Lucene search

10 matches found

AttackerKB · added 2026/06/05 6:05 p.m. · 4 views

CVE-2026-45749

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical...

CVSS 8.1 · AI score 5.5 · EPSS 0.00269
Exploits 1 · References 3 · Affected Software 1

Cvelist · added 2026/05/29 1:13 p.m. · 33 views

CVE-2026-45610 WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and...

CVSS 5.7 · EPSS 0.0011
Exploits 0 · References 1

CVE · added 2026/05/29 1:13 p.m. · 18 views

CVE-2026-45610

CVE-2026-45610 relates to a CSRF vulnerability in WWBN AVideo where plugin/LoginControl/set.json.php exposes a 2FA disable action (type=set2FA) without CSRF protection. The code path checks only User::isLogged() and then directly calls LoginControl::setUser2FA(User::getId(), …) based on POST valu...

CVSS 6.5 · AI score 5.7 · EPSS 0.0011
Exploits 0 · References 1 · Affected Software 1

OSV · added 2026/05/15 6:34 p.m. · 4 views

GHSA-3MV2-VMWH-RWFX AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary. Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

CVSS 5.7 · AI score 5.9 · EPSS 0.0011
Exploits 0 · References 3

Vulnrichment · added 2025/10/30 7:59 p.m. · 5 views

CVE-2025-8850 Insecure API Design in danny-avila/librechat

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...

CVSS 3.1 · AI score 6.5 · EPSS 0.00384
Exploits 1 · References 2

CNNVD · added 2024/08/12 12:00 a.m. · 1 view

FIWARE Keyrock security vulnerability

FIWARE Keyrock is a FIWARE open source component responsible for identity management. A cryptographic vulnerability exists in FIWARE Keyrock 8.4 and earlier versions, which stems from the algorithm used to create the disable2fakey being predictable, and can be exploited by an attacker to predict...

CVSS 4.3 · AI score 6.9 · EPSS 0.00356
Exploits 1 · References 2

Positive Technologies · added 2024/08/12 12:00 a.m. · 2 views

PT-2024-29781 · Fiware · Fiware Keyrock

Name of the Vulnerable Software and Affected Versions: FIWARE Keyrock versions ≤ 8.4. Description: The issue is related to insufficiently random values used for generating password reset tokens, allowing attackers to predict the token and disable two-factor authorization for any user. This makes i...

CVSS 4.3 · AI score 7.2 · EPSS 0.00356
Exploits 1 · References 6

OSV · added 2022/06/28 9:15 p.m. · 1 view

CVE-2022-31886

Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). An attacker can disable the 2FA by sending the user a malicious form...

CVSS 6.5 · AI score 5.8 · EPSS 0.01692
Exploits 1 · References 4

Positive Technologies · added 2021/03/04 12:00 a.m. · 3 views

PT-2021-15381 · Joomla · Joomla!

Name of the Vulnerable Software and Affected Versions: Joomla! versions 3.2.0 through 3.9.24 Description: An issue was discovered in the usage of the insecure rand function within the process of generating the 2FA secret. Recommendations: For versions 3.2.0 through 3.9.24, consider updating to a...

CVSS 5.3 · AI score 7.2 · EPSS 0.01261
Exploits 0 · References 7

OSV · added 2018/12/19 11:29 a.m. · 3 views

CVE-2018-20231

Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter, due to missing nonce validation...

CVSS 8.8 · AI score 5.8 · EPSS 0.01438
Exploits 1 · References 3