
1830 matches found

Patchstack
added 2026/05/26 5:22 p.m., 8 views

WordPress Two-factor authentication (formerly IP Vault) plugin <= 2.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin IP Vault – WP Firewall versions <= 2.1...

4.3 CVSS, 5.8 AI score, 0.00139 EPSS
Exploits 0, References 1, Affected Software 1
NVD
added 2026/05/26 5:16 p.m., 10 views

CVE-2026-48896

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2 CVSS, 0.00297 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/05/26 4:45 p.m., 5 views

CVE-2026-48896

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2 CVSS, 5.8 AI score, 0.00297 EPSS
Exploits 0, References 2, Affected Software 1
EUVD
added 2026/05/26 4:45 p.m., 7 views

EUVD-2026-31890

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2 CVSS, 5.8 AI score, 0.00297 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/05/26 4:44 p.m., 6 views

CVE-2026-48897

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2 CVSS, 5.8 AI score, 0.00211 EPSS
Exploits 0, References 2, Affected Software 1
EUVD
added 2026/05/26 4:44 p.m., 10 views

EUVD-2026-31883

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2 CVSS, 5.8 AI score, 0.00211 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/05/26 12:00 a.m., 8 views

PT-2026-43314

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: Insufficient state checks create a vector that allows the bypass of two-factor authentication (2FA) checks. Recommendations: At the moment, there is no information...

8.2 CVSS, 5.8 AI score, 0.00297 EPSS
Exploits 0, References 4
Positive Technologies
added 2026/05/26 12:00 a.m., 7 views

PT-2026-43315

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: Insufficient state checks create a vector that allows the bypass of two-factor authentication (2FA) checks. Recommendations: At the moment, there is no information...

8.2 CVSS, 5.8 AI score, 0.00211 EPSS
Exploits 0, References 3
The Hacker News
added 2026/05/23 4:35 p.m., 24 views

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation. Called staged publishing, the feature is now generally available on...

5.9 AI score
Exploits 0
CNNVD
added 2026/05/21 12:00 a.m., 8 views

Authen::TOTP Security Feature Issue Vulnerability

Authen::TOTP is a two-factor authentication OTP generation and verification tool developed by tchatzi. Versions of Authen::TOTP prior to 0.1.1 contain a security vulnerability stemming from the use of the Perl built-in rand function for generating secrets. This function is predictable...

7.5 CVSS, 5.8 AI score, 0.00416 EPSS
Exploits 0, References 1
Packet Storm News
added 2026/05/20 12:00 a.m., 4 views

Domijn: The Security of Domain Registrars and the Risk of a Domain Name Takeover

Domain names are key assets for organisations. They anchor an organisation's online presence and reputation, and serve as a linking pin for web services and, e.g., email. Consequently, a malicious takeover of a domain can lead to significant damages. Organisations register domain names through...

5.8 AI score
Exploits 0
Cvelist
added 2026/05/15 6:36 p.m., 36 views

CVE-2026-45010 phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.3 CVSS, 0.00339 EPSS
Exploits 0, References 2
ATTACKERKB
added 2026/05/15 6:36 p.m., 3 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

9.1 CVSS, 6 AI score, 0.00339 EPSS
Exploits 0, References 3
OSV
added 2026/05/15 6:34 p.m., 4 views

GHSA-3MV2-VMWH-RWFX AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA, value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

5.7 CVSS, 5.9 AI score, 0.0011 EPSS
Exploits 0, References 3
Snyk
added 2026/05/15 6:34 p.m., 5 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the set.json.php process. An attacker can disable a user's two-factor authentication by tricking a logged-in user into...

6.9 CVSS, 5.8 AI score, 0.0011 EPSS
Exploits 0, References 3
Github Security Blog
added 2026/05/15 6:34 p.m., 11 views

AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA, value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

6.5 CVSS, 5.9 AI score, 0.0011 EPSS
Exploits 0, References 3, Affected Software 1
Nextcloud
added 2026/05/15 9:41 a.m., 10 views

Two-Factor Authentication Bypass via Pending Session Token Replay

None...

5.9 CVSS, 5.8 AI score, 0.0029 EPSS
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/05/15 12:00 a.m., 5 views

PT-2026-43462

Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier. Description: A cross-site request forgery (CSRF) issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters type=set2FA and value=false ...

5.7 CVSS, 5.8 AI score, 0.0011 EPSS
Exploits 0, References 4
CNNVD
added 2026/05/15 12:00 a.m., 8 views

Trog::TOTP Security Feature Issue Vulnerability

Trog::TOTP is a Perl module developed by the individual developer TEODESIAN, which supports time-based one-time password generation and two-factor authentication. Versions of Trog::TOTP prior to 1.006 contain security vulnerabilities. These vulnerabilities stem from the use of the built-in Pe...

7.5 CVSS, 5.8 AI score, 0.00316 EPSS
Exploits 0, References 2
CNNVD
added 2026/05/15 12:00 a.m., 17 views

phpMyFAQ Security Vulnerability

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contain security vulnerabilities. These vulnerabilities stem from the lack of limits on the number of authentication attempts at the /admin/check endpoint, allowing...

9.3 CVSS, 5.8 AI score, 0.00339 EPSS
Exploits 0, References 1