Lucene search
+L

2195 matches found

CVE
CVE
added yesterday9 views

CVE-2024-23565

CVE-2024-23565 affects HCL Aftermarket EPC. The vulnerability arises from a lack of proper mail-rate limiting in the Forget Password workflow, allowing email flooding by a human attacker or automated process (virus/bot). Consequences cited include potential denial of service and logic/other impac...

5.3CVSS5.4AI score
Exploits0References1
CVE
CVE
added 2 days ago17 views

CVE-2026-63089

CVE-2026-63089 – WireGuard Easy : A cryptographically weak one-time link token generation in WireGuard Easy (through 15.3.0) allows unauthenticated network attackers to recover peer credentials. The token is computed as CRC32 over a random value constrained to 0-999, enabling brute-forcing a keys...

9.3CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45013

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as...

9.3CVSS6.1AI score
Exploits0References3
NVD
NVD
added 2 days ago6 views

CVE-2026-44596

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attack...

9.8CVSS0.00052EPSS
Exploits3References5
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-44596 Yamcs: No Rate Limiting on Authentication Endpoint

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attack...

6.5CVSS0.00052EPSS
Exploits3References5
CVE
CVE
added 2 days ago44 views

CVE-2026-44596

Summary (CVE-2026-44596) Yamcs’ authentication endpoint POST /auth/token (in yamcs-core) lacked rate limiting, account lockout, and throttling for failed attempts prior to v5.12.7. An unauthenticated remote attacker could perform unlimited password-guessing against any user account, enabling brut...

9.8CVSS6.2AI score0.00052EPSS
Exploits3References5Affected Software1
RedhatCVE
RedhatCVE
added 2 days ago8 views

CVE-2026-8609

A flaw was found in Grafana. An unauthenticated attacker can repeatedly access the OAuth login route with unique values. This can lead to unbounded memory growth, eventually exhausting system memory and causing the Grafana instance to crash. This results in a denial of service for legitimate user...

7.5CVSS6.1AI score0.00397EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago10 views

PT-2026-60569

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as...

9.3CVSS6.1AI score
Exploits0References5
RedhatCVE
RedhatCVE
added 4 days ago9 views

CVE-2026-53539

A flaw was found in Python-Multipart, a streaming multipart parser. A remote attacker can exploit this vulnerability by submitting a specially crafted application/x-www-form-urlencoded body. This can cause the QuerystringParser to perform inefficient processing, leading to excessive CPU...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-43560

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS6.1AI score0.00304EPSS
Exploits0References3
NVD
NVD
added 5 days ago7 views

CVE-2026-61458

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS0.00304EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-61458 PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS0.00304EPSS
Exploits0References2
CVE
CVE
added 5 days ago10 views

CVE-2026-61458

PasswordPusher

8.7CVSS6.1AI score0.00304EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-57885

Name of the Vulnerable Software and Affected Versions PasswordPusher versions prior to 2.9.2 Description An issue exists where passphrase-protected pushes are susceptible to brute-force attacks. The 'POST /p/:token/access' endpoint lacks route-specific rate limiting and per-push lockout mechanism...

8.7CVSS6.1AI score0.00304EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 5:17 p.m.10 views

CVE-2026-59897

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

5.3CVSS0.00126EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 4:6 p.m.34 views

CVE-2026-59897 Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS0.00126EPSS
Exploits0References3
NVD
NVD
added 2026/07/06 11:16 p.m.10 views

CVE-2026-53646

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client from a previous unexpired reset request, subsequent calls to the resetpassword guest API endpoint reuse the existing token instea...

7.7CVSS0.00215EPSS
Exploits1References1
OSV
OSV
added 2026/07/06 10:58 p.m.6 views

CVE-2026-53646 FOSSBilling: Client password reset token reuse allows persistent account takeover

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client from a previous unexpired reset request, subsequent calls to the resetpassword guest API endpoint reuse the existing token instea...

7.7CVSS6AI score0.00215EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/06 9:10 p.m.32 views

CVE-2026-41899 Coolify unauthenticated feedback endpoint allows Discord webhook abuse

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling...

6.5CVSS0.003EPSS
Exploits0References3
CVE
CVE
added 2026/07/06 9:10 p.m.15 views

CVE-2026-41899

CVE-2026-41899 affects Coolify prior to 4.0.0-beta.474. The POST /api/feedback endpoint is unauthenticated, lacks rate limiting and input validation, allowing arbitrary content to reach a Discord webhook and enabling spam, content injection, and webhook abuse. Remediation: upgrade to Coolify 4.0....

6.5CVSS6AI score0.003EPSS
Exploits0References3
Rows per page
Query Builder