Lucene search
+L

67 matches found

NVD
NVD
added 2 days ago8 views

CVE-2026-33684

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS0.00329EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-33684 AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS0.00329EPSS
Exploits0References1
CVE
CVE
added 2 days ago14 views

CVE-2026-33684

Summary: CVE-2026-33684 affects WWBN AVideo prior to 29.0. The set_api_signUp API path accepts and applies user-supplied emailVerified, canUpload, canStream, and canCreateMeet values to new accounts without confirming a valid APISecret, enabling CAPTCHA-solved (anonymous) or APISecret-authenticat...

5.3CVSS6.1AI score0.00329EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.4 views

PT-2026-56552

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.6.0 Description An issue exists where the server fails to verify if the email address provided in the body of the 'POST /auth-requests/admin-request' endpoint belongs to the authenticated user. This allo...

9.3CVSS6.1AI score0.00186EPSS
Exploits0References10
OSV
OSV
added 2026/07/07 3:26 p.m.7 views

GO-2026-5907 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder

Coder's OIDC emailverified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/07/06 8:50 p.m.7 views

Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Summary Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string "false" or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based accou...

7.4CVSS5.9AI score0.00479EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/22 5:25 p.m.2 views

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the setapisignUp process. An attacker can gain unauthorized permissions by supplying crafted parameters during account registration,...

6.9CVSS5.9AI score0.00329EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 12:34 a.m.11 views

EUVD-2026-38092

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References3
CVE
CVE
added 2026/06/19 9:39 p.m.41 views

CVE-2026-56073

CVE-2026-56073 affects Cap-go before 12.128.2. An authentication bypass in OTP verification lets an attacker bypass email verification by manipulating server responses, intercepting OTP requests and falsely marking verification as successful. This enables unauthorized 2FA enablement and potential...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References2
NVD
NVD
added 2026/06/02 7:16 a.m.14 views

CVE-2026-8293

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...

7.5CVSS0.00236EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 4:16 p.m.28 views

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

8.8CVSS0.00324EPSS
Exploits0References2
OSV
OSV
added 2026/04/18 1:0 a.m.6 views

GHSA-6G38-8J4P-J3PR Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

Summary Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The...

9.8CVSS5.7AI score0.00809EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/04/18 1:0 a.m.15 views

Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

Summary Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The...

9.8CVSS5.7AI score0.00809EPSS
Exploits1References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/03 11:2 p.m.6 views

CVE-2026-34736

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...

5.3CVSS5.8AI score0.00211EPSS
Exploits0References1
NVD
NVD
added 2026/04/02 7:21 p.m.7 views

CVE-2026-34736

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...

5.3CVSS0.00211EPSS
Exploits0References2
CVE
CVE
added 2026/04/02 6:29 p.m.18 views

CVE-2026-34736

Open edX Platform experiened an account-activation bypass vulnerability (CVE-2026-34736). In affected versions from maple up to just before ulmo, an unauthenticated attacker could bypass email verification by chaining two issues: the OAuth2 password grant issuing tokens to inactive users, and the...

5.3CVSS5.8AI score0.00211EPSS
Exploits0References2
OSV
OSV
added 2026/04/02 6:29 p.m.2 views

CVE-2026-34736 Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users...

5.3CVSS5.9AI score0.00211EPSS
Exploits0References4
CVE
CVE
added 2026/03/25 4:14 p.m.12 views

CVE-2026-32497

CVE-2026-32497 affects the WordPress plugin User Verification . The vulnerability is a weak authentication issue that enables authentication abuse via an email verification bypass in versions up to and including 2.0.45 (range: n/a through 2.0.45). Multiple sources corroborate the flaw and list th...

5.3CVSS5.8AI score0.00221EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/24 4:27 a.m.5 views

CVE-2026-4283

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the super-unsubscribe AJAX action accepting a processnow parameter from unauthenticated users, which bypasses the intended email-confirmation...

9.1CVSS5.8AI score0.00431EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/03/23 2:36 p.m.7 views

WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability

Email Verification Bypass vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin User Verification versions = 2.0.45...

5.3CVSS5.8AI score0.00221EPSS
Exploits0Affected Software1
Rows per page
Query Builder