
23 matches found

ATTACKERKB
added 2026/03/19 3:47 p.m., 1 view

CVE-2026-32865

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing...

CVSS 9.8, AI score 5.9, EPSS 0.00062
Exploits: 0, References: 3
Positive Technologies
added 2026/03/19 12:00 a.m., 2 views

PT-2026-26307

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing...

CVSS 9.8, AI score 5.9, EPSS 0.00062
Exploits: 0, References: 8
NVD
added 2026/03/07 3:15 p.m., 1 view

CVE-2026-29067

ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password rese...

CVSS 9.3, EPSS 0.00015
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/07 3:12 p.m., 1 view

CVE-2026-29067

ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password rese...

CVSS 8.1, AI score 5.7, EPSS 0.00015
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2026/03/07 3:12 p.m., 9 views

CVE-2026-29067

ZITADEL (open source identity management) versions 4.0.0-rc.1 through 4.7.0 have a vulnerability in the password reset flow (login V2). The system uses the Forwarded or X-Forwarded-Host header to build the password reset confirmation URL sent by email, which could lead to improper confirmation li...

CVSS 9.3, AI score 5.7, EPSS 0.00015
Exploits: 0, References: 1, Affected Software: 1
Github Security Blog
added 2026/03/07 2:31 a.m., 5 views

FUXA has a hardcoded fallback JWT signing secret

FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...

CVSS 9.8, AI score 5.7, EPSS 0.04529
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/01/26 11:36 p.m., 1 view

GHSA-8HF7-H89P-3PQJ MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field

Summary A Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from elements is rendered in HTML reports without...

CVSS 8.1, AI score 6.1, EPSS 0.00025
Exploits: 1, References: 5
RedhatCVE
added 2025/06/01 6:35 a.m., 6 views

CVE-2025-48936

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVSS 8.8, AI score 7.5, EPSS 0.00186
Exploits: 0, References: 1
OSV
added 2025/05/30 6:30 a.m., 1 view

CVE-2025-48936 ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVSS 8.1, AI score 7.2, EPSS 0.00186
Exploits: 0, References: 4
Schneier on Security
added 2024/04/29 11:07 a.m., 12 views

Whale Song Code

During the Cold War, the US Navy tried to make a secret code out of whale song. The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer--the Combo Signal Recognizer CSR--would detect the specif...

AI score 7.6
Exploits: 0
OSV
added 2024/03/06 11:22 a.m., 13 views

BIT-GITLAB-2020-13304

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The same 2-factor authentication secret code was generated, which allowed an attacker to maintain access under certain conditions...

CVSS 7.2, AI score 6.8, EPSS 0.0029
Exploits: 0, References: 4
The Hacker News
added 2023/12/01 10:04 a.m., 21 views

WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password

Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform. The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone o...

AI score 7.4
Exploits: 0
Vulnrichment
added 2023/11/30 4:45 a.m., 11 views

CVE-2023-49097 ZITADEL vulnerable account takeover via malicious host header injection

ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicio...

CVSS 8.1, AI score 7.3, EPSS 0.00385
Exploits: 1, References: 1
Cvelist
added 2023/11/30 4:45 a.m., 19 views

CVE-2023-49097 ZITADEL vulnerable account takeover via malicious host header injection

ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicio...

CVSS 8.1, AI score 9, EPSS 0.00385
Exploits: 1, References: 1
Packet Storm
added 2023/07/02 12:00 a.m., 196 views

Amazon S3 Droppy 1.4.6 Shell Upload

Title : Amazon S3 Droppy v 1.4.6 File Upload Vulnerability | Author : indoushka | email : [email protected] | Tested on : windows 10 Français V.Pro | Vendo...

AI score 7.1
Exploits: 0
wpexploit
added 2022/08/09 12:00 a.m., 260 views

Simple Single Sign On <= 4.1.0 - Authentication Bypass

The plugin leaks its OAuth client secret, which could be used by attackers to gain unauthorized access to the site. When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...

CVSS 7.5, AI score 2, EPSS 0.00271
Exploits: 2, References: 1
OSV
added 2020/09/14 10:15 p.m., 1 view

UBUNTU-CVE-2020-13304

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The same 2-factor authentication secret code was generated, which allowed an attacker to maintain access under certain conditions...

CVSS 7.2, AI score 7.1, EPSS 0.0029
Exploits: 0, References: 3
OSV
added 2017/11/22 7:29 p.m., 1 view

CVE-2017-8173

Maya-L02, VKY-L09, VTR-L29, Vicky-AL00A, Victoria-AL00A, Warsaw-AL00 smart phones with software earlier than Maya-L02C636B126 versions, earlier than VKY-L29C10B151 versions, earlier than VTR-L29C10B151 versions, earlier than Vicky-AL00AC00B162 versions, earlier than Victoria-AL00AC00B167 versions, earli...

CVSS 4.6, AI score 5.8, EPSS 0.00023
Exploits: 0, References: 1
CNVD
added 2017/11/20 12:00 a.m., 1 view

Android Qualcomm WLAN Information Disclosure Vulnerability (CNVD-2017-34647)

Android on Google Pixel and Nexus is a Linux-based open source operating system for the Google Pixel and Nexus smartphones developed by Google Inc. and the Open Handset Alliance OHA, with Qualcomm WLAN being one of the components used. Qualcomm WLAN is a wireless LAN component developed by Qualco...

CVSS 7.5, AI score 6.4, EPSS 0.00117
Exploits: 0, References: 1
CNVD
added 2017/07/17 12:00 a.m., 1 view

FRP bypass vulnerability in multiple Huawei phones

Maya-L02, VKY-L09, Vicky-AL00A, Warsaw-AL00 are all smartphones from Huawei. Several Huawei phones are vulnerable to an FRP bypass vulnerability. The attacker can bypass the FRP function by entering the configuration process through a secret code during the FRP reset of the phone and performi...

CVSS 4.6, AI score 5.1, EPSS 0.00023
Exploits: 0, References: 1