MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal...
CVE-2025-67639
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account...
Raspberry Pi Imager Security Vulnerability
Raspberry Pi Imager is an open source utility for Raspberry Pi. A security vulnerability exists in Raspberry Pi Imager version 1.9.6, which stems from a public key authentication setting incorrectly re-adding the local id_rsa.pub key to the authorized_keys file of the Raspberry Pi, which...
EUVD-2017-17162
Malware in sbrugna...
EUVD-1999-0245
Malware in sbrugna...
EUVD-2017-3449
Malware in sbrugna...
EUVD-2022-29637
Malicious code in bioql PyPI...
CVE-2025-54599
The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The roo...
Linux Distros Unpatched Vulnerability : CVE-2018-3089
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization subcomponent: Core. The supported version that is affected is Prior to 5.2.16. Easi...
Linux Distros Unpatched Vulnerability : CVE-2021-2454
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. The supported version that is affected is Prior to 6.1.24. Difficult...
CVE-2025-7710
The Brave Conversion Engine PRO plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers t...
EUVD-2025-23239
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices...
CVE-2025-6563 Cross-site scripting via dst parameter in RouterOS WiFi hotspot
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the javascript protocol in the dst parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to log in can also...
Learning Digital Orca HCM Security Vulnerability
Learning Digital Orca HCM is a digital learning platform from China-based Yiyu Digital Learning Digital. A security vulnerability exists in Learning Digital Orca HCM that stems from improper authentication. An attacker can exploit the vulnerability to log in to the system as any user...
CVE-2025-24032 PAM-PKCS#11 vulnerable to authentication bypass with default value for `cert_policy` (`none`)
PAM-PKCS#11 is a Linux-PAM login module that allows X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user...
udn News Security Breach
udn News is a news application from China United News udn Inc. A security vulnerability exists in udn News versions prior to 4.20.1 that originates from storing an unencrypted user session in a local database when a user logs in to the application, which can be retrieved by a malicious attacker w...
TOTOLINK A8000RU has an unspecified vulnerability
TOTOLINK A8000RU is a wireless router from China's Gion Electronics TOTOLINK. An unspecified vulnerability exists in the TOTOLINK A8000RU, which can be exploited by an attacker to log into the administrator account by providing a specially crafted session cookie...
CVE-2023-39546
CLUSTERPRO X Ver5.1 and earlier, EXPRESSCLUSTER X 5.1 and earlier, CLUSTERPRO X SingleServerSafe 5.1 and earlier, and EXPRESSCLUSTER X SingleServerSafe 5.1 and earlier allow an attacker who can log in to the product to execute an arbitrary command...
CVE-2023-33006
A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account...
CVE-2022-43528
Under certain configurations, an attacker can log in to Aruba EdgeConnect Enterprise Orchestrator without supplying a multi-factor authentication code. Successful exploitation allows an attacker to log in using only a username and password and successfully bypass MFA requirements in Aruba EdgeConne...