GHSA-RH3W-4CCX-PRF9 Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP

Summary A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip th...

New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks

Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections...

PT-2026-37144

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description A logic error in the two-factor authentication 2FA reset process inverts the authorization check. This allows non-admin users to remove the Time-based One-Time Password TOTP configuration of other...

Phishing and MFA exploitation: Targeting the keys to the kingdom

In 2025, attackers increasingly targeted weaknesses in multi-factor authentication MFA workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations. Phishi...

CVE-2026-40582

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

GRC-demo-poc-oscal

GRC-OSCAL — continuous compliance, demonstrated A working pro...

CVE-2026-40582

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the/api/public/user/login endpoint, which only verified the username and password before returning the user’s API key. This...

CVE-2026-40582 ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

EUVD-2026-23601

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

CVE-2026-40582

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

CVE-2026-40582 ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

CVE-2026-40582

ChurchCRM prior to version 7.2.0 had an authentication bypass in the /api/public/user/login endpoint. It returned the user’s API key after validating only username and password, bypassing account lockout and 2FA checks, enabling access to protected API endpoints with the user’s privileges if the ...

GHSA-GGMG-CQG6-J45G Sentry: Improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

Sentry: Improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

PT-2026-33527

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.2.0 Description The '/api/public/user/login' endpoint validates only the username and password before returning the user's API key. This process bypasses the standard authentication flow, which includes account...

Quest KACE SMA 13.0.x < 13.0.385 / 13.1.x < 13.1.81 / 13.2.x < 13.2.183 / 14.0.x < 14.0.341 / 14.1.x < 14.1.101 Multiple Vulnerabilities

The version of Quest KACE Systems Management Appliance SMA running on the remote host is 13.0.x prior to 13.0.385, 13.1.x prior to 13.1.81, 13.2.x prior to 13.2.183, 14.0.x prior to 14.0.341, or 14.1.x prior to 14.1.101. It is, therefore, affected by multiple vulnerabilities, including: - An...

CVE-2026-33667

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...