Lucene search
K

1388 matches found

EUVD
EUVD
added 2026/05/22 3:18 p.m.9 views

EUVD-2026-31450

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

7.6CVSS5.8AI score0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/05/22 3:18 p.m.20 views

CVE-2026-9047

CVE-2026-9047 concerns Devolutions Server for versions 2026.1.6.0 through 2026.1.16.0. The issue is described as improper handling of factor key state in the multi‑factor authentication management feature, enabling an attacker who knows a user’s password to bypass MFA after the user reconfigures ...

7.6CVSS5.8AI score0.00215EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/22 3:18 p.m.7 views

CVE-2026-9047

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

7.6CVSS5.8AI score0.00215EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.10 views

PT-2026-42788

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

5.8AI score0.00215EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.10 views

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. There were security vulnerabilities in the Devolutions Server version 2026.1.6.0 to 2026.1.16.0. These vulnerabilities...

7.6CVSS5.8AI score0.00215EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/05/19 11:30 a.m.15 views

The New Phishing Click: How OAuth Consent Bypasses MFA

In February 2026, a phishing-as-a-service PhaaS platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogi...

5.9AI score
Exploits0
The Hacker News
The Hacker News
added 2026/05/18 1:0 p.m.14 views

How to Reduce Phishing Exposure Before It Turns into Business Disruption

What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread...

5.9AI score
Exploits0
HackRead
HackRead
added 2026/05/15 10:30 a.m.19 views

CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions

Hackers are exploiting Outlook calendar invites and device code phishing to steal M365 session tokens, bypass MFA and breach enterprise accounts...

5.9AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/05/12 8:22 p.m.8 views

CVE-2026-44987

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled non-default, they can res...

3.8CVSS5.7AI score0.00162EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 1:34 p.m.7 views

CVE-2026-43930

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive...

2.1CVSS5.8AI score0.00236EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/12 1:34 p.m.20 views

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

5.9CVSS5.8AI score0.00236EPSS
Exploits0References3Affected Software1
SUSE CVE
SUSE CVE
added 2026/05/12 3:58 a.m.4 views

SUSE CVE-2025-6015

Vault and Vault Enterprise's “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

5.7CVSS5.8AI score0.00286EPSS
Exploits0References3
NVD
NVD
added 2026/05/08 11:16 p.m.21 views

CVE-2026-44987

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled non-default, they can res...

3.8CVSS0.00162EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 9:59 p.m.20 views

CVE-2026-44987

SysReptor (fully customizable pentest reporting platform) has a privilege-escalation issue in versions before 2026.29: users with User Admin permissions can change the emails of users with Superuser permissions. If the installed forgot-password feature is enabled (non-default), these users can re...

3.8CVSS5.7AI score0.00162EPSS
Exploits0References2
Joomla! Vulnerable Extensions List
Joomla! Vulnerable Extensions List
added 2026/05/07 12:0 a.m.5 views

[20260703] - Core - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views...

8.4CVSS5.9AI score
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/06 8:21 p.m.10 views

CVE-2026-28510

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

5.9CVSS5.8AI score0.00254EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/05/06 1:0 p.m.15 views

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

The Iranian state-sponsored hacking group known as MuddyWater aka Mango Sandstorm, Seedworm, and Static Kitten has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social...

5.8AI score
Exploits0
EUVD
EUVD
added 2026/05/05 12:28 p.m.8 views

EUVD-2026-27311

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

5.9CVSS5.8AI score0.00254EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/05 12:28 p.m.11 views

CVE-2026-28510 elabftw allows MFA bypass during login

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

5.9CVSS5.8AI score0.00254EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/05 12:28 p.m.40 views

CVE-2026-28510 elabftw allows MFA bypass during login

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

5.9CVSS0.00254EPSS
Exploits0References2
Rows per page
Query Builder