Lucene search
K

289 matches found

Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.11 views

PT-2026-52655

Name of the Vulnerable Software and Affected Versions Lemur affected versions not specified Description Passwords are stored in plaintext in the users.password column when a user's password is updated. This occurs because the User model only triggers password hashing during the before insert even...

4.9CVSS5.8AI score
Exploits0References5
NVD
NVD
added 2026/06/24 1:16 p.m.10 views

CVE-2026-56272

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...

5.6CVSS0.00073EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56272

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...

5.6CVSS5.8AI score0.00073EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 11:53 a.m.9 views

CVE-2026-56272

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5 (32 iterations), yielding a higher risk of password hash cracking. The vulnerability allows attackers to crack hashes faster on modern GPUs, potentially compromising all user accounts in a database breach. Affected component is the b...

5.6CVSS5.8AI score0.00073EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/24 11:53 a.m.7 views

EUVD-2026-38748

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...

5.6CVSS5.8AI score0.00073EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.32 views

CVE-2026-56272 Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing

Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...

5.6CVSS0.00073EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.9 views

CVE-2026-45410

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

5.3CVSS5.5AI score0.00205EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.9 views

CVE-2026-42610

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user EX: Content Editor with only pages.update permissions can bypass the existing Twig sandbox restrictions by utilizing the grav'accounts' service. Attacker can programmatically load administrative user objects and extra...

6.5CVSS5.4AI score0.0029EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.11 views

CVE-2026-39321

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...

6.3CVSS5.4AI score0.0023EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 4:57 p.m.9 views

EUVD-2026-34863

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/05 4:57 p.m.11 views

CVE-2026-45327

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/05 4:57 p.m.33 views

CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS0.00357EPSS
Exploits0References3
CVE
CVE
added 2026/06/05 4:57 p.m.18 views

CVE-2026-45327

TinyIce (Go) versions 0.8.95–2.4.1 expose a missing authentication on the WebRTC ingest endpoint POST /webrtc/source-offer?mount=, enabling unauthenticated stream injection. The issue is fixed in v2.5.0 by requiring either HTTP Basic auth or a ?password= query parameter, verifying the supplied pa...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/05 4:3 p.m.14 views

NocoDB: User Enumeration via Sign-In Timing

Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...

6.3CVSS5.5AI score0.00197EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/05 4:3 p.m.9 views

GHSA-JR54-JWHJ-55GP NocoDB: User Enumeration via Sign-In Timing

Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...

6.3CVSS5.5AI score0.00197EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.18 views

PT-2026-46997

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The shared-view password check used strict-equality === comparison for legacy plaintext passwords. This creates a timing oracle, allowing a network-positioned attacker to leak the password length...

6.9CVSS5.9AI score0.00253EPSS
Exploits0References8
GithubExploit
GithubExploit
added 2026/06/02 4:43 p.m.97 views

Exploit for CVE-2026-45332

CVE-2026-45332 — Broken Access Control in Automad CMS Proof o...

7.5CVSS5.8AI score0.00298EPSS
Exploits1
GithubExploit
GithubExploit
added 2026/06/01 2:24 p.m.80 views

portswigger-labs

PortSwigger Web Security Academy — Lab Notes Notes from compl...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/05/30 8:13 a.m.16 views

CVE-2026-45332

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/29 9:58 p.m.25 views

Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords

Summary modules/registration.php mode sendlogin regenerates a random password for useruuidassigned, stores its bcrypt hash in admusers.usrpassword, and emails the cleartext to that user. Every other state-changing mode in the same file assignmember, assignuser, deleteuser, createuser calls...

5.7AI score0.00015EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder