
43 matches found

EUVD
added 2 days ago, 5 views

EUVD-2026-38097

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to...

9.8 CVSS, 6 AI score
Exploits 1, References 4
Cvelist
added 2026/06/12 3:42 p.m., 26 views

CVE-2026-53981 Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

7.6 CVSS, 0.00267 EPSS
Exploits 0, References 3
EUVD
added 2026/05/19 9:40 a.m., 8 views

EUVD-2026-30877

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

8.8 CVSS, 5.8 AI score, 0.01237 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/05/19 12:00 a.m., 6 views

PT-2026-41859

Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 24.09.06. Description: Improper Authentication occurs due to a password-change logic flaw, which can lead to Remote Code Execution (RCE), a process where an attacker can execute arbitrary commands on the target...

9.8 CVSS, 6.1 AI score, 0.01237 EPSS
Exploits 0, References 10
Positive Technologies
added 2026/04/22 12:00 a.m., 5 views

PT-2026-36878

Name of the Vulnerable Software and Affected Versions: OpenC3 COSMOS versions prior to 6.10.5; OpenC3 COSMOS versions prior to 7.0.0-rc3. Description: The password change functionality allows a user to change their password without providing the current password, as the system accepts a valid session...

8.1 CVSS, 5.8 AI score, 0.00305 EPSS
Exploits 1, References 11
CNNVD
added 2026/04/21 12:00 a.m., 4 views

blueprintUE self-hosted edition security vulnerability

The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the password change form located at...

8.1 CVSS, 5.8 AI score, 0.00215 EPSS
Exploits 0, References 2
EUVD
added 2026/04/09 1:30 a.m., 3 views

EUVD-2026-20828

A vulnerability was identified in Tenda AC15 15.03.05.18. This affects the function websGetVar of the file /goform/SysToolChangePwd. Such manipulation of the argument oldPwd/newPwd/cfmPwd leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available...

9 CVSS, 7.9 AI score, 0.00627 EPSS
Exploits 1, References 5
NVD
added 2026/04/08 7:25 p.m., 1 view

CVE-2026-35407

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given...

6.5 CVSS, 0.00294 EPSS
Exploits 0, References 6
Debian
added 2026/03/30 3:09 p.m., 2 views

[SECURITY] [DLA 4517-1] roundcube security update

Debian LTS Advisory DLA-4517-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin March 30, 2026 https://wiki.debian.org/LTS Package : roundcube Version : 1.4.15+dfsg.1-1+deb11u8 CVE ID : not yet available Debian Bug : 1131182 1132268 Multiple vulnerabilities were...

5.9 AI score
Exploits 0
CNNVD
added 2026/03/20 12:00 a.m., 6 views

Frigate authorization vulnerability

Frigate is a complete native NVR developed by Blake Blackshear, designed specifically for home assistants with AI object detection capabilities. Versions of Frigate prior to 0.17.0-beta1 contained an authorization vulnerability. This vulnerability stemmed from the fact that changing passwords did...

8.8 CVSS, 5.8 AI score, 0.00247 EPSS
Exploits 0, References 2
ATTACKERKB
added 2026/03/04 10:43 p.m., 5 views

CVE-2025-41257

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise...

4.8 CVSS, 5.8 AI score, 0.00248 EPSS
Exploits 0, References 3, Affected Software 1
Vulnrichment
added 2026/03/04 10:43 p.m., 2 views

CVE-2025-41257 Suprema BioStar 2 Insecure Password Change

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise...

4.8 CVSS, 5.7 AI score, 0.00248 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/02/19 6:49 a.m., 2 views

CVE-2026-1994 s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover

The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to...

9.8 CVSS, 5.7 AI score, 0.00376 EPSS
Exploits 0, References 3
NVD
added 2026/01/26 6:16 p.m., 5 views

CVE-2026-24432

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery CSRF protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...

5.1 CVSS, 0.00108 EPSS
Exploits 0, References 2
CNNVD
added 2025/10/30 12:00 a.m., 3 views

Nagios XI security vulnerability

Nagios XI is a suite of IT infrastructure monitoring solutions from US-based Nagios. The solution supports monitoring and alerting of applications, services, operating systems, and more. A security vulnerability exists in Nagios XI versions prior to 2024R1.1.3 that stems from a password change th...

9.8 CVSS, 6.7 AI score, 0.00882 EPSS
Exploits 0, References 3
OSV
added 2025/10/21 8:20 p.m., 2 views

CVE-2025-52079

The administrator password setting of the D-Link DIR-820L 1.06B02 has Improper Access Control and is vulnerable to Unverified Password Change via a crafted POST request to /getset.ccp...

8.8 CVSS, 5.8 AI score, 0.00493 EPSS
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2008-0258

Malware in sbrugna...

10 CVSS, 6.4 AI score, 0.0353 EPSS
Exploits 1, References 4
CVE
added 2025/09/10 12:25 p.m., 21 views

CVE-2025-7718

The CVE-2025-7718 entry concerns the Resideo Plugin for Resideo - Real Estate WordPress Theme. Affected versions up to 2.5.4 allow privilege escalation via account takeover because the plugin does not properly validate a user’s identity before updating sensitive details (e.g., email). This enable...

8.8 CVSS, 6.1 AI score, 0.003 EPSS
Exploits 0, References 2
Tenable Nessus
added 2025/09/10 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2017-8879

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access...

6.8 CVSS, 6.8 AI score, 0.00439 EPSS
Exploits 1, References 2
RedhatCVE
added 2025/05/23 8:16 a.m., 7 views

CVE-2024-42850

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements...

9.8 CVSS, 7.1 AI score, 0.015 EPSS
Exploits 1, References 1