Lucene search

5018 matches found

CVE
added 2026/03/23 7:24 p.m. | 9 views

CVE-2026-32879

CVE-2026-32879 affects New API (LLM gateway/AI asset management). Beginning with version 0.10.0, a logic flaw in the universal secure verification flow lets an authenticated user with a registered passkey satisfy secure verification without completing a WebAuthn assertion. Exploitation status is ...

CVSS 4.9 | AI score 5.8 | EPSS 0.00289
Exploits 0 | References 1 | Affected Software 1
OSV
added 2026/03/23 7:24 p.m. | 4 views

CVE-2026-32879 New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAut...

CVSS 4.9 | AI score 6.4 | EPSS 0.00289
Exploits 0 | References 3
EUVD
added 2026/03/23 6:30 p.m. | 2 views

EUVD-2026-14459

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is...

CVSS 6.3 | AI score 5.1 | EPSS 0.00348
Exploits 0 | References 5
OSV
added 2026/03/23 6:16 p.m. | 1 view

GO-2026-4794 Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api...

CVSS 6.9 | AI score 5.8 | EPSS 0.00302
Exploits 1 | References 2
NVD
added 2026/03/23 4:16 p.m. | 3 views

CVE-2026-33488

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the...

CVSS 8.1 | EPSS 0.00251
Exploits 1 | References 2
Cvelist
added 2026/03/23 3:56 p.m. | 27 views

CVE-2026-4592 kalcaddle kodbox Password Login index.class.php tfaVerify improper authentication

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is...

CVSS 6.3 | EPSS 0.00348
Exploits 0 | References 4
ATTACKERKB
added 2026/03/23 3:23 p.m. | 4 views

CVE-2026-33488

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the...

CVSS 7.4 | AI score 5.7 | EPSS 0.00251
Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2026/03/23 3:23 p.m. | 21 views

CVE-2026-33488 AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the...

CVSS 7.4 | EPSS 0.00251
Exploits 1 | References 2
CVE
added 2026/03/23 3:23 p.m. | 7 views

CVE-2026-33488

WWBN AVideo CVE-2026-33488 affects versions up to 26.0 where the LoginControl plugin’s PGP 2FA key generation uses 512-bit RSA keys. The 512-bit modulus is factorable and, if an attacker obtains a user’s public key, can be factored on commodity hardware to derive the private key and decrypt 2FA c...

CVSS 8.1 | AI score 5.7 | EPSS 0.00251
Exploits 1 | References 2 | Affected Software 1
OSV
added 2026/03/23 3:23 p.m. | 4 views

CVE-2026-33488 AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the...

CVSS 7.4 | AI score 5.8 | EPSS 0.00251
Exploits 1 | References 4
CNNVD
added 2026/03/23 12:0 a.m. | 3 views

WWBN AVideo Encryption Issue Vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained vulnerabilities related to encryption. These vulnerabilities stemmed from the use of weak RSA keys and the lack of authentication at the endpoint, which could lead...

CVSS 8.1 | AI score 5.8 | EPSS 0.00251
Exploits 1 | References 2
Veracode
added 2026/03/21 5:10 a.m. | 7 views

Authentication Bypass

ralffreit/mfa-email is vulnerable to Authentication Bypass. The vulnerability is due to failure to properly reset the MFA code after successful authentication, which allows an attacker to bypass MFA by providing an empty code in subsequent login attempts...

CVSS 8.8 | AI score 5.3 | EPSS 0.00256
Exploits 0 | References 5 | Affected Software 1
GitHub Security Blog
added 2026/03/20 8:49 p.m. | 5 views

AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin

Summary: The createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private...

CVSS 8.1 | AI score 5.9 | EPSS 0.00251
Exploits 1 | References 4 | Affected Software 1
OSV
added 2026/03/20 8:49 p.m. | 2 views

GHSA-6M5F-J7W2-W953 AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin

Summary: The createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private...

CVSS 7.4 | AI score 5.9 | EPSS 0.00251
Exploits 1 | References 4
GitHub Security Blog
added 2026/03/20 8:43 p.m. | 8 views

Vikunja has TOTP Reuse During Validity Window

Summary: Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details: The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...

CVSS 5.7 | AI score 5.9 | EPSS 0.00258
Exploits 1 | References 5 | Affected Software 1
OSV
added 2026/03/20 8:43 p.m. | 2 views

GHSA-P747-QC5P-773R Vikunja has TOTP Reuse During Validity Window

Summary: Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details: The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...

CVSS 5.7 | AI score 5.9 | EPSS 0.00258
Exploits 1 | References 5
Snyk
added 2026/03/20 5:25 p.m. | 0 views

Authentication Bypass Using an Alternate Path or Channel

Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...

CVSS 6.9 | AI score 6.4 | EPSS 0.00302
Exploits 1 | References 2
GitHub Security Blog
added 2026/03/20 5:25 p.m. | 4 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary: The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

CVSS 6.9 | AI score 5.8 | EPSS 0.00302
Exploits 1 | References 5 | Affected Software 1
Snyk
added 2026/03/20 5:25 p.m. | 2 views

Authentication Bypass Using an Alternate Path or Channel

Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...

CVSS 6.9 | AI score 5.9 | EPSS 0.00302
Exploits 1 | References 2
OSV
added 2026/03/20 5:25 p.m. | 3 views

GHSA-47CR-F226-R4PQ Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary: The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

CVSS 6.9 | AI score 5.8 | EPSS 0.00302
Exploits 1 | References 5