Lucene search
K

33 matches found

CVE
CVE
added 3 days ago8 views

CVE-2026-56780

Modoboa prior to version 2.9.0 contains an insecure direct object reference in the PUT /api/v1/accounts/{pk}/password/ API. This flaw allows domain administrators to bypass object‑level access controls and change any user’s password, enabling full account takeover by resetting superadmin password...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/06/06 5:28 p.m.90 views

Exploit for CVE-2025-2304

CVE-2025-2304-POC PoC for CVE-2025-2304 — Camaleon CMS 2.9.0...

9.4CVSS5.5AI score0.00566EPSS
Exploits16
NVD
NVD
added 2026/06/03 6:16 p.m.10 views

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

8.8CVSS0.00181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/03 12:0 a.m.5 views

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

8.8CVSS5.8AI score0.00181EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/03 12:0 a.m.8 views

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

5.8AI score0.00181EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/03 12:0 a.m.9 views

EUVD-2026-34146

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

8.8CVSS5.8AI score0.00181EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/03 12:0 a.m.7 views

Mercusys AC12G 授权问题漏洞

The Mercusys AC12G is a Gigabit wireless router produced by the Chinese company Mercusys. The Mercusys AC12G EU V1 AC12G EU V1 version has a security vulnerability. This vulnerability stems from the lack of rate limiting on the TDDP password change endpoint, which may allow neighboring network...

8.8CVSS5.8AI score0.00181EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 12:0 a.m.14 views

CVE-2026-38566

CVE-2026-38566 affects HireFlow v1.2. The issue is CSRF on all state-changing POST endpoints (e.g., /profile password change, /candidates/delete/, /feedback/add/, /interviews/add) due to missing CSRF token validation and no SESSION_COOKIE_SAMESITE configuration. Root cause: CSRF token validation ...

8.1CVSS6AI score0.00168EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.10 views

PT-2026-33986

Dovestones Softwares AD Self Update 4.0.0.5 is vulnerable to Cross Site Request Forgery CSRF. The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally...

5.7AI score0.001EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.15 views

Nexxt Solutions Nebula 300+ 安全漏洞

The Nexxt Solutions Nebula 300+ is a wireless router produced by the American company Nexxt Solutions. Versions of the Nebula 300+ prior to 12.01.01.37 contain security vulnerabilities. These vulnerabilities stem from the lack of cross-site request forgery protection in the status change manageme...

7.2CVSS5.7AI score0.00117EPSS
Exploits0References2
OSV
OSV
added 2026/02/02 8:42 a.m.3 views

BIT-DISCOURSE-2025-68659 Discourse has DoS vulnerability in username change endpoint

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and...

5.3CVSS5.5AI score0.00219EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/28 6:51 p.m.28 views

CVE-2025-68659 Discourse has DoS vulnerability in username change endpoint

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and...

4.3CVSS0.00219EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/28 6:51 p.m.4 views

CVE-2025-68659 Discourse has DoS vulnerability in username change endpoint

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and...

4.3CVSS5.9AI score0.00219EPSS
Exploits0References1
EUVD
EUVD
added 2026/01/10 1:6 a.m.6 views

EUVD-2026-1884

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint /account/changepassword was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

6.9CVSS6.6AI score0.0022EPSS
Exploits0References4
OSV
OSV
added 2026/01/10 1:6 a.m.3 views

CVE-2026-22603 OpenProject has no protection against brute-force attacks in the Change Password function

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint /account/changepassword was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

6.9CVSS7AI score0.0022EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/01/10 12:0 a.m.3 views

OpenProject 安全漏洞

OpenProject is a web-based project management software from OpenProject Open Source. A security vulnerability exists in OpenProject versions prior to 16.6.2 that stems from a lack of brute force protection in an unprotected password change endpoint, which could lead to account cracking and...

6.9CVSS6.7AI score0.0022EPSS
Exploits0References4
Snyk
Snyk
added 2025/12/10 9:31 p.m.1 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the port-change endpoint in the web port configuration process. An attacker can cause service disruption or loss of access by tricking an authenticated user into submitting a crafted request, which...

7.1CVSS6.6AI score0.00144EPSS
Exploits0References2
OSV
OSV
added 2025/12/10 9:31 p.m.5 views

GHSA-WRVC-X3WF-J5F5 1Panel contains a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery CSRF vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a...

7.1CVSS6.9AI score0.00144EPSS
Exploits0References5
CVE
CVE
added 2025/11/19 12:0 a.m.17 views

CVE-2025-63207

The CVE-2025-63207 affects R.V.R Elettronica TEX: firmware TEXL-000400 and Web GUI TLAN-000400. It describes a broken access control flaw due to improper authentication checks on the /_Passwd.html endpoint, allowing an unauthenticated POST that can change Admin, Operator, and User passwords and p...

9.8CVSS6.9AI score0.06249EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2025/11/18 12:0 a.m.2 views

CVE-2025-63800

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the password and repeatpassword parameters empty in the password change request, the...

6.5AI score0.00408EPSS
Exploits1References3
Rows per page
Query Builder