5 matches found
CVE-2026-56081
Cap-go before 12.128.2 contains an authentication logic flaw allowing an attacker to register and take control of an account bound to a victim’s unverified email. By enabling two-factor authentication on the pre-registered account, the attacker can read and modify the account’s state and enforce ...
CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...
PT-2026-43349
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover Pre-ATO vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with the victim's email address using one OAuth2 provider, and then waiting...
Improper Authentication
Overview github.com/pocketbase/pocketbase/forms is a realtime backend in 1 file Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with...