CVE-2026-45332

Affected software: Automad (flat-file CMS/template engine). Vulnerability: Broken Access Control allowing an unauthenticated attacker to retrieve bcrypt password hashes of all administrator accounts (and, in 2.0.0-beta.27, TOTP secrets) via the publicly accessible /_api/user-collection/create-fir...

Improper Authentication

github.com/zitadel/zitadel is vulnerable to improper authentication. The vulnerability is due to MFA being enforced only when explicitly required by policy, which allows an attacker to bypass additional authentication factors and exploit weaker single-factor sessions, potentially compromising...

CVE-2026-33627

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

EUVD-2026-1040

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVE-2025-55000

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...

CVE-2025-55003

OpenBao CVE-2025-55003 affects OpenBao MFA (TOTP) in versions ≤ 2.3.1, where normalization in the TOTP library allowed whitespace-containing codes to bypass rate limiting and reuse existing MFA codes. The issue is fixed in version 2.3.2. Per the CVE, the exploitation vector is network with low co...

PT-2024-29567 · Craft Cms · Craft Cms

Name of the Vulnerable Software and Affected Versions: Craft CMS versions prior to 5.2.3 Description: Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that th...

CVE-2023-35785

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange...

totp-rs 安全漏洞

totp-rs is a tool for creating 2FA authentication tokens. A security vulnerability exists in versions of totp-rs prior to 1.1.0 that stems from the creation of 2FA authentication tokens for each time-based one-time password TOTP...

django-mfa3 授权问题漏洞

django-mfa3 is a stubborn Django application that handles multi-factor authentication MFA via FIDO2, TOTP and recovery code. A security vulnerability exists in django-mfa3. No information about this vulnerability is available at this time, so please stay tuned to CNNVD or the vendor announcement...

PT-2022-12323 · Gitea · Gitea

Name of the Vulnerable Software and Affected Versions: Gitea versions prior to 1.5.0 Description: The issue allows a malicious user to bypass authentication, potentially gaining privileges. Specifically, it enables the reuse of one-time passwords, including the TOTP code for 2FA, which can be...

CVE-2021-32033

Protectimus SLIM NFC 70 10.01 devices allow a Time Traveler attack in which attackers can predict TOTP passwords in certain situations. The time value used by the device can be set independently from the used seed value for generating time-based one-time passwords, without authentication. Thus, a...

Protectimus SLIM NFC 授权问题漏洞

SLiM Simple Login Manager is a simple, lightweight and easily configurable login manager. A security vulnerability exists in Protectimus SLIM NFC 70, which stems from a Time Traveler attack allowed in Protectimus SLIM NFC 70 version 10.01 devices. An attacker could exploit the vulnerability to be...

DEBIAN-CVE-2020-28924

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limi...

PYSEC-2019-29

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforcescope is false. Users with a role on a project are able to view any other users' credentials,...

PT-2008-1794 · Webportal · Webportal Cms

Name of the Vulnerable Software and Affected Versions: WebPortal CMS version 0.6-beta Description: The issue allows remote attackers to obtain access to any account via a lostpass action because the actions.php file in WebPortal CMS generates predictable passwords containing only the time of day...