Lucene search
K

36 matches found

Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/11 6:49 p.m.8 views

CVE-2026-47181 PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a...

8.7CVSS5.3AI score0.00251EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/04 12:46 p.m.6 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS5.8AI score0.00217EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.8 views

FOSSBilling 安全漏洞

FOSSBilling is an open-source billing and customer management platform for hosting service providers and digital service providers. Versions of FOSSBilling prior to 0.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the password reset confirmation endpoint being...

6.3CVSS5.3AI score0.00217EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/28 2:13 p.m.8 views

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

8.8CVSS5.8AI score0.00324EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/20 3:45 p.m.29 views

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS0.00294EPSS
Exploits0References4
NVD
NVD
added 2026/04/15 8:16 p.m.6 views

CVE-2026-33877

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...

3.7CVSS0.00365EPSS
Exploits1References2
CVE
CVE
added 2026/04/03 3:35 p.m.20 views

CVE-2026-25043

Budibase (open‑source low‑code platform) has a vulnerability in the password reset flow prior to v3.23.25 due to absence of rate limiting, CAPTCHA, or abuse prevention on the Forgot Password endpoint. An unauthenticated attacker can flood a single email address with password‑reset requests, causi...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.4 views

CVE-2026-31881

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

9.8CVSS5.9AI score0.0043EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/10 6:31 p.m.4 views

EUVD-2025-208507

Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31...

9.4CVSS5.8AI score0.00389EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 12:0 a.m.2 views

CVE-2025-69614

Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31...

5.8AI score0.00389EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/04 1:57 a.m.5 views

CVE-2026-28358

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3...

6.9CVSS5.8AI score0.00601EPSS
Exploits0References1
OSV
OSV
added 2026/03/02 4:16 p.m.4 views

CVE-2026-28358 NocoDB: User Enumeration via Password Reset Endpoint

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3...

6.9CVSS5.8AI score0.00601EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/02 12:0 a.m.5 views

NocoDB 安全漏洞

NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.3 contained a security vulnerability. This vulnerability stemmed from the password reset endpoint returni...

6.9CVSS5.9AI score0.00601EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/25 10:19 p.m.5 views

CVE-2025-62512

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at...

6.9CVSS5.5AI score0.00766EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/02/24 12:0 a.m.7 views

PT-2026-21770

Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 15.5.0 Description Piwigo is a photo gallery application for the web. The password reset functionality allows an unauthenticated attacker to determine if a given username or email address exists in the system. The...

6.9CVSS5.3AI score0.00766EPSS
Exploits1References7
Tenable Nessus
Tenable Nessus
added 2026/01/30 12:0 a.m.6 views

SmarterMail < 100.0.9511 Auth Bypass (CVE-2026-23760)

The version of SmarterTools SmarterMail installed on the remote host is prior to 100.0.9511. It is, therefore, affected by an authentication bypass vulnerability. SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The...

9.8CVSS8AI score0.96268EPSS
Exploits3References3
Veracode
Veracode
added 2025/10/22 3:44 a.m.8 views

Improper Access Control

flaskappbuilder is vulnerable to improper access control. The vulnerability is due to the password reset endpoint remaining accessible when using OAuth, LDAP, or other non-database authentication methods, which allows an attacker to reset passwords and create valid JWT tokens even for disabled us...

6.5CVSS7.3AI score0.00376EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-13659

Malicious code in bioql PyPI...

5.3CVSS6.5AI score0.00317EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2025/09/30 12:0 a.m.5 views

PT-2025-39957

Name of the Vulnerable Software and Affected Versions LatePoint plugin for WordPress versions through 5.1.94 Description The software is susceptible to Cross-Site Request Forgery due to the absence of nonce validation. This occurs on the change password function within the customer cabinet change...

8.8CVSS6.6AI score0.00204EPSS
Exploits0References10
Rows per page
Query Builder