PT-2025-49302
Name of the Vulnerable Software and Affected Versions: Nextcloud Twofactor WebAuthn versions prior to 1.4.2; Nextcloud Twofactor WebAuthn versions prior to 2.4.1. Description: A missing ownership check allows an attacker to remove a user's WebAuthn two-factor authentication device by correctly guessi...
WebAuthn second factor provider for Nextcloud security vulnerability
WebAuthn second factor provider for Nextcloud is open source two-factor authentication software from Nextcloud. A security vulnerability exists in WebAuthn second factor provider for Nextcloud versions prior to 1.4.2 and prior to 2.4.1, which stems from a lack of ownership checking and could...
CVE-2025-27935
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
CVE-2025-27935 Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
EUVD-2025-201281
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
Ping Identity One-Time Passcode Integration Kit for PingFederate security vulnerability
Ping Identity One-Time Passcode Integration Kit for PingFederate is a suite of software tools and adapters from Ping Identity USA. A security vulnerability exists in Ping Identity One-Time Passcode Integration Kit for PingFederate that stems from not properly validating the HTTP method and state,...
PT-2025-49136
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
Attackers have a new way to slip past MFA in educational orgs
Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions, letting them bypass the need for a multi-factor authentication (MFA) token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...
WordPress WP 2FA plugin <= 2.9.3 - 2-Factor Authentication Bypass vulnerability
2-Factor Authentication Bypass vulnerability discovered by Benjamin Nadarević in WordPress Plugin WP 2FA versions <= 2.9.3...
EUVD-2025-200110
Grav is vulnerable to Arbitrary File Read...
CVE-2025-66300 Grav is vulnerable to Arbitrary File Read
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files /grav/user/accounts/*.yaml, which store hashed user password, 2FA secret, and the password...
CVE-2025-66300
Grav is a file-based CMS affected by CVE-2025-66300. A low-privilege user with page-editing rights could exploit path traversal via the Frontmatter form to read server files, including Grav user accounts located at /grav/user/accounts/*.yaml, exposing password hashes, 2FA secrets, and password-re...
CVE-2025-66295
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences, for example ..\Nijat or ../Nijat, Grav writes the account YAML file to an unintended path...
PT-2025-48559
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27. Description: A user with limited privileges and page editing access can read any server file using the "Frontmatter" form. This includes Grav user account files located at /grav/user/accounts/*.yaml, which...
FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams
The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied size...
CVE-2025-12628
The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them...
Linux Distros Unpatched Vulnerability : CVE-2025-62398
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising...
EUVD-2025-198648
The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them...