CVE-2026-20101
8.6
HIGH
EPSS 0.00
Cisco Secure Firewall ASA/FTD - DoS
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
CWE-330
Mar 04, 2026
CVE-2026-28415
4.3
MEDIUM
EPSS 0.00
Gradio <6.6.0 - Open Redirect
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
CWE-200
Feb 27, 2026
CVE-2026-27755
9.8
CRITICAL
EPSS 0.00
SODOLA SL902-SWTGW124AS <200.1.20 - Auth Bypass
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5-based cookies. Attackers who know or guess valid credentials can calculate the session identifier offline and bypass authentication without completing the login flow, gaining unauthorized access to the device.
CWE-330
Feb 27, 2026
CVE-2026-23999
5.5
MEDIUM
EPSS 0.00
Fleet <4.80.1 - Predictable PIN Generation
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known. Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window. However, successful exploitation is constrained by multiple factors: Physical access to the device is required, the approximate lock time must be known, the operating system enforces rate limiting on PIN entry attempts, attempts would need to be spread over, and device wipe operations would typically complete before sufficient attempts could be made. As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls. Version 4.80.1 contains a patch. No known workarounds are available.
CWE-330
Feb 26, 2026
CVE-2026-27637
9.8
CRITICAL
EPSS 0.00
FreeScout <1.8.206 - Auth Bypass
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
CWE-330
Feb 25, 2026
CVE-2024-48928
7.5
HIGH
EPSS 0.00
Piwigo 14.x - Weak Secret Key Vulnerability
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.
CWE-330
Feb 24, 2026
CVE-2025-15574
6.5
MEDIUM
EPSS 0.00
Solax Cloud MQTT - Authentication Bypass
When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.
CWE-330
Feb 12, 2026
CVE-2025-64097
9.8
CRITICAL
EPSS 0.00
NervesHub <2.3.0 - Info Disclosure
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation,
firewalling access to the NervesHub server can help limit exposure until an upgrade is possible.
CWE-330
Jan 22, 2026
CVE-2025-11723
6.5
MEDIUM
EPSS 0.00
Simply Schedule Appointments Booking Plugin <1.6.9.5 - Info Disclosure
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
CWE-330
Jan 06, 2026
CVE-2026-21444
5.5
MEDIUM
EPSS 0.00
libtpms <0.10.2 - Buffer Overflow
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
CWE-330
Jan 02, 2026
CVE-2025-11707
5.3
MEDIUM
EPSS 0.00
Login Lockdown & Protection <2.14 - Auth Bypass
The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP Address. This makes it possible for unauthenticated attackers to bypass blocks due to invalid login attempts.
CWE-330
Dec 13, 2025
CVE-2025-66511
4.8
MEDIUM
EPSS 0.00
Nextcloud Calendar <6.0.3 - Info Disclosure
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.
CWE-330
Dec 05, 2025
CVE-2025-13353
5.5
MEDIUM
EPSS 0.00
gokey <0.2.0 - Info Disclosure
In gokey versions <0.2.0,
a flaw in the seed decryption logic resulted in passwords incorrectly
being derived solely from the initial vector and the AES-GCM
authentication tag of the key seed.
This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.
Impact
This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s
option) are not impacted. The confidentiality of the seed itself is
also not impacted (it is not required to regenerate the seed itself).
Specific impact includes:
* keys/secrets generated from a seed file may have lower entropy: it
was expected that the whole seed would be used to generate keys (240
bytes of entropy input), where in vulnerable versions only 28 bytes was
used
* a malicious entity could have recovered all passwords, generated
from a particular seed, having only the seed file in possession without
the knowledge of the seed master password
Patches
The code logic bug has been fixed in gokey version 0.2.0
and above. Due to the deterministic nature of gokey, fixed versions
will produce different passwords/secrets using seed files, as all seed
entropy will be used now.
System secret rotation guidance
It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0
and above), and provision/rotate these secrets into respective systems
in place of the old secret. A specific rotation procedure is
system-dependent, but most common patterns are described below.
Systems that do not require the old password/secret for rotation
Such systems usually have a "Forgot password" facility or a
similar facility allowing users to rotate their password/secrets by
sending a unique "magic" link to the user's email or phone. In such
cases users are advised to use this facility and input the newly
generated password secret, when prompted by the system.
Systems that require the old password/secret for rotation
Such systems usually have a modal password rotation window
usually in the user settings section requiring the user to input the
old and the new password sometimes with a confirmation. To
generate/recover the old password in such cases users are advised to:
* temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password
* use gokey version 0.2.0 or above to generate the new password
* populate the system provided password rotation form
Systems that allow multiple credentials for the same account to be provisioned
Such systems usually require a secret or a cryptographic
key as a credential for access, but allow several credentials at the
same time. One example is SSH: a particular user may have several
authorized public keys configured on the SSH server for access. For such
systems users are advised to:
* generate a new secret/key/credential using gokey version 0.2.0 or above
* provision the new secret/key/credential in addition to the existing credential on the system
* verify that the access or required system operation is still possible with the new secret/key/credential
* revoke authorization for the existing/old credential from the system
Credit
This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.
CWE-330
Dec 02, 2025