CVE-2026-5229 Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email...
CVE-2026-5229
The Form Notify plugin for WordPress is vulnerable to an Authentication Bypass in versions up to 1.1.10 due to trusting user-controlled cookie data to select the WordPress account after a LINE OAuth login. If LINE omits an email address, the plugin uses the 'form_notify_line_email' cookie without...
PT-2026-36000
Name of the Vulnerable Software and Affected Versions: Tenda W3002R/A302/W309R wireless routers, version V5.07.64 en. Description: Insufficient session validation allows unauthenticated attackers to modify DNS settings. By sending GET requests to the '/goform/AdvSetDns' endpoint using a crafted admin...
CVE-2026-5617
CVE-2026-5617 affects the WordPress plugin Login as User (all versions up to 1.0.3). The handle_return_to_admin() function trusts a client-controlled cookie (oclaup_original_admin) to select the target user for “Return to Admin,” without server-side verification of the cookie’s legitimacy. This e...
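The Form Notify, Login as User and Tenda entries above share one root cause: a value the client can set (a cookie) is used directly to decide which account the server acts as. The following is an added example, not code from any of the listed advisories or the projects they describe; the cookie names, the user table and the session store are hypothetical. It places a minimal vulnerable "return to admin" handler beside two hardened variants: a server-side mapping keyed by an unguessable, single-use token, and, for deployments that cannot keep server-side state, an HMAC-signed cookie that also carries an expiry, so the value can be neither forged nor replayed indefinitely.

```python
"""Cookie-trust pattern: vulnerable account selection beside hardened forms.

Added example; names and data below are constructed for illustration and are
not taken from any of the advisories on this page.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user table: user id -> (login, is_admin)
USERS = {1: ("admin", True), 2: ("alice", False), 3: ("bob", False)}


# --- Vulnerable pattern -------------------------------------------------
def vulnerable_return_to_admin(cookies):
    """Trusts a client-controlled cookie (hypothetical name 'original_admin')
    to choose the account to log in as. Anyone who can set that cookie picks
    the target user; nothing ties the value to a real prior admin session."""
    raw = cookies.get("original_admin", "")
    if not raw.isdigit():
        return None
    uid = int(raw)
    return uid if uid in USERS else None


# --- Hardened pattern 1: server-side state behind a random token --------
SWITCH_SESSIONS = {}  # token -> original admin id; lives only on the server


def begin_user_switch(acting_admin_id, target_id):
    """Called while the real admin is authenticated. The cookie value handed
    back carries no identity at all, only an unguessable lookup key."""
    if acting_admin_id not in USERS or not USERS[acting_admin_id][1]:
        raise PermissionError("only administrators may switch users")
    if target_id not in USERS:
        raise KeyError(target_id)
    token = secrets.token_urlsafe(32)
    SWITCH_SESSIONS[token] = acting_admin_id
    return {"switch_token": token}


def hardened_return_to_admin(cookies):
    """Resolves the admin from server-side state and consumes the token, so a
    forged or replayed cookie never maps to an account."""
    token = cookies.get("switch_token")
    if not token:
        return None
    return SWITCH_SESSIONS.pop(token, None)


# --- Hardened pattern 2: stateless, HMAC-signed cookie with expiry ------
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never sent
TTL_SECONDS = 600


def _mac(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def sign_switch_cookie(admin_id, now=None):
    """Cookie value '<admin_id>.<expiry>.<hmac>'; only the server can mint it."""
    now = int(time.time()) if now is None else now
    payload = f"{admin_id}.{now + TTL_SECONDS}"
    return f"{payload}.{_mac(payload)}"


def verify_switch_cookie(value, now=None):
    """Returns the admin id only if the MAC verifies and the cookie is unexpired.
    Constant-time comparison avoids leaking how many MAC bytes matched."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, sig = value.split(".")
        uid, exp = int(uid_s), int(exp_s)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(sig, _mac(f"{uid}.{exp}")):
        return None
    if now >= exp:
        return None
    return uid if uid in USERS else None


if __name__ == "__main__":
    # Attacker-chosen cookie: accepted by the vulnerable handler, rejected by both hardened ones.
    forged = {"original_admin": "1", "switch_token": "1"}
    print("vulnerable ->", vulnerable_return_to_admin(forged))
    print("server-side ->", hardened_return_to_admin(forged))
    print("signed ->", verify_switch_cookie("1.9999999999.deadbeef"))
```

The token variant is the one to prefer when a server-side session store already exists (as it does in a CMS), since the cookie then carries nothing worth tampering with; the signed variant trades that for statelessness, which is why it must include an expiry and should be bound to the TLS-only, HttpOnly cookie attributes.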
CVE-2025-62797 CSRF in FluxCP account endpoints allows account takeover / state-changing actions
FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authoriz...
EUVD-2024-31245
An insufficient session expiration vulnerability (CWE-613) and an incorrect authorization vulnerability (CWE-863) in the authentication mechanism of FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions and 2.0 all versions may allow a remote unauthenticated attacker to deauthenticate logg...
PT-2024-31991 · Mecha Cms · Mecha Cms
Name of the Vulnerable Software and Affected Versions: Mecha CMS version 3.0.0 Description: The issue allows an attacker to construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the deletion of arbitrary files or website...
CLSA-2024-1714728328 Fix CVE(s): CVE-2022-31629, CVE-2024-2756
SECURITY UPDATE: possible insecure cookie abuse - debian/patches/php-7.3-CVE-2024-2756.patch: fix Host-/Secure- cookie bypass due to partial CVE-2022-31629 fix - CVE-2024-2756...
CLSA-2024-1714728164 Fix CVE(s): CVE-2022-31629, CVE-2024-2756
SECURITY UPDATE: possible insecure cookie abuse - debian/patches/php-7.3-CVE-2024-2756.patch: fix Host-/Secure- cookie bypass due to partial CVE-2022-31629 fix - CVE-2024-2756...
CVE-2023-45660 Require strict cookies for image proxy requests in Nextcloud Mail
Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions, a missing check of origin, target and cookies allows an attacker to abuse the image proxy endpoint to mount a denial of service against a third server. It is recommended that Nextcloud Mail is upgraded to 2.2.8 or 3.3.0...
USN-4609-1 gosa vulnerabilities
Fabian Henneke discovered that GOsa incorrectly handled client cookies. An authenticated user could exploit this with a crafted cookie to perform file deletions in the context of the user account that runs the web server (CVE-2019-14466). It was discovered that GOsa incorrectly handled user access...