1336 matches found
CVE-2026-9091
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...
BIT-JOOMLA-2026-48896 Joomla! Core - [20260511] - MFA Authentication Bypass
Insufficient state checks lead to a vector that allows to bypass 2FA checks...
CVE-2026-9091
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...
CVE-2026-9091
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that bypasses MFA. The binding-rule path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, so users authenticating through this path are logged in without MFA enforcement...
CVE-2026-9091 CVE-2026-9091
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...
CVE-2026-9091 CVE-2026-9091
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...
Casdoor 安全漏洞
Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained a security vulnerability. This vulnerability stemmed from logical flaws in the social login binding process, allowing users to...
Casdoor contains multiple authentication bypass and access management vulnerabilities
Overview Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language SAML processing, account binding, and token exchange...
PT-2026-44420
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...
Kali365 phishing kit bypasses MFA and steals Microsoft logins
When the Federal Bureau of Investigation FBI publishes a dedicated public service announcement about a new phishing kit, it’s worth paying attention to. The agency is now warning about “Kali365,” a phishing‑as‑a‑service PhaaS platform that helps even low‑skilled attackers hijack Microsoft 365...
CVE-2026-48896 Joomla! Core - [20260511] - MFA Authentication Bypass
Insufficient state checks lead to a vector that allows to bypass 2FA checks...
CVE-2026-48897 Joomla! Core - [20260512] - MFA Authentication Bypass
Insufficient state checks lead to a vector that allows to bypass 2FA checks...
CVE-2026-48897
CVE-2026-48897 relates to the Joomla! Core MFA authentication bypass. The issue is caused by insufficient state checks and, per the linked Joomla security advisory and NVD record, a vector that bypasses 2FA. Consequences stated include high impact on integrity with no confidentiality/availability...
MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
Multi-factor authentication MFA was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal...
CVE-2026-48136 - Authenticated Administrator Role-Based Access Control Bypass in Compliance
Symptoms - When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain CMA can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access...
CVE-2026-9047
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...
CVE-2026-9047
CVE-2026-9047 concerns Devolutions Server for versions 2026.1.6.0 through 2026.1.16.0. The issue is described as improper handling of factor key state in the multi‑factor authentication management feature, enabling an attacker who knows a user’s password to bypass MFA after the user reconfigures ...
CVE-2026-9047
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...
CVE-2026-9047
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...
CVE-2026-9047
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...