5018 matches found

Snyk
added 2026/02/06 6:52 p.m.

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the UseRecoveryCode function, which fails to check the supplied userID before validating the second factor. A user in possession of the username and password of another user ca...

CVSS 8.8, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 2

NVD
added 2026/02/06 6:15 p.m.

CVE-2025-64175

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 8.8, EPSS 0.00424
Exploits: 0, References: 1

OSV
added 2026/02/06 5:54 p.m.

GHSA-P6X6-9MX6-26WJ Gogs Vulnerable to 2FA Bypass via Recovery Code

Contact OpenAI Security Research at [email protected] to engage on this report. See PDF report for easier reading. Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI...

CVSS 7.7, AI score 5.8, EPSS 0.00424
Exploits: 0, References: 5

Github Security Blog
added 2026/02/06 5:54 p.m.

Gogs Vulnerable to 2FA Bypass via Recovery Code

Contact OpenAI Security Research at [email protected] to engage on this report. See PDF report for easier reading. Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI...

CVSS 8.8, AI score 5.8, EPSS 0.00424
Exploits: 0, References: 5, Affected Software: 1

Cvelist
added 2026/02/06 5:41 p.m.

CVE-2025-64175 Gogs Vulnerable to 2FA Bypass via Recovery Code

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 7.7, EPSS 0.00424
Exploits: 0, References: 1

ATTACKERKB
added 2026/02/06 5:41 p.m.

CVE-2025-64175

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 7.7, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 2, Affected Software: 1

EUVD
added 2026/02/06 5:41 p.m.

EUVD-2025-206882

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 7.7, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 1

Vulnrichment
added 2026/02/06 5:41 p.m.

CVE-2025-64175 Gogs Vulnerable to 2FA Bypass via Recovery Code

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 7.7, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 1

CVE
added 2026/02/06 5:41 p.m.

CVE-2025-64175

Gogs 2FA bypass CVE-2025-64175 affects version 0.13.3 and earlier. Root cause: the UseRecoveryCode check does not scope recovery codes by user, performing a global lookup for any unused code and ignoring the authenticating user’s ID. Exploitation requires victim credentials, after which an attack...

CVSS 8.8, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2026/02/06 5:41 p.m.

CVE-2025-64175 Gogs Vulnerable to 2FA Bypass via Recovery Code

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code e.g., from their own account to...

CVSS 7.7, AI score 5.5, EPSS 0.00424
Exploits: 0, References: 3

CNNVD
added 2026/02/06 12:00 a.m.

Gogs security vulnerability

Gogs Go Git Service is a self-service Git hosting service developed by the Gogs team using the Go language. It supports creating and migrating public/private repositories, as well as adding and removing repository collaborators. Gogs versions 0.13.3 and earlier have security vulnerabilities. Thes...

CVSS 8.8, AI score 6.1, EPSS 0.00424
Exploits: 0, References: 1

Positive Technologies
added 2026/02/06 12:00 a.m.

PT-2026-6864

Contact OpenAI Security Research at [email protected] to engage on this report. See PDF report for easier reading. Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI...

CVSS 7.7, AI score 5.8, EPSS 0.00424
Exploits: 0, References: 6

Positive Technologies
added 2026/02/06 12:00 a.m.

PT-2026-6751

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.13.4 Gogs versions 0.14.0+dev Description Gogs, an open source self-hosted Git service, has a flaw in its Two-Factor Authentication 2FA recovery code validation process. The validation does not verify that the recovery...

CVSS 9.9, AI score 5.5, EPSS 0.27661
Exploits: 44, References: 122

NVD
added 2026/02/03 7:16 p.m.

CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script...

CVSS 6.2, EPSS 0.003
Exploits: 1, References: 4

CVE
added 2026/02/03 12:27 a.m.

CVE-2025-11173

CVE-2025-11173 affects Wikimedia Foundation OATHAuth via the file src/Special/OATHManage.Php. The issue impacts OATHAuth versions before 1.39.14, 1.43.4, and 1.44.1. Debian advisories (DSA-6085-1) indicate fixes are available: oldstable (bookworm) upgrades to 1:1.39.17-1~deb12u1, stable (trixie) ...

AI score 5.3, EPSS 0.00356
Exploits: 0, References: 2

Vulnrichment
added 2026/02/03 12:27 a.m.

CVE-2025-11173 Reauth for enabling 2FA can be bypassed by submitting a form

Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from before 1.39.14, 1.43.4, 1.44.1...

AI score 5.3, EPSS 0.00356
Exploits: 0, References: 2

Cvelist
added 2026/02/03 12:27 a.m.

CVE-2025-11173 Reauth for enabling 2FA can be bypassed by submitting a form

Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from before 1.39.14, 1.43.4, 1.44.1...

EPSS 0.00356
Exploits: 0, References: 2

The Hacker News
added 2026/01/31 7:58 a.m.

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant on Friday said it identified an "expansion in threat activity" that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing aka vishing and bogus...

AI score 6
Exploits: 0

Tenable Nessus
added 2026/01/31 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-0723

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowe...

CVSS 7.4, AI score 5.9, EPSS 0.00832
Exploits: 0, References: 2

RedhatCVE
added 2026/01/27 3:23 p.m.

CVE-2025-59090

On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled...

CVSS 9.3, AI score 6, EPSS 0.01039
Exploits: 0, References: 1