Lucene search
+L

655 matches found

NVD
NVD
added 8 hours ago6 views

CVE-2026-16072

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS
Exploits0References2
CVE
CVE
added 9 hours ago7 views

CVE-2026-16072

CVE-2026-16072 affects Keycloak’s organization management component. A delegated administrator with org-management permissions can create an invitation for a non-existent email address and then fetch the secret registration link via the API, enabling creation of new user accounts and their additi...

4.9CVSS5.3AI score
Exploits0References2
NVD
NVD
added 2 days ago5 views

CVE-2026-53514

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation,...

7.7CVSS0.00202EPSS
Exploits0References4
OSV
OSV
added 2 days ago4 views

CVE-2026-53514 Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation,...

7.7CVSS6.1AI score0.00202EPSS
Exploits0References6
CVE
CVE
added 2 days ago12 views

CVE-2026-53514

Better Auth (organization plugin) exposes a vulnerability where an attacker with an unverified session for the invited email and a leaked invitationId can join the organization by calling acceptInvitation/rejectInvitation/getInvitation/listUserInvitations, due to email-string ownership checks not...

7.7CVSS6.1AI score0.00202EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile

Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teamsinvitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session base...

9.9CVSS0.00283EPSS
Exploits0References4
CVE
CVE
added 2 days ago17 views

CVE-2026-44986

CVE-2026-44986 affects Penpot prior to 2.14.5. The issue allows a pre-authenticated account takeover via team invitation tokens: tokens from create-team-invitations were exposed, an existing profile id was embedded in auth.clj prepare-register-profile, and auth.clj register-profile could issue a ...

9.9CVSS6.1AI score0.00283EPSS
Exploits0References4
OSV
OSV
added 2 days ago4 views

CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile

Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teamsinvitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session base...

9.9CVSS6.1AI score0.00283EPSS
Exploits0References6
NVD
NVD
added 2 days ago5 views

CVE-2026-56339

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescindinvitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages NOORG vs...

8.7CVSS0.00276EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44623

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescindinvitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages NOORG vs...

8.7CVSS6.1AI score0.00276EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-56339 Capgo - Unauthenticated Organization Existence Enumeration via rescind_invitation RPC

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescindinvitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages NOORG vs...

8.7CVSS0.00276EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-56339 Capgo - Unauthenticated Organization Existence Enumeration via rescind_invitation RPC

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescindinvitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages NOORG vs...

8.7CVSS6.1AI score0.00276EPSS
Exploits0References4
NVD
NVD
added 2026/07/10 3:16 p.m.11 views

CVE-2026-56312

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS0.00275EPSS
Exploits0References2
CVE
CVE
added 2026/07/10 1:57 p.m.8 views

CVE-2026-56312

Capgo before 12.128.2 is affected by an improper validation vulnerability in the accept_invitation endpoint. The issue allows bypassing captcha validation to create user accounts, potentially wasting invite links and enabling unauthorized account creation. Affected product/version: Capgo prior to...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 1:57 p.m.30 views

CVE-2026-56312 Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS0.00275EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/10 1:57 p.m.7 views

EUVD-2026-42884

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 1:57 p.m.3 views

CVE-2026-56312 Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/07/07 8:54 p.m.7 views

Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth with the organization plugin import organization from "better-auth/plugins/organization". - Their application enables a sign-up surface that allows arbitrary unverified email registration. Mos...

7.7CVSS6AI score0.00202EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/07/07 8:54 p.m.6 views

Missing Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Missing Authorization in the acceptInvitation function of the organization plugin when the system relies solely on an unverified email-string equality check ...

7.7CVSS6.1AI score0.00202EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/07/07 8:54 p.m.5 views

NPM: Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin

NPM: Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...

7.7CVSS5.9AI score0.00202EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder