EUVD
added 2 days ago, 5 views

EUVD-2026-40950

MCO is vulnerable to Account Denial of Service due to improper implementation of the password reset functionality. Each password reset request invalidates the previously set password as well as previously issued temporary passwords; furthermore, password resets are not limited in any way. An attacker who...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247
Exploits 0 | References 2
CVE
added 2026/06/24 11:53 a.m., 7 views

CVE-2026-56223

Capgo

CVSS 9.3 | AI score 6 | EPSS 0.00244
Exploits 0 | References 2
Cvelist
added 2026/06/24 11:53 a.m., 30 views

CVE-2026-56223 Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

CVSS 9.3 | EPSS 0.00244
Exploits 0 | References 2
NVD
added 2026/06/19 10:16 p.m., 18 views

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

CVSS 9.3 | EPSS 0.00351
Exploits 0 | References 2
CVE
added 2026/06/19 9:39 p.m., 19 views

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw allowing an attacker to register and take control of an account bound to a victim’s unverified email. By enabling two-factor authentication on the pre-registered account, the attacker can read and modify the account’s state and enforce ...

CVSS 9.3 | AI score 5.9 | EPSS 0.00351
Exploits 0 | References 2
Positive Technologies
added 2026/06/19 12:00 a.m., 16 views

PT-2026-51039

Name of the Vulnerable Software and Affected Versions: Cap-go versions prior to 12.128.2. Description: An authentication logic flaw allows an attacker to register and control an account linked to a victim's email address before the email is verified. By enabling two-factor authentication on this...

CVSS 9.3 | AI score 5.9 | EPSS 0.00351
Exploits 0 | References 4
NVD
added 2026/06/17 3:16 p.m., 9 views

CVE-2026-48117

DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed accoun...

CVSS 6.8 | EPSS 0.00184
Exploits 0 | References 1
Vulnrichment
added 2026/06/15 10:07 a.m., 11 views

CVE-2026-49757 OAuth2/OIDC account takeover in AshAuthentication via email-based user matching

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address, an upsert on the email field, or a user-defined sign-in...

CVSS 9.2 | AI score 5.3 | EPSS 0.00563
Exploits 1 | References 5
GithubExploit
added 2026/06/11 2:06 a.m., 58 views

Exploit for Improper Authentication in Pocketbase

CVE-2026-44166 — PocketBase OAuth2 Account Pre-Hijacking Self...

CVSS 7.6 | AI score 5.4 | EPSS 0.00247
Exploits 1
Snyk
added 2026/05/05 9:17 p.m., 7 views

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with the victim's email address using one OAuth2 provider, and then waiting...

CVSS 7.6 | AI score 5.8 | EPSS 0.00247
Exploits 1 | References 2
Positive Technologies
added 2026/04/01 12:00 a.m., 7 views

PT-2026-29593

Name of the Vulnerable Software and Affected Versions: Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4. Description: A flaw in the OAuth authentication process allowed for automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a soci...

CVSS 9.1 | AI score 5.9 | EPSS 0.00455
Exploits 0 | References 9
RedhatCVE
added 2026/03/18 11:49 p.m., 6 views

CVE-2026-32700

A flaw was found in Devise, an authentication solution for Rails. A race condition in the Confirmable module allows a remote attacker to confirm an email address they do not own. By sending two concurrent email change requests, an attacker can desynchronize the confirmation token and unconfirmed...

CVSS 6.8 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 7
OSV
added 2026/03/18 9:16 p.m., 4 views

UBUNTU-CVE-2026-32700

Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option, the default when using...

CVSS 6 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 6
Vulnrichment
added 2026/01/05 8:49 p.m., 5 views

CVE-2025-64425 Coolify has host header injection in forgot password

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will...

CVSS 8.5 | AI score 6.6 | EPSS 0.00356
Exploits 1 | References 2
OpenVAS
added 2025/12/05 12:00 a.m., 9 views

SOGo <= 5.12.4 XSS Vulnerability

SOGo is prone to a cross-site scripting (XSS) vulnerability. Detection script for CPE "cpe:/a:alinto:sogo".

CVSS 6.1 | AI score 6 | EPSS 0.00259
Exploits 2 | References 1
PyPA
added 2025/10/20 8:15 p.m., 11 views

PYSEC-2025-187

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request a password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been...

CVSS 7.1 | AI score 5.7 | EPSS 0.00231
Exploits 0 | References 2 | Affected Software 1
EUVD
added 2025/10/20 8:03 p.m., 6 views

EUVD-2025-35097

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request a password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been...

CVSS 7.1 | AI score 6.4 | EPSS 0.00231
Exploits 0 | References 3
CVE
added 2025/09/02 12:00 a.m., 17 views

CVE-2025-54599

The CVE-2025-54599 entry concerns Bevy Event service versions through 2025-07-22 (used for eBay Seller Events). Affected component is the SSO configuration handling that allows account takeover when a victim changes the configured email address. The root cause is a misconfiguration of SSO, enabli...

CVSS 7.5 | AI score 6.4 | EPSS 0.00388
Exploits 1 | References 3 | Affected Software 1
Snyk
added 2025/01/15 9:25 p.m., 4 views

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication through the SAML SSO implementation process, which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Note: This is...

CVSS 9.1 | AI score 6.8 | EPSS 0.00584
Exploits 0 | References 2
CNNVD
added 2023/05/29 12:00 a.m., 4 views

Citadel security vulnerability

Citadel is an asset management software from Citadel, Inc. in the United States. A security vulnerability exists in Citadel webcit 932, which originates from a vulnerability that allows an attacker to store a victim's email message in the attacker's IMAP mailbox, which can be exploited by an...

CVSS 3.7 | AI score 5.2 | EPSS 0.00665
Exploits 1 | References 4