15 matches found
CVE-2026-42866
Tookie is an advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's writetxt, writecsv, writejson, and commented-but-shipping scanfile helpers open their output as openf"user.", where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A userna...
OpenClaw Telegram allowlist authorization accepted mutable usernames
Summary: Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs. Impact: Operators who treat Telegram allowlists as strict identity controls could unintentionally grant access if a username changes hands (identity rebinding/spoof risk). Th...
EUVD-2025-206614
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing an unauthenticated attacker who knows a user's username (such as an administrator's) to reset that user's password with a few requests and therefore gain access to their account...
CVE-2025-15030
CVE-2025-15030 affects the WordPress plugin User Profile Builder up to version 3.15.2. The vulnerability arises from an improper password reset flow, allowing unauthenticated actors to reset any user’s password by supplying a username (e.g., administrator) and a crafted request; no valid reset to...
PT-2026-5609
Name of the Vulnerable Software and Affected Versions: User Profile Builder WordPress plugin versions prior to 3.15.2. Description: The User Profile Builder WordPress plugin does not have a secure password reset process. This allows unauthenticated requests to reset the password for any user,...
CVE-2025-14975
The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing an unauthenticated attacker who knows a user's username (such as an administrator's) to reset that user's password with a few requests and therefore gain access to their account...
EUVD-2025-206542
The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing an unauthenticated attacker who knows a user's username (such as an administrator's) to reset that user's password with a few requests and therefore gain access to their account...
CVE-2025-62510
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some...
CVE-2023-49259
The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time...
PT-2024-13716 · Hongdian · H8951-4G-Esp +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The authentication cookies are generated using an algorithm based on the username, a hardcoded secret, and the up-time, and can be guessed in a reasonab...
CVE-2023-25403
CleverStupidDog yf-exam v1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username-format characters. For any user who logged in within the last 24 hours, a token can be forged from their username to bypass authentication...
CVE-2016-10833
cPanel before 55.9999.141 mishandles username-based blocking for PRE requests in cPHulkd (SEC-104)...
Juniper DX cross-site scripting
Web administration system log cross-site scripting through username...
PT-2005-1470 · Citrusdb · Citrusdb
Name of the Vulnerable Software and Affected Versions: CitrusDB versions 0.3.6 and earlier Description: The issue allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in t...