CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

CVE-2026-24000

Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limitin...

Mercusys AC12G 授权问题漏洞

The Mercusys AC12G is a Gigabit wireless router produced by the Chinese company Mercusys. The Mercusys AC12G EU V1 AC12G EU V1 version has a security vulnerability. This vulnerability stems from the lack of rate limiting on the TDDP password change endpoint, which may allow neighboring network...

CVE-2026-44611 MacGregor Voyage Data Recorder (VDR) G4e Use of Password Hash With Insufficient Computational Effort

Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

CVE-2026-24000

Fleet is open-source device management software. A vulnerability in versions prior to 4.80.1 lets attackers spoof the client’s apparent IP by abusing unvalidated headers (X-Forwarded-For, X-Real-IP, True-Client-IP) to bypass per-IP rate limiting. This affects how Fleet determines a client’s publi...

Inadequate Encryption Strength

github.com/enchant97/note-mark/backend is vulnerable to Inadequate Encryption Strength. The vulnerability is due to missing enforcement of minimum length and entropy requirements for the JWTSECRET value, which allows an attacker to brute-force weak secrets and forge valid JWT tokens...

GHSA-MXMP-WR3W-RVQX Fleet: IP spoofing allows bypassing API rate limiting

Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP...

GHSA-J8H8-75H3-JG53 Fleet has a rate limiting bypass via untrusted client IP headers

Impact Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTT...

PT-2026-40979

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.80.1 Description An issue in the IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. The software extracts client IP addresses from request headers...

PT-2026-40968

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.80.1 Description Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and...

CVE-2024-0391

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

CVE-2024-0391 Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

CVE-2024-0391

The CVE-2024-0391 issue affects WSO2 products with the email OTP flow, where the check user account lock states validation fails, enabling attacker enumeration of registered usernames. This disclosure indicates that valid usernames can be inferred, which could facilitate targeted brute-force or s...

CVE-2024-0391 Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

PT-2026-39580

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The check user account lock states feature within the email OTP flow fails to validate user input. This allows an attacker to infer whether specific user account...

EUVD-2026-28547

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This coul...

CVE-2026-34527

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit...

EUVD-2026-27466

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit...

PT-2026-37249

Affected Version: OpenMage LTS ≤ 20.16.0 confirmed on 20.16.0 Affected File: https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php – start method Summary The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a...