Lucene search
K

1406 matches found

NVD
NVD
added 2 days ago8 views

CVE-2026-56308

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...

8.4CVSS0.00244EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-43230

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...

8.4CVSS6.1AI score0.00244EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago27 views

CVE-2026-56308 Capgo - Insufficient Authentication in Email Change Endpoint

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...

8.4CVSS0.00244EPSS
Exploits0References2
NVD
NVD
added 4 days ago7 views

CVE-2026-55377

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...

8.1CVSS0.00259EPSS
Exploits0References4
NVD
NVD
added 4 days ago6 views

CVE-2026-55370

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...

6.4CVSS0.00199EPSS
Exploits0References4
OSV
OSV
added 4 days ago2 views

CVE-2026-55377 Logto: Account Center MFA management step-up bypass via WebAuthn registration verification

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...

8.1CVSS6.1AI score0.00259EPSS
Exploits0References6
CVE
CVE
added 4 days ago12 views

CVE-2026-55377

Technical details about CVE-2026-55377 are not publicly available in the provided documents. Monitor for updates.

8.1CVSS6.1AI score0.00259EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-43011

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...

6.4CVSS6.1AI score0.00199EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-55370 Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...

6.4CVSS0.00199EPSS
Exploits0References4
CVE
CVE
added 4 days ago10 views

CVE-2026-55370

Technical details about CVE-2026-55370 are not publicly available in the provided documents. Monitor for updates.

6.4CVSS6.1AI score0.00199EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 5:29 p.m.33 views

CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS0.00147EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 5:29 p.m.8 views

CVE-2026-48949

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS5.9AI score0.00147EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/07/07 5:29 p.m.7 views

CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS5.9AI score0.00147EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/07 5:29 p.m.5 views

EUVD-2026-42060

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS5.9AI score0.00147EPSS
Exploits0References1
CVE
CVE
added 2026/07/07 5:29 p.m.12 views

CVE-2026-48949

CVE-2026-48949 affects Joomla! Core — XSS in MFA method management due to lack of input validation in MFA management views. Affected component: core MFA method management in Joomla. Root cause: insufficient validation enabling cross-site scripting. Impact: XSS in MFA management interfaces; exact ...

8.4CVSS5.9AI score0.00147EPSS
Exploits0References1Affected Software1
The Hacker News
The Hacker News
added 2026/07/07 3:14 p.m.18 views

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a...

6.1AI score
Exploits0
OSV
OSV
added 2026/07/07 11:45 a.m.4 views

PYSEC-2026-2005 vantage6 vulnerable to a username timing attack on recover password/MFA token

Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost, which send emails to users if they have lost their password or MFA token. Usernames can be...

5.3CVSS6.1AI score0.00394EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.9 views

PT-2026-56222

Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description Insufficient validation in the MFA management views allows for Cross-Site Scripting XSS, a technique where malicious scripts are injected into trusted websites. Recommendations At the...

8.4CVSS6.1AI score0.00147EPSS
Exploits0References5
CVE
CVE
added 2026/07/06 7:23 p.m.13 views

CVE-2026-14536

CVE-2026-14536 affects Devolutions Server 2026.2.9.0. The issue is improper enforcement of a mandatory multi-factor authentication policy, allowing an attacker with valid credentials to bypass MFA and authenticate without completing MFA due to an invalid default MFA value. The available sources d...

8.8CVSS6AI score0.00231EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/07/06 7:23 p.m.6 views

EUVD-2026-41905

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

6AI score0.00231EPSS
Exploits0References1
Rows per page
Query Builder