Lucene search
K

91 matches found

NVD
NVD
added 2 days ago6 views

CVE-2026-53642

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address emailapproved = 0 can access all client-area pages e.g. /client/balance,...

5.3CVSS0.00226EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-53642

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address emailapproved = 0 can access all client-area pages e.g. /client/balance,...

5.3CVSS6AI score0.00226EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 6:11 p.m.35 views

CVE-2026-54320 Daytona: Cross-tenant organization takeover via invitation acceptance with an unverified email

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and...

8.4CVSS0.00215EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:11 p.m.8 views

CVE-2026-54320

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and...

8.4CVSS6.2AI score0.00215EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/23 6:11 p.m.17 views

CVE-2026-54320

CVE-2026-54320 refers to Daytona’s cross-tenant takeover vulnerability prior to version 0.184.0. The issue allowed an unverified email that matched an invitation’s target to accept it (or decline) and join the target organization, since invitation acceptance/declination did not require email veri...

8.4CVSS6.2AI score0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 1:16 p.m.12 views

CVE-2025-71337

Flowise before 3.0.10 affected versions 3.0.7 and earlier contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the...

8.7CVSS0.00296EPSS
Exploits1References2
CVE
CVE
added 2026/06/23 12:12 p.m.13 views

CVE-2025-71337

CVE-2025-71337 affects Flowise before 3.0.10 (impacted: 3.0.7 and earlier). A authenticated user can change the account email via the account profile endpoint without confirming the change to the original email or re-entering the current password, enabling potential account takeover and abuse of ...

8.7CVSS5.8AI score0.00296EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 12:12 p.m.35 views

CVE-2025-71337 Flowise - Unverified Email Change via Account Profile Endpoint

Flowise before 3.0.10 affected versions 3.0.7 and earlier contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the...

8.7CVSS0.00296EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.25 views

PT-2026-51579

🚨 CVE-2026-54320 Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates user...

8.4CVSS6.2AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51490

Name of the Vulnerable Software and Affected Versions Flowise versions 3.0.7 and earlier Description An authenticated user can change the account email address, which serves as the login identifier and password-recovery channel, via the account profile endpoint. This process occurs without...

8.7CVSS5.8AI score0.00296EPSS
Exploits1References8
NVD
NVD
added 2026/06/19 10:16 p.m.24 views

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

9.3CVSS0.00351EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 9:39 p.m.20 views

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw allowing an attacker to register and take control of an account bound to a victim’s unverified email. By enabling two-factor authentication on the pre-registered account, the attacker can read and modify the account’s state and enforce ...

9.3CVSS5.9AI score0.00351EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/19 9:39 p.m.19 views

CVE-2026-56081 Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

9.3CVSS0.00351EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/13 12:34 a.m.13 views

EUVD-2026-36629

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS5.4AI score0.00258EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 10:16 p.m.12 views

CVE-2026-53868

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS0.00258EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:57 p.m.5 views

CVE-2026-53868 Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS5.5AI score0.00258EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:57 p.m.29 views

CVE-2026-53868 Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:57 p.m.25 views

CVE-2026-53868

Capgo before 12.128.2 contains a denial-of-service vulnerability where attackers can register accounts with arbitrary, unverified emails and then delete them, causing pending deletions that lock legitimate users out for up to 30 days. Root cause: unverified email ownership in account lifecycle op...

8.7CVSS5.5AI score0.00258EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.10 views

PT-2026-49045

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A denial of service issue exists where attackers can register accounts using arbitrary email addresses without verification. By initiating the deletion process for these accounts, attackers can lock...

8.7CVSS5.4AI score0.00258EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/01 10:4 p.m.18 views

CVE-2026-9092

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the emailverified claim from upstream providers; the idp.UserInfo struct does not even...

9.1CVSS5.8AI score0.00316EPSS
Exploits0References1
Rows per page
Query Builder