5018 matches found

ATTACKERKB
added 2026/03/05 7:20 p.m. | 3 views

CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 6 | EPSS: 0.00323
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2026/03/05 7:20 p.m. | 8 views

CVE-2026-21621

CVE-2026-21621 affects the Hex.pm application (hexpm/hexpm). The vulnerability arises from the OAuth client_credentials flow in Elixir.HexpmWeb.API.OAuthController (validate_scopes_against_key/2), where a read-only API key (domain: api, resource: read) loses its scope and is issued a broad api sc...

CVSS: 7 | AI score: 6 | EPSS: 0.00323
Exploits: 0 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/03/05 7:20 p.m. | 10 views

CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00323
Exploits: 0 | References: 4

OSV
added 2026/03/05 7:20 p.m. | 6 views

EEF-CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 6 | EPSS: 0.00323
Exploits: 0 | References: 3

HackRead
added 2026/03/05 12:53 p.m. | 7 views

Authorities Shut Down Tycoon 2FA Phishing Platform Used to Bypass MFA

Europol and partners dismantle Tycoon 2FA phishing service used to bypass MFA, disrupting a global phishing-as-a-service operation targeting organisations...

AI score: 5.9
Exploits: 0

The Hacker News
added 2026/03/05 11:0 a.m. | 10 views

Where Multi-Factor Authentication Stops and Credential Abuse Starts

Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but...

AI score: 6.2
Exploits: 0

SUSE CVE
added 2026/03/05 6:55 a.m. | 2 views

SUSE CVE-2025-64175

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00424
Exploits: 0 | References: 3

The Hacker News
added 2026/03/05 6:51 a.m. | 7 views

Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

Tycoon 2FA, one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies. The subscription-based phishing kit,...

AI score: 6
Exploits: 0

EUVD
added 2026/03/05 6:30 a.m. | 4 views

EUVD-2026-9791

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVSS: 6.9 | AI score: 5.9 | EPSS: 0.00339
Exploits: 0 | References: 3

NVD
added 2026/03/05 6:16 a.m. | 4 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVSS: 6.9 | EPSS: 0.00339
Exploits: 0 | References: 2

OSV
added 2026/03/05 6:16 a.m. | 3 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVSS: 6.5 | AI score: 5.7
Exploits: 0 | References: 2

Cvelist
added 2026/03/05 5:31 a.m. | 25 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVSS: 6.9 | EPSS: 0.00339
Exploits: 0 | References: 2

ATTACKERKB
added 2026/03/05 5:31 a.m. | 2 views

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVSS: 6.9 | AI score: 5.9 | EPSS: 0.00339
Exploits: 0 | References: 3 | Affected Software: 3

Japan Vulnerability Notes
added 2026/03/05 3:36 a.m. | 8 views

EC-CUBE vulnerable to multi-factor authentication bypass

Overview: EC-CUBE provided by EC-CUBE CO.,LTD. contains the following vulnerability. Authentication bypass using an alternate path or channel (CWE-288) - CVE-2026-30777. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LT...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00339
Exploits: 0 | References: 5

CNNVD
added 2026/03/05 12:0 a.m. | 5 views

EC-CUBE Security Vulnerability

EC-CUBE is an open-source e-commerce system developed by the Japanese company EC-CUBE. There is a security vulnerability in EC-CUBE, which stems from the possibility of bypassing multi-factor authentication. This vulnerability could allow attackers to access the management page without being...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00339
Exploits: 0 | References: 2

Positive Technologies
added 2026/03/05 12:0 a.m. | 5 views

PT-2026-23136

Name of the Vulnerable Software and Affected Versions: EC-CUBE (affected versions not specified). Description: The software contains a multi-factor authentication (MFA) bypass. An attacker with a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00339
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/05 12:0 a.m. | 4 views

PT-2026-23497

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a...

CVSS: 7 | AI score: 6 | EPSS: 0.00323
Exploits: 0 | References: 3

Snyk
added 2026/03/04 10:53 p.m. | 0 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

CVSS: 8.3 | AI score: 5.7 | EPSS: 0.00318
Exploits: 0 | References: 2

Snyk
added 2026/03/04 10:53 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

CVSS: 8.3 | AI score: 5.7 | EPSS: 0.00318
Exploits: 0 | References: 2

Snyk
added 2026/03/04 10:53 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

CVSS: 8.3 | AI score: 5.7 | EPSS: 0.00318
Exploits: 0 | References: 2