5004 matches found

NVD
added 2026/05/28 5:16 p.m. | 8 views

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

CVSS 5.3 | EPSS 0.00037
Exploits: 0 | References: 1
CVE
added 2026/05/28 4:19 p.m. | 9 views

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that bypasses MFA. The binding-rule path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, so users authenticating through this path are logged in without MFA enforcement...

CVSS 5.3 | AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/28 4:19 p.m. | 8 views

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 1
Cvelist
added 2026/05/28 4:19 p.m. | 27 views

CVE-2026-9091

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

EPSS 0.00037
Exploits: 0 | References: 1
CNNVD
added 2026/05/28 12:00 a.m. | 10 views

Casdoor security vulnerability

Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained a security vulnerability. This vulnerability stemmed from logical flaws in the social login binding process, allowing users to...

CVSS 5.3 | AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/28 12:00 a.m. | 11 views

PT-2026-44707

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2...

CVSS 5.1 | AI score 5.8 | EPSS 0.00029
Exploits: 1 | References: 3
Tenable Nessus
added 2026/05/28 12:00 a.m. | 12 views

Debian dla-4602 : lemonldap-ng - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4602 advisory. Debian LTS Advisory DLA-4602-1 [email protected]...

CVSS 8 | AI score 6 | EPSS 0.00064
Exploits: 0 | References: 6
CERT
added 2026/05/28 12:00 a.m. | 7 views

Casdoor contains multiple authentication bypass and access management vulnerabilities

Overview: Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language (SAML) processing, account binding, and token exchange...

CVSS 9.8 | AI score 5.9 | EPSS 0.00054
Exploits: 0
CNNVD
added 2026/05/28 12:00 a.m. | 6 views

Drupal TFA Basic Plugins security vulnerability

Drupal TFA Basic Plugins is a set of Drupal two-factor authentication extensions developed by the Drupal company. Versions 7.x-1.0 to 7.x-1.2 of Drupal TFA Basic Plugins contain security vulnerabilities. These vulnerabilities stem from access bypass issues, which could allow users with...

CVSS 5.1 | AI score 5.8 | EPSS 0.00029
Exploits: 1 | References: 2
Positive Technologies
added 2026/05/28 12:00 a.m. | 7 views

PT-2026-44420

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 2
Malwarebytes
added 2026/05/27 11:41 a.m. | 9 views

Kali365 phishing kit bypasses MFA and steals Microsoft logins

When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it’s worth paying attention to. The agency is now warning about “Kali365,” a phishing‑as‑a‑service (PhaaS) platform that helps even low‑skilled attackers hijack Microsoft 365...

AI score 5.9
Exploits: 0
Ubuntu
added 2026/05/27 8:39 a.m. | 10 views

USN-8315-1: MediaWiki vulnerabilities

It was discovered that MediaWiki incorrectly handled group membership visibility in the OATHAuth extension. An authenticated attacker could use this issue to determine if other users had two-factor authentication enabled. CVE-2026-34087 It was discovered that MediaWiki incorrectly handled...

CVSS 7.5 | AI score 5.8 | EPSS 0.0004
Exploits: 0
OSV
added 2026/05/27 8:39 a.m. | 4 views

USN-8315-1 mediawiki vulnerabilities

It was discovered that MediaWiki incorrectly handled group membership visibility in the OATHAuth extension. An authenticated attacker could use this issue to determine if other users had two-factor authentication enabled. CVE-2026-34087 It was discovered that MediaWiki incorrectly handled...

CVSS 7.5 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 4
Cvelist
added 2026/05/27 5:31 a.m. | 27 views

CVE-2026-8903 Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update

The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to...

CVSS 4.3 | EPSS 0.00023
Exploits: 0 | References: 4
EUVD
added 2026/05/27 5:31 a.m. | 9 views

EUVD-2026-32073

The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to...

CVSS 4.3 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 4
Vulnrichment
added 2026/05/27 5:31 a.m. | 9 views

CVE-2026-8903 Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update

The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to...

CVSS 4.3 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 4
CVE
added 2026/05/27 5:31 a.m. | 12 views

CVE-2026-8903

The CVE concerns the WordPress plugin “Two-factor authentication (formerly IP Vault)” up to version 2.1. It is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in ipv_save_changes. This allows unauthenticated attackers to modify the plugin’s firewall and two-f...

CVSS 4.3 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 4
CNNVD
added 2026/05/27 12:00 a.m. | 6 views

WordPress plugin Two-factor authentication cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 4.3 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 4
Patchstack
added 2026/05/26 5:22 p.m. | 7 views

WordPress Two-factor authentication (formerly IP Vault) plugin <= 2.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin IP Vault – WP Firewall versions <= 2.1...

CVSS 4.3 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2026/05/26 5:16 p.m. | 12 views

CVE-2026-48897

Insufficient state checks lead to a vector that allows bypassing 2FA checks...

CVSS 8.2 | EPSS 0.00002
Exploits: 0 | References: 1