
28 matches found

Cvelist
added 2026/04/21 6:30 p.m. · 28 views

CVE-2026-22751 Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions

Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0....

CVSS 4.8 · EPSS 0.00048
Exploits 0 · References 1
Snyk
added 2026/04/17 3:31 p.m. · 3 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the authentication process. An attacker can gain unauthorized access to multiple authenticated...

CVSS 6.9 · AI score 5.8 · EPSS 0.00038
Exploits 0 · References 2
NVD
added 2026/04/15 12:16 p.m. · 0 views

CVE-2026-3590

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...

CVSS 6.5 · EPSS 0.00038
Exploits 0 · References 1
ATTACKERKB
added 2026/04/15 11:00 a.m. · 1 views

CVE-2026-3590

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...

CVSS 6.5 · AI score 5.8 · EPSS 0.00038
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2026/04/15 12:00 a.m. · 5 views

Mattermost Security Vulnerability

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Vulnerabilities exist in Mattermost versions 10.11.12 and earlier of the 10.11.x series, as well as versions 11.5.0 and earlier of the 11.5.x series, 11.4.2 and earlier of the 11.4.x series, and 11.3...

CVSS 6.5 · AI score 5.8 · EPSS 0.00038
Exploits 0 · References 2
OSV
added 2026/04/06 2:49 p.m. · 1 views

BIT-PARSE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated...

CVSS 4.4 · AI score 5.9 · EPSS 0.00019
Exploits 0 · References 6
ATTACKERKB
added 2026/03/31 2:25 p.m. · 2 views

CVE-2026-34224

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVSS 2.1 · AI score 5.8 · EPSS 0.00019
Exploits 0 · References 6 · Affected Software 1
OSV
added 2026/03/31 2:25 p.m. · 0 views

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVSS 2.1 · AI score 5.8 · EPSS 0.00019
Exploits 0 · References 7
Positive Technologies
added 2026/03/29 12:00 a.m. · 2 views

PT-2026-28613

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.64; Parse Server versions prior to 9.7.0-alpha.8. Description: Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA...

CVSS 4.4 · AI score 5.9 · EPSS 0.00019
Exploits 0 · References 12
Metasploit
added 2026/03/13 6:57 p.m. · 178 views

FreePBX filestore authenticated command injection

This module exploits an authenticated command injection vulnerability (CVE-2025-64328) in the FreePBX filestore module. The filestore module allows administrators to configure remote file storage backends (SSH, FTP, etc.) for backup and file management purposes. The vulnerability exists in the SSH...

CVSS 8.6 · AI score 6.1 · EPSS 0.75413
Exploits 4
RedhatCVE
added 2026/01/24 3:17 a.m. · 4 views

CVE-2025-55705

This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration...

CVSS 9.8 · AI score 5.3 · EPSS 0.00026
Exploits 0 · References 1
Vulnrichment
added 2026/01/22 10:32 p.m. · 2 views

CVE-2025-55705 EVMAPA Insufficient Session Expiration

This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration...

CVSS 7.3 · AI score 5.5 · EPSS 0.00026
Exploits 0 · References 2
Snyk
added 2025/12/08 10:20 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the postlogoutredirect parameter in the logout process. An attacker can execute arbitrary JavaScript code in the context ...

CVSS 8 · AI score 5.6 · EPSS 0.00044
Exploits 0 · References 2
Cvelist
added 2025/07/25 12:06 a.m. · 5 views

CVE-2025-0251 HCL IEM is affected by a concurrent login vulnerability

HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks...

CVSS 2.6 · EPSS 0.00142
Exploits 0 · References 1
Positive Technologies
added 2025/07/25 12:00 a.m. · 3 views

PT-2025-30714 · Hcl · Hcl Iem

Name of the Vulnerable Software and Affected Versions: HCL IEM (affected versions not specified). Description: The application allows multiple concurrent sessions using the same user credentials, potentially introducing security risks. Recommendations: At the moment, there is no information about a...

CVSS 2.6 · AI score 6.3 · EPSS 0.00142
Exploits 0 · References 1
OSV
added 2025/03/19 3:15 p.m. · 2 views

CVE-2024-42176

HCL MyXalytics is affected by a concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential, allowing an attacker to potentially obtain access to a user's account or sensitive information...

CVSS 8 · AI score 5.8
Exploits 0 · References 1
NVD
added 2024/10/28 3:15 p.m. · 9 views

CVE-2024-10214

Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 incorrectly issue two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings...

CVSS 3.5 · EPSS 0.00363
Exploits 0 · References 1
Circl
added 2024/03/08 6:26 p.m. · 4 views

CVE-2024-21900

creationtimestamp | type | source
--- | --- | ---
2024-03-08 18:26:58+00:00 | seen | https://t.me/ctinow/203491
2024-03-08 18:32:04+00:00 | seen | https://t.me/ctinow/203503
2024-03-10 08:00:37+00:00 | seen | https://t.me/RussianOSINT/3820
2024-03-11 15:40:05+00:00 | seen | https://t.me/truesecator/5506
...

CVSS 6.5 · AI score 6.3 · EPSS 0.11171
Exploits 0 · References 4
CNNVD
added 2023/12/14 12:00 a.m. · 1 views

Red Hat Keycloak Security Vulnerability

Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A security vulnerability exists in Red Hat Keycloak, which stems from the fact that if an attacker creates two or more user sessions and then...

CVSS 7.7 · AI score 6.9 · EPSS 0.00539
Exploits 1 · References 11
Veracode
added 2022/07/14 7:01 a.m. · 48 views

Denial Of Service (DoS)

org.springframework.security:spring-security-oauth2-client is vulnerable to denial of service (DoS) attacks. An attacker is able to cause resource exhaustion via sending multiple requests initiating the authorization request for the authorization code grant using a single session or multiple...

CVSS 7.5 · AI score 7.4 · EPSS 0.04895
Exploits 0 · References 23 · Affected Software 1