1242 matches found
CVE-2026-56308
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...
EUVD-2026-43230
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...
CVE-2026-55377
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...
CVE-2026-55370
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...
CVE-2026-55377
Technical details about CVE-2026-55377 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-55370
Technical details about CVE-2026-55370 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-55370 Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation)
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...
CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management
Lack of validation leads to an XSS vulnerability in the MFA management views...
CVE-2026-48949
Lack of validation leads to an XSS vulnerability in the MFA management views...
CVE-2026-48949
CVE-2026-48949 affects Joomla! Core — XSS in MFA method management due to lack of input validation in MFA management views. Affected component: core MFA method management in Joomla. Root cause: insufficient validation enabling cross-site scripting. Impact: XSS in MFA management interfaces; exact ...
CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management
Lack of validation leads to an XSS vulnerability in the MFA management views...
EUVD-2026-42060
Lack of validation leads to an XSS vulnerability in the MFA management views...
DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a...
PT-2026-56222
Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description Insufficient validation in the MFA management views allows for Cross-Site Scripting XSS, a technique where malicious scripts are injected into trusted websites. Recommendations At the...
CVE-2026-14536
CVE-2026-14536 affects Devolutions Server 2026.2.9.0. The issue is improper enforcement of a mandatory multi-factor authentication policy, allowing an attacker with valid credentials to bypass MFA and authenticate without completing MFA due to an invalid default MFA value. The available sources d...
EUVD-2026-41905
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...
CVE-2026-14536
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...
PT-2026-55970
Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.9.0 Description Improper enforcement of a mandatory multi-factor authentication policy allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing...
Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface CLI, compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range 2a0a:d683::/32 controlled by...
CVE-2026-56350
n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor...