72 matches found
EUVD-2026-34153
Mercusys AC12G EU V1 with firmware AC12GEUV1200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network...
CVE-2026-35675
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...
Weak Password Recovery Mechanism for Forgotten Password
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the updatePassword function. An attacker can enumerate valid user accounts and forcibly chan...
CVE-2026-31242
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...
PT-2026-40129
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...
CVE-2026-24468
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...
CVE-2026-24468
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...
EUVD-2026-23883
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...
CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...
CVE-2026-24468
OpenAEV versions prior to 2.0.13 expose an account-enumeration flaw via the /api/reset login parameter. If the email does not exist, the API returns 400 Bad Request; if the email exists, it returns 200. This observable response difference enables an attacker to reliably determine which emails are...
PT-2026-33788
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...
OpenAEV 安全漏洞
OpenAEV is an open-source personal planning platform under the OpenAEV Platform. Versions of OpenAEV from 1.11.0 to 2.0.13 contained security vulnerabilities. These vulnerabilities stemmed from differences in responses made by the/api/reset endpoint for valid and invalid usernames, which could...
CVE-2026-33877
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...
CVE-2026-35660 OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...
CVE-2026-35660
OpenClaw is affected by a vulnerability in the Gateway agent’s /reset endpoint, prior to version 2026.3.23. The flaw grants callers with operator.write permission the ability to reset admin sessions by invoking /reset or /new with an explicit sessionKey, bypassing operator.admin requirements and ...
EUVD-2026-21466
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...
PT-2026-31971
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.23 contained security vulnerabilities. These vulnerabilities stemmed from insufficient access control in the Gateway proxy/reset endpoint, which could allow callers with the...
CVE-2026-25043
Budibase (open‑source low‑code platform) has a vulnerability in the password reset flow prior to v3.23.25 due to absence of rate limiting, CAPTCHA, or abuse prevention on the Forgot Password endpoint. An unauthenticated attacker can flood a single email address with password‑reset requests, causi...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the agent process when the /reset or /new endpoints are accessed with only operator.write permissions. An attacker can gain unauthorized administrative access by...