73 matches found

EUVD, added 2026/06/22 1:02 p.m. (7 views)

EUVD-2026-38239

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

CVSS 5.1 | AI score 5.9 | EPSS 0.0033 | Exploits 0 | References 1

The Hacker News, added 2026/05/06 8:34 a.m. (10 views)

Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs

Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft. "According to the functionalities of the CloudZ RAT and Pheno plugin, this was...

AI score 5.9 | Exploits 0

CVE, added 2026/04/29 8:17 a.m. (11 views)

CVE-2026-42514

CVE-2026-42514 affects e-Sushrut HMIS. The issue is exposure of OTPs in plaintext within API responses, enabling a remote attacker to intercept responses containing valid OTPs. If exploited, an attacker could impersonate a target user and gain unauthorized access to user accounts. Metrics indicat...

CVSS 8.8 | AI score 5.5 | EPSS 0.00227 | Exploits 0 | References 1

Cvelist, added 2026/04/29 8:17 a.m. (31 views)

CVE-2026-42514 Sensitive Data Exposure Vulnerability in e-Sushrut HMIS

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...

CVSS 8.8 | EPSS 0.00227 | Exploits 0 | References 1

CNNVD, added 2026/04/29 12:00 a.m. (8 views)

CDAC e-Sushrut Security Vulnerability

CDAC e-Sushrut is a hospital information management and medical-process support platform provided by CDAC, India. A security vulnerability in CDAC e-Sushrut stems from plaintext exposure of OTPs in API responses. This vulnerability could allow...

CVSS 8.8 | AI score 5.8 | EPSS 0.00227 | Exploits 0 | References 1

HackRead, added 2026/04/28 9:33 p.m. (5 views)

New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords

Forcepoint's X-Labs reports an 11-step DHL phishing scam that uses fake OTP codes and EmailJS to harvest user credentials and device telemetry...

AI score 5.3 | Exploits 0

RedhatCVE, added 2026/03/26 3:08 p.m. (4 views)

CVE-2026-33473

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Version 2.2.1 patches the issue...

CVSS 5.7 | AI score 5.8 | EPSS 0.00258 | Exploits 1 | References 1

ATTACKERKB, added 2026/03/24 6:31 p.m. (4 views)

CVE-2026-33627

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

CVSS 7.1 | AI score 5.7 | EPSS 0.00378 | Exploits 0 | References 6 | Affected software 1

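The e-Sushrut (CVE-2026-42514) and Parse Server (CVE-2026-33627) entries above are the same defect seen from two sides: an API handler serialises a stored object wholesale, and OTP codes or MFA secrets ride along in the response. The following is an added example written for this listing, not code from either project: an allow-list serialiser that cannot leak a field added to the record later, and a response walker that a regression test can run over real API responses. USER_RECORD, PUBLIC_FIELDS and the key patterns are constructed assumptions, not either product's schema.

```python
import re

# Constructed user record for this example: the shape a backend might store,
# not an actual e-Sushrut or Parse Server object.
USER_RECORD = {
    "objectId": "u-1001",
    "username": "alice",
    "email": "alice@example.invalid",
    "authData": {
        "mfa": {
            "secret": "JBSWY3DPEHPK3PXP",          # TOTP seed (constructed)
            "recovery": ["8fd2-1a0c", "c71e-99b4"],
        }
    },
    "pendingOtp": {"code": "482913", "expiresAt": 1700000300},
}

# Explicit allow-list of fields a caller may receive (hypothetical policy).
# The defect in both advisories is returning the stored object as-is; an
# allow-list cannot leak a field that is added to the record later.
PUBLIC_FIELDS = ("objectId", "username", "email")


def public_view(record: dict) -> dict:
    """Serialise only allow-listed top-level fields of a user record."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def unsafe_view(record: dict) -> dict:
    """The vulnerable pattern: hand the stored object straight back."""
    return dict(record)


# Heuristics for a test that inspects responses; tune the key list per codebase.
SENSITIVE_KEY = re.compile(r"otp|secret|recovery|token|password", re.I)
OTP_LIKE = re.compile(r"\d{6,8}")


def leaked_paths(obj, path: str = "$", key: str = "") -> list:
    """Return JSON paths of leaves that look like OTPs or MFA secrets.

    A leaf is flagged when the nearest dictionary key matches SENSITIVE_KEY,
    or when it is a 6-8 digit string anywhere under a key containing 'otp'.
    """
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += leaked_paths(v, f"{path}.{k}", k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += leaked_paths(v, f"{path}[{i}]", key)
    else:
        key_hit = SENSITIVE_KEY.search(key) is not None
        otp_hit = (isinstance(obj, str) and OTP_LIKE.fullmatch(obj) is not None
                   and "otp" in path.lower())
        if key_hit or otp_hit:
            hits.append(path)
    return hits


def assert_no_secrets(response: dict) -> None:
    """Fail loudly (e.g. from an API test) if a response exposes OTP material."""
    leaks = leaked_paths(response)
    if leaks:
        raise ValueError(f"response leaks OTP/MFA material at: {', '.join(leaks)}")


if __name__ == "__main__":
    print("unsafe view leaks:", leaked_paths(unsafe_view(USER_RECORD)))
    print("public view leaks:", leaked_paths(public_view(USER_RECORD)))
    assert_no_secrets(public_view(USER_RECORD))
```

Run `assert_no_secrets` against every JSON body an integration test receives from the user and OTP endpoints; the walker reports the path of each leak, which is what makes the failure actionable when the offending field sits three levels down in an `authData` blob.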
Packet Storm News, added 2026/01/27 12:00 a.m. (4 views)

OATH Toolkit 2.6.14

OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit...

AI score 5.9 | Exploits 0

The Hacker News, added 2025/12/12 2:04 p.m. (15 views)

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB)...

AI score 7.5 | Exploits 0

RedhatCVE, added 2025/12/09 12:29 p.m. (29 views)

CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1 | AI score 7 | EPSS 0.00324 | Exploits 0 | References 1

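Three entries in this listing are the same verifier bug in different products: AIL (EUVD-2026-38239) and vulnerability-lookup (CVE-2025-42615) accepted unlimited OTP guesses after the password stage, and Vikunja (CVE-2026-33473) accepted a TOTP a second time inside its 30-second step. Below is an added example written for this page, not code from any of those projects: an RFC 4226/6238 verifier in the vulnerable shape beside a hardened one, with a constructed attacker run against both. RFC_SECRET is the RFC test-vector key so the codes can be checked against the published vectors; MAX_FAILED, LOCKOUT_SECONDS and SKEW_STEPS are hypothetical policy values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 / RFC 6238 reference secret, so hotp()/totp() can be checked
# against the published test vectors (counter 0 -> 755224, time 59 -> 94287082).
RFC_SECRET = b"12345678901234567890"
STEP = 30            # TOTP time step in seconds
SKEW_STEPS = 1       # accept one step either side for clock drift (assumed policy)

# Hypothetical lockout policy for the hardened verifier.
MAX_FAILED = 5
LOCKOUT_SECONDS = 300


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{dbc % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


@dataclass
class SecondFactorState:
    secret: bytes
    failed_attempts: int = 0
    locked_until: int = 0
    last_used_step: int = -1   # highest counter already accepted; enforces single use


def _matching_step(state, code, now):
    """Return the counter whose code matches, else None. Constant-time comparison."""
    if not (len(code) == 6 and code.isascii() and code.isdigit()):
        return None
    current = now // STEP
    for k in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(state.secret, k), code):
            return k
    return None


def verify_vulnerable(state, code, now):
    """The pattern the advisories describe: no attempt limit, no replay check."""
    return (_matching_step(state, code, now) is not None, "checked")


def verify_hardened(state, code, now):
    """Same algorithm plus lockout after MAX_FAILED failures and single-use codes."""
    if now < state.locked_until:
        return False, "locked"
    k = _matching_step(state, code, now)
    if k is not None and k > state.last_used_step:
        state.last_used_step = k
        state.failed_attempts = 0
        return True, "ok"
    # A wrong code and a replay of an already-consumed code are both failures.
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED:
        state.locked_until = now + LOCKOUT_SECONDS
        state.failed_attempts = 0
        return False, "locked"
    return False, ("replay" if k is not None else "wrong")


def run_attack(verify, state, now, wrong_guesses):
    """Constructed attacker input: wrong_guesses bad codes, then the correct one.

    Returns the submission number on which the attacker got in, or None.
    """
    valid = {hotp(state.secret, k)
             for k in range(now // STEP - SKEW_STEPS, now // STEP + SKEW_STEPS + 1)}
    candidates = (f"{i:06d}" for i in range(wrong_guesses + len(valid)))
    guesses = [g for g in candidates if g not in valid][:wrong_guesses]
    guesses.append(totp(state.secret, now))
    for n, g in enumerate(guesses, 1):
        if verify(state, g, now)[0]:
            return n
    return None


def replay_demo(verify, secret, now):
    """Submit the same valid code twice, five seconds apart, inside one step."""
    state = SecondFactorState(secret)
    code = totp(secret, now)
    return verify(state, code, now)[0], verify(state, code, now + 5)[0]


if __name__ == "__main__":
    now = 1_700_000_000
    print("vulnerable, guessing:", run_attack(verify_vulnerable, SecondFactorState(RFC_SECRET), now, 20))
    print("hardened,   guessing:", run_attack(verify_hardened, SecondFactorState(RFC_SECRET), now, 20))
    print("vulnerable, replay:  ", replay_demo(verify_vulnerable, RFC_SECRET, now))
    print("hardened,   replay:  ", replay_demo(verify_hardened, RFC_SECRET, now))
```

Two design points worth noting. With a six-digit code and a three-step acceptance window the vulnerable verifier gives an attacker roughly three chances in a million per guess, so a lockout that triggers after a handful of failures removes almost all of that budget; the hardened path also treats a replay as a failure rather than a no-op, so an intercepted code does not become a free retry. The `last_used_step` comparison is the Vikunja fix in miniature: it must be persisted with the account, not kept per request, or it protects nothing.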
RedhatCVE, added 2025/10/28 12:28 a.m. (6 views)

CVE-2025-61482

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets,...

CVSS 7.2 | AI score 6.8 | EPSS 0.00139 | Exploits 0 | References 1

NVD, added 2025/10/27 3:15 p.m. (8 views)

CVE-2025-61482

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets,...

CVSS 7.2 | EPSS 0.00139 | Exploits 0 | References 2

Positive Technologies, added 2025/10/27 12:00 a.m. (5 views)

PT-2025-43966

Name of the Vulnerable Software and Affected Versions: privacyIDEA Authenticator version 4.3.0. Description: A flaw exists in the handling of OTP/TOTP/HOTP values within the privacyIDEA Authenticator application on Android. A local attacker with root access can bypass two-factor authentication by...

CVSS 7.2 | AI score 6.5 | EPSS 0.00139 | Exploits 0 | References 4

EUVD, added 2025/10/07 12:30 a.m. (6 views)

EUVD-2007-2760

Malware in sbrugna...

CVSS 4.3 | AI score 8.4 | EPSS 0.08654 | Exploits 0 | References 5

EUVD, added 2025/10/03 8:07 p.m. (3 views)

EUVD-2024-21075

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.6 | EPSS 0.0015 | Exploits 0 | References 1

EUVD, added 2025/10/03 8:07 p.m. (5 views)

EUVD-2024-1031

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.4 | EPSS 0.00176 | Exploits 0 | References 4

Tenable Nessus, added 2025/08/24 12:00 a.m. (5 views)

Linux Distros Unpatched Vulnerability : CVE-2007-2768

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a...

CVSS 4.3 | AI score 7.9 | EPSS 0.08654 | Exploits 0 | References 2

Veeam, added 2025/02/26 12:00 a.m. (19 views)

Veeam My Account Portal - MFA Guide

Updated MFA Requirements: Starting July 7, 2026, logging in to Veeam Data Cloud (cloud.veeam.com) using a Veeam Account will require that the Veeam Account have Multi-Factor Authentication (MFA) enabled. Please note: if MFA is already enabled on your Veeam Account, no action is required. When accessin...

AI score 5.9 | Exploits 0

HackRead, added 2025/01/08 12:00 p.m. (6 views)

Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps

SUMMARY: Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools...

AI score 7.5 | Exploits 0