5018 matches found

NVD
added 2026/03/20 12:16 a.m., 3 views

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVSS 6.5, EPSS 0.00306
Exploits 0, References 1
Positive Technologies
added 2026/03/20 12:00 a.m., 3 views

PT-2026-26763

Name of the Vulnerable Software and Affected Versions: Vikunja (affected versions not specified). Description: A flaw exists where a Time-based One-Time Password (TOTP) used for successful 2FA authentication can be reused within its 30-second validity window, allowing subsequent authentication attempts...

CVSS 5.7, AI score 5.9, EPSS 0.00258
Exploits 1, References 7
Positive Technologies
added 2026/03/20 12:00 a.m., 4 views

PT-2026-26752

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.1.0. Description: The Caldav endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...

CVSS 6.9, AI score 5.9, EPSS 0.00302
Exploits 1, References 6
GitLab Advisory Database
added 2026/03/20 12:00 a.m., 6 views

Vikunja has TOTP Reuse During Validity Window

Any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window...

CVSS 5.7, AI score 5.8, EPSS 0.00258
Exploits 1, References 6, Affected Software 1
GitLab Advisory Database
added 2026/03/20 12:00 a.m., 7 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...

CVSS 6.9, AI score 5.8, EPSS 0.00302
Exploits 1, References 6, Affected Software 1
EUVD
added 2026/03/19 11:10 p.m., 3 views

EUVD-2026-13372

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVSS 6.5, AI score 5.8, EPSS 0.00306
Exploits 0, References 1
ATTACKERKB
added 2026/03/19 11:10 p.m., 4 views

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVSS 6.5, AI score 5.8, EPSS 0.00306
Exploits 0, References 2, Affected Software 1
Microsoft Secure
added 2026/03/19 3:00 p.m., 4 views

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

In this article: 1. A wide range of tax-themed campaigns; 2. How to protect users and organizations against tax-themed campaigns; 3. Microsoft Defender detection and hunting guidance; 4. Indicators of compromise. During tax season, threat actors reliably take advantage of the urgency and familiarity of...

AI score 6
Exploits 0
Positive Technologies
added 2026/03/19 12:00 a.m., 5 views

PT-2026-26446

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVSS 6.5, AI score 5.8, EPSS 0.00306
Exploits 0, References 3
Tenable Nessus
added 2026/03/19 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-25937

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's...

CVSS 6.5, AI score 5.9, EPSS 0.00292
Exploits 0, References 2
NVD
added 2026/03/18 11:17 p.m., 3 views

CVE-2026-32730

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, EPSS 0.00362
Exploits 1, References 1
Cvelist
added 2026/03/18 10:00 p.m., 20 views

CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, EPSS 0.00362
Exploits 1, References 1
ATTACKERKB
added 2026/03/18 10:00 p.m., 1 view

CVE-2026-32730

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, AI score 5.8, EPSS 0.00362
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/03/18 10:00 p.m., 2 views

CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, AI score 5.8, EPSS 0.00362
Exploits 1, References 1
CVE
added 2026/03/18 10:00 p.m., 10 views

CVE-2026-32730

CVE-2026-32730 affects ApostropheCMS: the bearer token authentication flow can bypass MFA/TOTP if a password-verification token (incompleteToken) is used as a bearer token. The root cause is a MongoDB query bug in the getBearer() logic: it checks for requirementsToVerify with $ne: [] (not equal t...

CVSS 8.1, AI score 5.8, EPSS 0.00362
Exploits 1, References 1, Affected Software 1
OSV
added 2026/03/18 10:00 p.m., 4 views

CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, AI score 5.9, EPSS 0.00362
Exploits 1, References 3
Snyk
added 2026/03/18 7:48 p.m., 2 views

Authentication Bypass by Primary Weakness

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 9.2, AI score 5.9, EPSS 0.00362
Exploits 1, References 2
EUVD
added 2026/03/18 7:48 p.m., 4 views

EUVD-2026-12975

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware...

CVSS 8.1, AI score 5.8, EPSS 0.00362
Exploits 1, References 1
Github Security Blog
added 2026/03/18 7:48 p.m., 6 views

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware. Summary: The bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1, AI score 5.9, EPSS 0.00362
Exploits 1, References 3, Affected Software 1
CISA
added 2026/03/18 12:00 p.m., 12 views

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.[1] To defend against similar malicious cyber...

AI score 5.9
Exploits 0, References 10