11 matches found

ATTACKERKB, added 3 days ago, 4 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | AI score 5.8 | EPSS 0.00041
Exploits 0 | References 3 | Affected software 1
Vulnrichment, added 3 days ago, 6 views

CVE-2026-43926 FOSSBilling's password reset confirmation endpoint lacks rate limiting

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | AI score 5.8 | EPSS 0.00041
Exploits 0 | References 2
Positive Technologies, added 3 days ago, 11 views

PT-2026-46229

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 | AI score 5.8 | EPSS 0.00041
Exploits 0 | References 3
OSV, added 2026/01/22 2:57 p.m., 4 views

CVE-2025-64097 NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force

NervesHub is a web service that allows users to manage over-the-air OTA firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens...

CVSS 9.5 | AI score 5.7 | EPSS 0.00022
Exploits 0 | References 5
CVE, added 2026/01/22 2:57 p.m., 6 views

CVE-2025-64097

NervesHub (OTA firmware management service) is affected by CVE-2025-64097 due to tokens used for user/API authentication having a predictable format from 1.0.0 up to 2.3.0. The root cause is insufficient entropy in tokens, allowing brute-forcing to gain unauthorized access to user accounts or API...

CVSS 9.8 | AI score 5.6 | EPSS 0.00022
Exploits 0 | References 3 | Affected software 1
Cvelist, added 2026/01/22 2:57 p.m., 22 views

CVE-2025-64097 NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force

NervesHub is a web service that allows users to manage over-the-air OTA firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens...

CVSS 9.5 | EPSS 0.00022
Exploits 0 | References 3
Cvelist, added 2025/05/23 10:20 a.m., 9 views

CVE-2025-3895 Low token entropy in MegaBIP

Tokens used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. This allows an unauthenticated attacker who knows user login names to brute-force these tokens and change account passwords, including those belonging to...

CVSS 9.1 | EPSS 0.00621
Exploits 0 | References 3
Vulnrichment, added 2025/05/23 10:20 a.m., 5 views

CVE-2025-3895 Low token entropy in MegaBIP

Tokens used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. This allows an unauthenticated attacker who knows user login names to brute-force these tokens and change account passwords, including those belonging to...

CVSS 9.1 | AI score 6.6 | EPSS 0.00621
Exploits 0 | References 3
CNNVD, added 2023/07/03 12:00 a.m., 2 views

Ovarro TBox RTUs security feature issue vulnerability

Ovarro TBox RTUs are a modular remote monitoring and automation solution from Ovarro Germany. Ovarro TBox RTUs suffer from a security signature issue vulnerability that arises from the use of insufficient entropy to generate software security tokens, where the random seed used to generate the...

CVSS 5.9 | AI score 6.1 | EPSS 0.00143
Exploits 0 | References 2
Hacker One, added 2019/01/14 8:22 p.m., 18 views

Dropbox: Significant Two step verification Authentication Bypass

This report described a concern with our “Trust this Computer” feature in Dropbox web sign in. The way our “Trust this Computer” feature works, at a high level, is that while authenticating using 2FA, the user can request that this device be trusted in the future so they don’t have to use 2FA...

AI score 0.5
Exploits 0
OSV, added 2017/06/22 9:29 p.m., 10 views

CVE-2017-0897

ExpressionEngine version 2.x 2.11.8 and version 3.x 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution...

CVSS 7.5 | AI score 7.7
Exploits 0 | References 5