17 matches found
EUVD-2026-33069
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user to multi-user migration even when the device record has userId = null. In...
CVE-2026-47713 AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user to multi-user migration even when the device record has userId = null. In...
CVE-2026-22880
Mattermost Mobile Apps (versions
Brute Force
Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Brute Force via the authentication endpoints for the mobile client and authwebservice. An attacker can repeatedly attempt to guess user credentials by sending multiple authentication requests withou...
CVE-2025-62399
Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks...
Malicious code in etoro-cordova-prove-mobileauth (npm)
Malicious code in mobile-auth-library-react-native (npm)
Improper Export of Android Application Components
Overview Affected versions of this package are vulnerable to Improper Export of Android Application Components in AuthenticationAgentActivity.cs, which can allow denial of service to applications on the same device using MSAL.NET for authentication. A malicious application installed by the victim...
Vulnerability fixed in SonicWall SSL-VPN products
SonicWall has fixed a vulnerability in SMA 100 series SSL VPNs. An authenticated malicious party can exploit the vulnerability to establish a link to the mobile MFA device of another user and thus potentially gain access to sensitive data in the victim's context. SonicWa...
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors an...
MAL-2023-527 Malicious code in ing-orange-lu-luxtrust-oaw-mobile-authentication (npm)
Source: ghsa-malware c47e898a8d28683ffbebd031a0d10c1a1d610661c8b876689bdc85931ceda9f9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
ZOHO ManageEngine ADSelfService Plus Security Vulnerability
ZOHO ManageEngine ADSelfService Plus is ZOHO's integrated self-service password management and single sign-on solution for Active Directory and cloud applications. A security vulnerability exists in ZOHO ManageEngine ADSelfService Plus prior to version 6218, which originated from a denial of...
FreedomPop Account Hijacking Flaws Remain Unpatched
It took close to two months, but free wireless and mobile provider FreedomPop has acknowledged reports of a serious vulnerability in its service. U.K.-based researcher Paul Moore told Threatpost that FreedomPop, which has been operating in the U.K. since last September, finally responded to a bug...
New Relic: Mobile Authentication Endpoint Credentials Brute-Force Vulnerability
Dear, Your web authentication login endpoint, https://login.newrelic.com/login, currently properly protects against brute-force attacks. After a couple of 100 automated login attempts, a Captcha is required to login to the account under attack, even from a different IP address. Perfect, good job....
PayPal 2FA Bypass Shows Difficulty of Getting Authentication Right
Oftentimes, looking at a given security vulnerability or mistake by a vendor, it’s easy to wonder how on earth the bug got through in the first place or the company didn’t catch the problem earlier. That definitely could have been the case with the recently disclosed bypass of PayPal’s two-factor...
Twitter Downplays SMS-Spoofing Issue
Twitter officials say that a researcher’s claims that the service is open to an SMS-spoofing vulnerability are not completely accurate, and that Twitter users in the United States are not vulnerable to the attack. Moxie Marlinspike of Twitter’s security team said that the company in August had...
When, Not Whether, Is the Question for Mobile Authentication, Research Finds
The findings from a recent study carried out by Microsoft Research and the University of South Carolina suggest that we should be asking ourselves when to require authentication rather than whether to require authentication. The research puts forth the idea of tailoring authentication requirement...