CVE-2026-56450

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

EUVD-2026-38239

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

CVE-2026-56450 AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

GHSA-6VP2-6R7M-2JVX Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

Summary The public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache TTL: 3600 seconds...

CVE-2024-48928 Piwigo's secret key can be brute forced

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...

CVE-2025-11986

The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the register and savenft methods with only a...

EUVD-2025-60927

The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the register and savenft methods with only a...

CVE-2025-11986

CVE-2025-11986 affects the WordPress Crypto Tool plugin (

PT-2025-46266

Name of the Vulnerable Software and Affected Versions Crypto plugin for WordPress versions prior to 2.23 Description The software is susceptible to information exposure due to an unauthenticated AJAX action, wp ajax nopriv crypto connect ajax process, which allows calling the register and savenft...

Evaluating AI Cyber Capabilities with Crowdsourced Elicitation

As AI systems become increasingly capable, understanding their offensive cyber potential is critical for informed governance and responsible deployment. However, it's hard to accurately bound their capabilities, and some prior evaluations dramatically underestimated them. The art of extracting...

PT-2024-34162 · Unknown · Icg.Aspnetcore.Utilities.Cloudstorage

Name of the Vulnerable Software and Affected Versions: ICG.AspNetCore.Utilities.CloudStorage versions prior to 8.0.0 Description: The issue affects users of the ICG.AspNetCore.Utilities.CloudStorage library who set a duration for a SAS Uri with a value other than 1 hour, potentially resulting in ...

CVE-2022-2447

A flaw was found in Keystone. There is a time lag up to one hour in a default configuration between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected...

DEBIAN-CVE-2022-2447

A flaw was found in Keystone. There is a time lag up to one hour in a default configuration between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected...

PT-2022-16707

Name of the Vulnerable Software and Affected Versions Keystone affected versions not specified Description A flaw was found in Keystone, where there is a time lag of up to one hour in the default configuration between when the security policy says a token should be revoked and when it is actually...

Oracle Applications One-Hour Install Detect

We detected the remote web server as an Oracle Applications' One-Hour Install web server. This web server enables attackers to configure your Oracle Application server and Oracle Database server without any need for authentication. OpenVAS Vulnerability Test $Id: oracleonehourinstall.nasl 8023...

Oracle Applications One-Hour Install Detect

We detected the remote web server as an Oracle Applications SPDX-FileCopyrightText: 2001 Noam Rathaus SPDX-FileCopyrightText: 2001 SecuriTeam Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier:...