EUVD-2026-22915

Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...

GHSA-MH4X-RMRX-3HP4 Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement

Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...

Mattermost 安全漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Vulnerabilities exist in Mattermost versions 10.11.12 and earlier of the 10.11.x series, as well as versions 11.5.0 and earlier of the 11.5.x series, 11.4.2 and earlier of the 11.4.x series, and 11.3...

Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.5.0-RC1 to 4.16.18 and 5.0.0-RC1 to 5.8.22 of Craft CMS have security vulnerabilities. These vulnerabilities stem from TOCTOU race conditions in the token verification service, which may allow a single-use...

EUVD-2024-32087

Malicious code in bioql PyPI...

Improper Authorization

authentik is vulnerable to Improper Authorization. The vulnerability is due to missing session validation for single-use tokens in RAC endpoints, which allows an attacker to reuse a valid token from a shared URL to access another user’s session...

CVE-2025-53709

Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service only installed on a small number of environments. Under specific circumstances, privileged users of secure-upload could have selected email templates not necessarily...

CVE-2024-3501

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...

CVE-2024-3501

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...

CVE-2024-3501 Exposure of Sensitive Information in lunary-ai/lunary

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...

CVE-2024-3501 Exposure of Sensitive Information in lunary-ai/lunary

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...

PT-2024-26289 · Lunary Ai · Lunary

Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions up to and including 1.2.5 Description: An information disclosure issue exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens,...