PT-2026-24690
Impact: When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recover...
PT-2026-24794
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown...
Pocket ID input validation vulnerability
Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID from 2.0.0 to 2.4.0 contained an input validation vulnerability stemming from defects in the callback URL validation process, which could lead to the...
PT-2026-24603
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...
Pocket ID security vulnerability
Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID prior to 2.4.0 contained a security vulnerability that stemmed from the OIDC token endpoint only refusing authorization codes when the client ID was incorrect and the code...
CVE-2026-28512 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo ("@" in the authority) to bypass legitimate callback pattern checks. If an attacker can trick a...
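The userinfo confusion described in the two Pocket ID callback-validation entries above is a parser-disagreement bug: a check that looks at the start of the string sees the registered host, while the browser (and any RFC 3986 parser) treats everything before the "@" as userinfo and sends the user to the host after it. The following Go program is an added illustration, not Pocket ID's code. The registered callback, the client, and the naivePrefixCheck function are constructed for the example; naivePrefixCheck stands in for a generic "starts with the registered origin" pattern check and is not a reproduction of the project's actual validator. ValidateRedirectURI shows the fix practitioners should expect: structural rejection of userinfo, fragments and non-https schemes, then exact string comparison against the registered value (RFC 6749 §3.1.2.3; the OAuth 2.0 Security BCP also requires exact matching).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed registered callback for this illustration; a real provider loads
// these from the client's registration record.
var registeredCallbacks = []string{
	"https://app.example.com/auth/callback",
}

// EffectiveHost reports where a browser would actually send the user. net/url
// follows RFC 3986: the text before "@" in the authority is userinfo, so
// "https://app.example.com@attacker.example/x" has Host "attacker.example".
func EffectiveHost(candidate string) string {
	u, err := url.Parse(candidate)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// naivePrefixCheck is a hypothetical "starts with the registered origin" check,
// written here only to show why such checks are fooled by userinfo.
func naivePrefixCheck(candidate string) bool {
	for _, reg := range registeredCallbacks {
		u, err := url.Parse(reg)
		if err != nil {
			continue
		}
		if strings.HasPrefix(candidate, u.Scheme+"://"+u.Host) {
			return true
		}
	}
	return false
}

var ErrRedirectMismatch = errors.New("redirect_uri does not match a registered callback")

// ValidateRedirectURI applies structural checks and then an exact string
// comparison against the registered callbacks. Nothing here is a prefix or
// pattern match, so authority tricks cannot smuggle a foreign host past it.
func ValidateRedirectURI(candidate string) (string, error) {
	u, err := url.Parse(candidate)
	if err != nil {
		return "", err
	}
	if u.User != nil {
		return "", errors.New("redirect_uri must not carry userinfo")
	}
	if !u.IsAbs() || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("redirect_uri must be an absolute https URL")
	}
	if u.Fragment != "" {
		return "", errors.New("redirect_uri must not contain a fragment")
	}
	for _, reg := range registeredCallbacks {
		if candidate == reg {
			return reg, nil
		}
	}
	return "", ErrRedirectMismatch
}

func main() {
	crafted := "https://app.example.com@attacker.example/auth/callback"
	fmt.Println("effective host:", EffectiveHost(crafted))        // attacker.example
	fmt.Println("naive prefix check passes:", naivePrefixCheck(crafted)) // true
	_, err := ValidateRedirectURI(crafted)
	fmt.Println("strict check:", err) // rejected
	_, err = ValidateRedirectURI(registeredCallbacks[0])
	fmt.Println("strict check on registered value:", err) // <nil>
}
```

If a client genuinely needs per-request query parameters, compare scheme, host, port and path component by component after parsing rather than relaxing to a prefix match; the state parameter exists for carrying per-request data.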
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the OIDC token exchange process. An attacker can obtain tokens for unauthorized clients or reuse expired authorization codes by submitting a valid authorization code with a different client ID or by using an...
CVE-2026-29784
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...
CVE-2026-29784 Ghost: Incomplete CSRF protections around OTC use
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...
CVE-2026-29784
Ghost (Node.js CMS) is affected between v5.101.6 and v6.19.2. The vulnerability is due to incomplete CSRF protections around /session/verify, allowing OTCs to be used in login sessions other than the requesting session. This could enable phishing attackers to take over a Ghost site in certain sce...
SUSE CVE-2025-64175
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to...
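The Parse Server entry (recovery codes not consumed after use) and the Gogs entry just above (recovery codes not scoped to the user) are two halves of the same contract: a recovery code must be valid for exactly one account and exactly one use. The Go program below is an added example, not code from either project; the RecoveryStore type, the code length and the user IDs are constructed for the illustration. Codes are stored per user under their SHA-256 hash, the lookup is keyed by user ID first so another account's code can never match, and the used flag is set under the same lock that performed the check so a second presentation fails even if it races the first.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// RecoveryStore keeps recovery codes per user. The outer key is the user ID,
// so a lookup can never reach a code that belongs to another account; the
// inner key is sha256(code), so plaintext codes are never stored.
type RecoveryStore struct {
	mu    sync.Mutex
	codes map[string]map[string]bool // userID -> sha256(code) hex -> used?
}

func NewRecoveryStore() *RecoveryStore {
	return &RecoveryStore{codes: make(map[string]map[string]bool)}
}

// hashCode is plain SHA-256: the codes carry 64 bits of CSPRNG entropy, so a
// slow password hash buys nothing here.
func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// Issue replaces the user's recovery codes with n fresh ones and returns the
// plaintexts, which the caller shows to the user exactly once.
func (s *RecoveryStore) Issue(userID string, n int) ([]string, error) {
	plain := make([]string, 0, n)
	set := make(map[string]bool, n)
	for i := 0; i < n; i++ {
		buf := make([]byte, 8)
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		code := hex.EncodeToString(buf) // 16 hex characters
		plain = append(plain, code)
		set[hashCode(code)] = false
	}
	s.mu.Lock()
	s.codes[userID] = set
	s.mu.Unlock()
	return plain, nil
}

var ErrInvalidRecoveryCode = errors.New("invalid or already used recovery code")

// Redeem accepts a code for exactly this user and consumes it. The lookup is
// scoped by userID (another account's code never matches) and the used flag is
// flipped under the same lock that performed the check (a second presentation,
// concurrent or later, fails).
func (s *RecoveryStore) Redeem(userID, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	userCodes := s.codes[userID] // nil map for an unknown user; reads on nil maps are safe
	h := hashCode(code)
	used, ok := userCodes[h]
	if !ok || used {
		return ErrInvalidRecoveryCode
	}
	userCodes[h] = true
	return nil
}

// Remaining reports how many unused codes the user still has, so the UI can
// prompt for regeneration before they run out.
func (s *RecoveryStore) Remaining(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for _, used := range s.codes[userID] {
		if !used {
			n++
		}
	}
	return n
}

func main() {
	s := NewRecoveryStore()
	alice, _ := s.Issue("alice", 2)
	bob, _ := s.Issue("bob", 2)
	fmt.Println("alice first use:", s.Redeem("alice", alice[0]))     // <nil>
	fmt.Println("alice replay:", s.Redeem("alice", alice[0]))        // error
	fmt.Println("alice uses bob's code:", s.Redeem("alice", bob[0])) // error
	fmt.Println("alice remaining:", s.Remaining("alice"))            // 1
}
```

In a database-backed implementation the equivalent of the lock is a conditional update, for example UPDATE ... SET used = true WHERE user_id = ? AND code_hash = ? AND used = false, treating zero affected rows as failure.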
PT-2026-23607
Name of the Vulnerable Software and Affected Versions: Ghost versions 5.101.6 through 6.19.2. Description: Incomplete CSRF protections around the /session/verify API endpoint allowed the use of One-Time Codes (OTCs) in login sessions different from the requesting session. This could potentially allow...
CVE-2025-70231
D-Link DIR-513 version 1.10 contains a critical-level vulnerability. When processing POST requests related to verification codes in /goform/formLogin, execution enters /goform/getAuthCode, which fails to filter the value of the FILECODE parameter, resulting in a path traversal vulnerability...
Libssh: incorrect return code handling in ssh_kdf() in libssh
A flaw was found in libssh versions built against OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenl...
CVE-2026-1627
An attacker may exploit the use of outdated and weak MAC algorithms in the device’s SSH service to potentially compromise the integrity of the SSH session, allowing manipulation of transmitted data if the attacker can interact with the network traffic...
CVE-2026-1627
The CVE concerns the SSH service on a device using outdated or weak MAC algorithms, which can undermine the integrity of an SSH session. The underlying issue is the use of weak MACs to protect authenticated network traffic, enabling attacker-controlled manipulation of transmitted data if t...
PT-2026-22177
Name of the Vulnerable Software and Affected Versions: versions prior to 2026-27141. Description: A missing nil check allows a server to panic when receiving specific HTTP/2 frames, specifically those ranging from 0x0a to 0x0f. This issue does not have any reported real-world incidents or estimated...
$300 a Month Android Malware ‘Oblivion’ Uses Fake Updates to Hijack Phones
Cybersecurity researchers at Certo reveal Oblivion, a new Android Trojan targeting major brands like Samsung and Xiaomi. It bypasses security to steal passwords and bank codes...