CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2025/12/10 12:0 a.m.•3 views

Filament 安全漏洞

Filament is a collection of full-stack components for accelerated Laravel development from the Filament open source. A security vulnerability exists in Filament versions 4.0.0 through 4.3.0, which stems from a flaw in the handling of application-based multi-factor authentication recovery code tha...

8.1CVSS6.7AI score0.00307EPSS

Exploits0References3

Positive Technologies•added 2025/12/10 12:0 a.m.•4 views

PT-2025-50298

Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.3.0 Description Filament, a collection of full-stack components for accelerated Laravel development, has an issue in how it manages recovery codes for application-based multi-factor authentication. The flaw...

8.1CVSS6.9AI score0.00307EPSS

Exploits0References7

CVE•added 2025/12/09 10:38 p.m.•14 views

CVE-2025-67495

ZITADEL’s DOM-Based XSS in Zitadel V2 logout (CVE-2025-67495) affects 4.0.0-rc.1 through 4.7.0 via the /logout endpoint, where the post_logout_redirect parameter could be used to route malicious JavaScript to a user’s browser. The issue requires multiple active sessions in the same browser and is...

8CVSS6.5AI score0.00261EPSS

Exploits0References2Affected Software1

OSV•added 2025/12/09 10:38 p.m.•5 views

CVE-2025-67495 ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the postlogoutredirect GET parameter. As a result, unauthenticate...

8CVSS6.9AI score0.00261EPSS

OSV•added 2025/12/09 5:19 p.m.•3 views

GHSA-PVCV-Q3Q7-266G Filament multi-factor authentication (app) recovery codes can be used multiple times

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and...

8.1CVSS5.5AI score0.00307EPSS

RedhatCVE•added 2025/12/09 12:29 p.m.•29 views

CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password OTP attempts during Two-Factor Authentication 2FA verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

8.1CVSS7AI score0.00324EPSS

RedhatCVE•added 2025/12/09 8:27 a.m.•8 views

CVE-2025-66558

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would...

4.3CVSS6.6AI score0.00226EPSS

Positive Technologies•added 2025/12/09 12:0 a.m.•2 views

PT-2025-50278

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0-rc.1 through 4.7.0 Description ZITADEL, an open-source identity infrastructure tool, is susceptible to a DOM-Based Cross-Site Scripting XSS issue through the Zitadel V2 logout endpoint. The /logout API endpoint insecurel...

8CVSS6.3AI score0.00261EPSS

Snyk•added 2025/12/08 10:20 p.m.•3 views

Cross-site Scripting (XSS)

Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Cross-site Scripting XSS via the postlogoutredirect parameter in the logout process. An attacker can execute arbitrary JavaScript code in the context ...

8CVSS5.6AI score0.00261EPSS

Snyk•added 2025/12/08 10:19 p.m.•1 views

Open Redirect

Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain...

8.5CVSS7.3AI score

NVD•added 2025/12/08 12:16 p.m.•3 views

CVE-2025-42615

8.1CVSS0.00324EPSS

EUVD•added 2025/12/08 12:1 p.m.•3 views

EUVD-2025-201703

8.1CVSS6.5AI score0.00324EPSS

Vulnrichment•added 2025/12/08 12:1 p.m.•2 views

CVE-2025-42615 Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup

8.1CVSS6.6AI score0.00324EPSS

Malwarebytes•added 2025/12/08 8:3 a.m.•5 views

A week in security (December 1 – December 7)

Last week on Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running How scammers use fake insurance texts to steal your identity Canadian police trialing facial recognition bodycams Update Chrome now: Google fixes 13 security issues affecting billions Attackers...

7.1AI score

Exploits0

Positive Technologies•added 2025/12/08 12:0 a.m.•3 views

PT-2025-49549

8.1CVSS7AI score0.00324EPSS

RedhatCVE•added 2025/12/05 9:34 p.m.•9 views

CVE-2025-27935

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

8.6CVSS7.1AI score0.00367EPSS

NVD•added 2025/12/05 6:15 p.m.•4 views

CVE-2025-66558

4.3CVSS0.00226EPSS

EUVD•added 2025/12/05 6:0 p.m.•3 views

EUVD-2025-201460

3.1CVSS6.1AI score0.00226EPSS