CVE-2026-31282
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because 1 local log...
PT-2026-32359
Name of the Vulnerable Software and Affected Versions Totara LMS versions prior to 19.1.6 Description Incorrect Access Control allows the login page code to be manipulated to reveal the login form. This can be combined with a missing rate-limit on the login form to facilitate a brute force attack...
HCL Velocity Security Vulnerability
HCL Velocity is a value stream management and release platform developed by the Indian company HCL. HCL Velocity has a security vulnerability that stems from rate limits not being enforced for certain API calls, which can lead to denial-of-service attacks...
GO-2026-4331 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings...
CVE-2025-27157
Mastodon rate-limits are missing on /auth/setup in versions 4.2.0–4.2.15 and 4.3.0–4.3.3, enabling an attacker to craft requests that send emails to arbitrary addresses. The issue is fixed in 4.2.16 and 4.3.4. This CVE description documents the affected versions and the remediation. If exploiting...
Cuvva: Missing rate-limits at endpoints
This is similar to 230674, but it turns out we missed out a key endpoint while fixing that one - the legacy POST /1/verificationtokensend used by older apps on our system. This has now been resolved: Thanks to @introvertmac for flagging this!...