...

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

EUVD-2026-10916

Sylius has a XSS vulnerability in checkout login form...

CVE-2026-31822

Sylius (PHP/Symfony eCommerce framework) has an XSS vulnerability in the shop checkout login form handled by ApiLoginController. When a login fails, AuthenticationFailureHandler returns a JSON message that is rendered into the DOM via innerHTML, allowing injected HTML/JS in the message to execute...

CVE-2026-31822 Sylius has a XSS vulnerability in checkout login form

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting XSS vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is...

PT-2026-24476

Name of the Vulnerable Software and Affected Versions Sylius versions prior to 2.0.16 Sylius versions prior to 2.1.12 Sylius versions prior to 2.2.3 Description Sylius, an Open Source eCommerce Framework on Symfony, contains a cross-site scripting XSS issue in the shop checkout login form. The...

GO-2026-4344 File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login in github.com/filebrowser/filebrowser

File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login in github.com/filebrowser/filebrowser...

CVE-2026-23849

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

CVE-2026-23849 File Browser vulnerable to Username Enumeration via Timing Attack in /api/login

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

CVE-2026-23849

CVE-2026-23849 – File Browser (github.com/filebrowser/filebrowser) shows a timing-based username enumeration flaw in the /api/login flow. The JSONAuth.Auth logic short-circuits when a user is not found, returning quickly, while a valid user triggers bcrypt password verification (users.CheckPwd) w...

CVE-2026-23849 File Browser vulnerable to Username Enumeration via Timing Attack in /api/login

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

CVE-2025-55462

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticat...