
10 matches found

RedhatCVE
added 2026/06/05 7:40 p.m. | 8 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | AI score 5.5 | EPSS 0.00217
Exploits: 0 | References: 1

NVD
added 2026/05/14 7:16 p.m. | 11 views

CVE-2026-27886

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

CVSS 9.2 | EPSS 0.00612
Exploits: 3 | References: 1

Positive Technologies
added 2026/05/14 12:0 a.m. | 9 views

PT-2026-40972

Name of the Vulnerable Software and Affected Versions: Strapi versions 4.0.0 through 5.36.1. Description: Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible...

CVSS 9.2 | AI score 5.8 | EPSS 0.00612
Exploits: 3 | References: 11

CVE
added 2026/04/23 7:49 p.m. | 92 views

CVE-2026-41276

Flowise (FlowiseAI Flowise) has a REST-authentication bypass vulnerability in the AccountService.resetPassword flow. Before version 3.1.0, an attacker who knows a user’s email can request a password reset with a null/empty token, bypass the need for a valid reset token, and set the user’s passwor...

CVSS 9.8 | AI score 5.8 | EPSS 0.0687
Exploits: 1 | References: 1 | Affected Software: 1

CNNVD
added 2025/07/02 12:0 a.m. | 1 views

WordPress plugin WP Front-end login and register cross-site scripting vulnerability

WP Front-end login and register is a WordPress front-end account management plugin, mainly used to provide user registration, login and password change functions on the front end of a site, without having to switch to the WordPress admin back end. WordPress WP Front-end login and register has a...

CVSS 6.1 | AI score 6.2 | EPSS 0.00207
Exploits: 0 | References: 2

RedhatCVE
added 2025/02/05 9:44 p.m. | 13 views

CVE-2022-24743

Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue ...

CVSS 8.2 | AI score 6.5 | EPSS 0.01232
Exploits: 1 | References: 1

CNNVD
added 2023/03/14 12:0 a.m. | 3 views

Combodo iTop security feature issue vulnerability

Combodo iTop is an open source, ITIL-based web application from the French company Combodo for the daily operation of IT environments. The program provides incident management, configuration management and problem management. A security signature issue vulnerability exists in Combodo...

CVSS 9.8 | AI score 8.2 | EPSS 0.00912
Exploits: 0 | References: 4

Vulnrichment
added 2022/09/23 6:28 p.m. | 5 views

CVE-2022-32211

A SQL injection vulnerability exists in Rocket.Chat v3.18.6, v4.4.4 and v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret...

AI score 7.9 | EPSS 0.01077
Exploits: 1 | References: 1

Hacker One
added 2019/11/13 6:56 p.m. | 146 views

Stripo Inc: Password token leak via Host header

Password token leak via Host header -------------- Vulnerability Description: Token will be leaked by the Server to that third party site and that token can be used by third parties to reset the password and take over the account & directly login in your account Steps To Reproduce: 1 Send reset...

Exploits: 0

myhack58
added 2015/03/10 12:0 a.m. | 23 views

Password retrieve logic vulnerability summary-vulnerability warning-the black bar safety net

0x00 background description Please note these two articles: Password retrieve function there may be a problem Password retrieve function there may be issues supplemented From the above two documents the past six months, recently finishing a password to get back to the mind map, open the collectio...

AI score 7.7
Exploits: 0