Lucene search
K

7 matches found

CVE
CVE
added 2026/06/24 8:29 p.m.19 views

CVE-2026-52809

Gogs (CVE-2026-52809) generates password-reset tokens using the ActivateCodeLives lifetime, not the configured ResetPasswordCodeLives. As a result, even if an admin sets a short RESET_PASSWORD_CODE_LIVES (e.g., 10 minutes), reset tokens remain valid for the full activation lifetime (e.g., 180 min...

6.8CVSS5.9AI score0.00202EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 8:29 p.m.29 views

CVE-2026-52809 Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

6.8CVSS0.00202EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/04/22 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-31523

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may...

4.7CVSS6AI score0.00089EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/11 6:37 p.m.32 views

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7CVSS0.0043EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/11 6:37 p.m.1 views

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7CVSS5.9AI score0.0043EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.5 views

PT-2026-24792

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7CVSS5.9AI score0.0043EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2025/09/29 12:0 a.m.5 views

CVE-2025-56234

ATNA2000 from Nanda Automation Technology vendor has a denial-of-service vulnerability. For the processing of TCP RST packets, PLC ATNA2000 has a wide acceptable range of sequence numbers. It does not require the sequence number to exactly match the next expected sequence value, just to be within...

6.5AI score0.00312EPSS
Exploits0References1
Rows per page
Query Builder