CVE-2026-31476

In the Linux kernel component ksmbd, CVE-2026-31476 describes a logic flaw where a multichannel session binding request that fails (for example, due to a wrong password) could cause the targeted session to be marked SMB2_SESSION_EXPIRED. Because the failed binding may reference a session from ano...

CVE-2026-31476 ksmbd: do not expire session on binding failure

In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails e.g. wrong password, the error path unconditionally sets sess-state = SMB2SESSIONEXPIRED. However, during binding, sess points to t...

PT-2026-34381

In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails e.g. wrong password, the error path unconditionally sets sess-state = SMB2 SESSION EXPIRED. However, during binding, sess points to...

Linux Distros Unpatched Vulnerability : CVE-2026-31476

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ksmbd: do not expire session on binding failure When a multichannel session binding request fails e.g. wrong password, the error path unconditionally sets...

CVE-2025-68402

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. passwordverify is currently being called with a constructed string SHA-256 nonce + part of a bcrypt hash instead of the raw user password. Due to bcrypt’s 72-byte...

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...

EUVD-2025-32508

For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one...

CVE-2021-20598

Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions allows a remote unauthenticated attacker to lockout a legitimate user by continuously trying login with incorrect...

CVE-2022-47070

NVS365 V01 is vulnerable to Incorrect Access Control. After entering a wrong password, the url will be sent to the server twice. In the second package, the server will return the correct password information...

CVE-2022-0143 LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management IDM and Remote Connector Server RCS...

CVE-2022-34174

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm...

Default credentials

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm...

Mitsubishi Electric MELSEC iQ-R series 授权问题漏洞

The Mitsubishi Electric MELSEC iQ-R series is a programmable logic controller from Mitsubishi Electric, Japan. An authorization issue vulnerability exists in the Mitsubishi Electric MELSEC iQ-R series, which arises from a flaw in the logic of the product login module. An attacker could lock out a...

CVE-2017-6900

An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue is with the login script and wrongpass Python script used for authentication. When calling wrongpass, the variables $VAL0 and $VAL1 should be enclosed in quotes to prevent the potential for Bash command injection. Further to...

CVE-2019-7639

An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29. If PermitPAMUserChange is set to yes in the /etc/gsissh/sshdconfig file, logins succeed with a valid username and an incorrect password, even though a failure entry is recorded in the /var/log/messages file...

CVE-2017-7898

An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions;...

Fedora 25 : php-pecl-zip (2016-ea58a428a1)

Version 1.13.5 - Fixed bug php72660 NULL pointer dereference in zendvirtualcwd. Laruence - Fixed bug php68302 impossible to compile php with zip support. cmb - Fixed bug php70752 Depacking with wrong password leaves 0 length files. cmb Note that Tenable Network Security has extracted the precedin...