Lucene search
K

1230 matches found

Snyk
Snyk
added 2026/03/18 7:48 p.m.3 views

Authentication Bypass by Primary Weakness

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

9.2CVSS5.9AI score0.00362EPSS
Exploits1References2
CISA
CISA
added 2026/03/18 12:0 p.m.13 views

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.1 To defend against similar malicious cyber...

5.9AI score
Exploits0References10
NVD
NVD
added 2026/03/18 12:16 a.m.6 views

CVE-2026-25937

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...

6.5CVSS0.00292EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.14 views

GLPI 授权问题漏洞

GLPI is an open-source IT and asset management software developed by GLPI. This software provides a comprehensive IT resource management interface, allowing you to create databases to manage various IT assets such as computers, monitors, servers, printers, network devices, telephones, and even...

6.5CVSS5.8AI score0.00292EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.7 views

ApostropheCMS 安全漏洞

ApostropheCMS is a full-stack content management system open source by Apostrophe Technologies. Versions of ApostropheCMS prior to 4.28.0 contained security vulnerabilities, which were caused by incorrect MongoDB queries and could lead to bypassing multi-factor authentication...

8.1CVSS5.8AI score0.00362EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/17 11:16 p.m.3 views

CVE-2026-25937 GLPI has a MFA bypass

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...

6.5CVSS5.8AI score0.00292EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/17 11:16 p.m.3 views

CVE-2026-25937

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...

6.5CVSS5.8AI score0.00292EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/17 11:16 p.m.32 views

CVE-2026-25937 GLPI has a MFA bypass

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...

6.5CVSS0.00292EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/17 9:31 a.m.5 views

EUVD-2026-12554

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS5.8AI score0.00256EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/17 9:31 a.m.6 views

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

8.8CVSS5.8AI score0.00256EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/03/17 8:34 a.m.34 views

CVE-2026-4208 Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS0.00256EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/13 7:15 p.m.3 views

EUVD-2026-12081

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

5CVSS5.9AI score0.00097EPSS
Exploits0References1
CVE
CVE
added 2026/03/13 7:15 p.m.13 views

CVE-2026-31798

CVE-2026-31798 affects JumpServer’s Custom SMS API Client. The root cause is improper certificate validation, enabling an attacker to intercept MFA/OTP verification codes before delivery to the user’s phone. Impact is limited to credentials/OTP confidentiality with network exposure, as per the pr...

5CVSS5.9AI score0.00097EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/03/13 7:15 p.m.8 views

CVE-2026-31798 JumpServer Improper Certificate Validation in Custom SMS API Client

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

5CVSS5.9AI score0.00097EPSS
Exploits0References3
OSV
OSV
added 2026/03/13 12:28 p.m.3 views

BIT-PARSE-2026-31875 Parse Server MFA recovery codes not consumed after use

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a...

8.2CVSS5.8AI score0.0044EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/11 6:30 p.m.5 views

Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

4.2CVSS5.8AI score0.00251EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2026/03/11 6:30 p.m.8 views

GHSA-8G9R-9WJW-37J4 Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

4.2CVSS5.9AI score0.00251EPSS
Exploits0References8
NVD
NVD
added 2026/03/11 6:16 p.m.4 views

CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...

8.2CVSS0.0044EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/11 6:4 p.m.5 views

CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...

8.2CVSS5.8AI score0.0044EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/11 6:4 p.m.3 views

CVE-2026-31875 Parse Server MFA recovery codes not consumed after use

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...

8.2CVSS5.8AI score0.0044EPSS
Exploits0References3
Rows per page
Query Builder