Lucene search
+L

79 matches found

circl
circl
added 2026/07/06 5:19 p.m.5 views

CVE-2026-52889

creationtimestamp| type| source ---|---|--- 2026-07-06 17:19:00+00:00| seen| https://bsky.app/profile/suriq.io/post/3mpylw6zxqa23 2026-07-06 17:28:04+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mpymggmgx42r...

5.9AI score
Exploits0References2
nvd
nvd
added 2026/06/30 2:16 p.m.11 views

CVE-2026-35098

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS0.00323EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/30 1:37 p.m.37 views

CVE-2026-35098 Improper Restriction of Excessive Authentication Attempts in KTM System e-BOK

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS0.00323EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/30 1:37 p.m.8 views

CVE-2026-35098

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS5.8AI score0.00323EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/06/30 1:37 p.m.6 views

CVE-2026-35097

KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters. This issue was fixed in the patch published in June 2026...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/06/30 1:37 p.m.9 views

CVE-2026-35097 Weak Password Requirements in KTM System e-BOK

KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters. This issue was fixed in the patch published in June 2026...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References2
cve
cve
added 2026/06/30 1:37 p.m.16 views

CVE-2026-35098

KTM System e-BOK is affected by CVE-2026-35098 due to no rate limiting on login attempts, enabling brute-force attacks for user accounts. When paired with CVE-2026-35097 (six-digit numeric passwords), the risk increases. A patch was released in June 2026 to fix this issue. The CVSS metrics from C...

6.9CVSS5.8AI score0.00323EPSS
Exploits0References2
cve
cve
added 2026/06/30 1:37 p.m.12 views

CVE-2026-35097

The CVE affects KTM System e-BOK, where the password policy allows only numeric passwords up to six digits. Root cause is a restricted character set and short max length, resulting in weak credential requirements. The issue has been addressed by a patch published in June 2026. Remediation recomme...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References2
euvd
euvd
added 2026/06/30 1:37 p.m.9 views

EUVD-2026-40325

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS5.8AI score0.00323EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/06/05 7:11 p.m.9 views

CVE-2026-8760

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otplloginaction was placed only inside the OTP-generation branch and is never...

9.8CVSS5.4AI score0.00595EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/05/28 8:12 p.m.12 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.3CVSS6AI score0.00339EPSS
Exploits0References1
cve
cve
added 2026/05/27 5:31 a.m.28 views

CVE-2026-8760

The CVE-2026-8760 issue affects the Login with OTP WordPress plugin, vulnerable in all versions up to and including 1.6. The root cause is an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added in otpl_login_action() is applied only in the OTP-generation path and is not evaluate...

9.8CVSS5.7AI score0.00595EPSS
Exploits0References10
euvd
euvd
added 2026/05/27 5:31 a.m.14 views

EUVD-2026-32084

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otplloginaction was placed only inside the OTP-generation branch and is never...

9.8CVSS7.2AI score0.00628EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/05/27 12:0 a.m.13 views

PT-2026-43506

Name of the Vulnerable Software and Affected Versions Login with OTP plugin for WordPress versions prior to 1.7 Description An authentication bypass exists due to an incomplete fix in the otpl login action function. The rate-limit and lockout checks are only applied during the OTP generation phas...

9.8CVSS5.8AI score0.00595EPSS
Exploits0References15
nvd
nvd
added 2026/05/15 7:17 p.m.31 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.3CVSS0.00339EPSS
Exploits0References2
euvd
euvd
added 2026/05/15 6:36 p.m.16 views

EUVD-2026-30595

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.1CVSS6AI score0.00339EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/05/15 6:36 p.m.6 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.1CVSS6AI score0.00339EPSS
Exploits0References3
osv
osv
added 2026/05/06 8:42 p.m.8 views

GHSA-9PQ7-MFWH-XX2J phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id

Summary The /admin/check endpoint in AuthenticationController implements SkipsAuthenticationCheck, making it reachable without any prior authentication. An anonymous attacker Bob can POST arbitrary user-id and token values to brute-force any user's 6-digit TOTP code. No rate limiting exists. The...

9.1CVSS6.1AI score0.00339EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/04/02 10:53 a.m.7 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/04/01 6:0 a.m.5 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References1
Rows per page
Query Builder