Lucene search
+L

304 matches found

ptsecurity
ptsecurity
added 4 days ago7 views

PT-2026-57554

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Insufficient verification during the email change process allows an attacker with access to a valid session cookie or an authenticated browser to change the account email address. This occurs becaus...

8.4CVSS6.1AI score0.00244EPSS
Exploits0References8
cvelist
cvelist
added 6 days ago37 views

CVE-2026-55377 Logto: Account Center MFA management step-up bypass via WebAuthn registration verification

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...

8.1CVSS0.00259EPSS
Exploits0References4
nessus
nessus
added 6 days ago6 views

Devolutions Server 2026.2.4.0 <= 2026.2.9.0 MFA Bypass (DEVO-2026-0023)

The version of Devolutions Server installed on the remote host is 2026.2.4.0 prior or equal to 2026.2.9.0 and is, therefore, affected by an authentication bypass vulnerability: - Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an...

8.8CVSS6.2AI score0.00231EPSS
Exploits0References2
osv
osv
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-534 Sentry's improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the sa...

9.1CVSS5.8AI score0.00623EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50713

Name of the Vulnerable Software and Affected Versions Webmin versions prior to 2.641 Description Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header. This behavior allows the bypass of additional multi-factor authentication MFA...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References9
osv
osv
added 2026/06/17 10:7 p.m.3 views

CVE-2024-24769 Vantage6: No limit on emails sent for password/MFA reset

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a l...

2.1CVSS5.9AI score0.00278EPSS
Exploits0References5
attackerkb
attackerkb
added 2026/06/05 6:5 p.m.11 views

CVE-2026-45749

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical...

8.1CVSS5.5AI score0.00324EPSS
Exploits1References3Affected Software1
ptsecurity
ptsecurity
added 2026/06/05 12:0 a.m.18 views

PT-2026-47021

Name of the Vulnerable Software and Affected Versions Termix versions prior to 2.3.2 Description Termix is a web-based server management platform providing SSH terminal, tunneling, and file editing capabilities. The endpoints "/users/totp/disable" and "/users/totp/backup-codes" allow MFA-critical...

8.1CVSS5.5AI score0.00324EPSS
Exploits1References6
nessus
nessus
added 2026/05/29 12:0 a.m.11 views

Devolutions Server 2026.1.x < 2026.1.19 Multiple Vulnerabilities (DEVO-2026-0013)

The version of Devolutions Server installed on the remote host is 2026.1.x prior to 2026.1.19. It is, therefore, affected by multiple vulnerabilities: - Improper handling of factor key state in the multi-factor authentication management feature allows an attacker with knowledge of a user's passwo...

7.6CVSS5.8AI score0.00215EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/05/28 12:0 a.m.14 views

PT-2026-44419

Name of the Vulnerable Software and Affected Versions Casdoor versions prior to 2.362.1 Description An authentication bypass exists that allows attackers to impersonate users, bypass multifactor authentication, and gain persistent unauthorized access. The issue occurs because the...

9.1CVSS5.8AI score0.00201EPSS
Exploits0References8
hackread
hackread
added 2026/05/22 7:59 p.m.19 views

FBI Warns of Kali365 Phishing Service Targeting Microsoft 365 Account

FBI warns of Kali365, a PaaS scam kit that lets cybercriminals bypass MFA and hijack Microsoft 365 accounts without passwords...

5.8AI score
Exploits0
cnnvd
cnnvd
added 2026/05/12 12:0 a.m.13 views

Parse Server 竞争条件问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were vulnerabilities due to concurrency issues in versions of Parse Server prior to 8.6.76 and 9.9.0-alpha.2. These vulnerabilities stemmed from concurrency...

5.9CVSS5.8AI score0.00236EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/08 12:35 p.m.10 views

CVE-2022-50994 DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit...

9.2CVSS6.6AI score0.01432EPSS
Exploits0References3
veracode
veracode
added 2026/05/08 6:43 a.m.14 views

Improper Authentication

github.com/mattermost/mattermost-server is vulnerable to improper authentication. The vulnerability is due to the failure to enforce multi-factor authentication on WebSocket connections, which allows an unauthenticated attacker to access sensitive information through WebSocket events...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/05/08 12:0 a.m.27 views

PT-2026-38912

Name of the Vulnerable Software and Affected Versions DrayTek Vigor 2960 versions prior to 1.5.1.4 Description An OS command injection issue exists in the CGI login handler. Unauthenticated remote attackers can execute arbitrary commands with web server privileges by injecting shell metacharacter...

9.2CVSS6.1AI score0.01432EPSS
Exploits0References5
nvd
nvd
added 2026/05/05 1:16 p.m.14 views

CVE-2026-28510

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

5.9CVSS0.00254EPSS
Exploits0References2
mssecure
mssecure
added 2026/04/09 3:0 p.m.10 views

Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees

In this article 1. Storm-2755’s attack chain 2. Defending against Storm-2755 and AiTM campaigns 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise Microsoft Incident Response – Detection and Response Team DART researchers observed an emerging, financially motivated...

8.7CVSS6.6AI score0.00759EPSS
Exploits1
redhatcve
redhatcve
added 2026/04/02 4:56 p.m.4 views

CVE-2026-4925

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication MFA configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5CVSS5.9AI score0.00194EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/04/01 3:4 p.m.3 views

CVE-2026-5175

Improper access control in the multi-factor authentication MFA management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from...

5.9AI score0.00254EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/04/01 2:50 p.m.3 views

CVE-2026-4924

Improper authentication in the two-factor authentication 2FA feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session...

5.9AI score0.00326EPSS
Exploits0References1
Rows per page
Query Builder