Lucene search
K

90 matches found

NVD
NVD
added 2026/06/20 4:17 p.m.15 views

CVE-2026-56295

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS0.00188EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 3:24 p.m.8 views

EUVD-2026-38122

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS5.9AI score0.00188EPSS
Exploits0References2
CVE
CVE
added 2026/06/20 3:24 p.m.17 views

CVE-2026-56295

Capgo is affected pre-12.128.2 by an authorization bypass in webhook management endpoints. The issue allows legacy non-expiring API keys to bypass the require_apikey_expiration policy because checkWebhookPermission does not call apikeyHasOrgRightWithPolicy, enabling those keys to list, create, an...

6.3CVSS5.9AI score0.00188EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/20 3:24 p.m.31 views

CVE-2026-56295 Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS0.00188EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:15 p.m.10 views

CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

9.8CVSS5.7AI score0.009EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/07 9:34 p.m.8 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

9.1CVSS5.8AI score
Exploits0References3
NVD
NVD
added 2026/05/07 7:16 p.m.11 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

9.1CVSS0.00246EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.10 views

FreeScout 代码问题漏洞

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.217 contained code vulnerabilities. This vulnerability stemmed from the/user-setup/hash endpoint, which did not expire the...

9.1CVSS5.9AI score0.00246EPSS
Exploits0References2
NVD
NVD
added 2026/04/20 4:16 p.m.5 views

CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

9.8CVSS0.009EPSS
Exploits1References4
CVE
CVE
added 2026/04/20 3:40 p.m.36 views

CVE-2026-24467

OpenAEV (versions 1.0.0 up to 2.0.12) suffers password reset token weaknesses that enable unauthenticated account takeover and platform compromise. The root cause is password reset tokens that never expire and are only 8 digits long, allowing token accumulation and rapid brute-forcing across mult...

9.8CVSS5.7AI score0.009EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/20 3:40 p.m.2 views

CVE-2026-24467 OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

9CVSS5.7AI score0.009EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.7 views

PT-2026-28620

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description A flaw exists in AVideo where WebSocket tokens do not expire as intended due to a commented-out timeout validation within the verifyTokenSocket function located in...

5.4CVSS5.9AI score0.00247EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.7 views

Wallos 代码问题漏洞

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.7.2 had code vulnerabilities. These vulnerabilities stemmed from the fact that the password reset token never expired, allowing attackers to use it at any time after intercepting the...

7.1CVSS5.9AI score0.00264EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/02/27 12:0 a.m.7 views

PT-2026-22393

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.1.0 Description Vikunja, an open-source self-hosted task management platform, has a business logic flaw in its password reset mechanism within the vikunja/api. This allows password reset tokens to be reused...

9.9CVSS5.9AI score0.22162EPSS
Exploits70References145
CVE
CVE
added 2026/02/17 11:35 a.m.10 views

CVE-2026-2247

CVE-2026-2247 describes an SQL injection in Clicldeu SaaS during report generation via the mobile app’s Day-to-day section. The vulnerability arises when a previously authenticated remote attacker uses a malicious payload in the URL generated after downloading a student’s report card, with the PD...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References1
Microsoft KB
Microsoft KB
added 2026/01/13 4:0 p.m.67 views

January 13, 2026—KB5073695 (Monthly Rollup)

January 13, 2026—KB5073695 Monthly Rollup Windows Secure Boot certificate expirationImportant: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past...

9.8CVSS7.5AI score0.1911EPSS
Exploits2
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2017-9314

Malware in sbrugna...

8.8CVSS8.8AI score0.02808EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.13 views

EUVD-2025-19121

Malicious code in bioql PyPI...

8.7CVSS9.2AI score0.00448EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/23 5:38 a.m.5 views

CVE-2023-26041

Nextcloud Talk is a fully on-premises audio/video and chat communication service. When cron jobs were misconfigured and therefore messages are not expired, the API would still return them while they were then hidden by the frontend code. It is recommended that the Nextcloud Talk is upgraded to...

4.3CVSS6.9AI score0.00799EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:38 p.m.9 views

CVE-2022-28205

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future...

9.8CVSS6.8AI score0.01427EPSS
Exploits1References1
Rows per page
Query Builder