Nicolas CARPi

4 exploits Active since Jun 2021
CVE-2026-28510 WRITEUP MEDIUM WRITEUP
elabftw allows MFA bypass during login
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
CVSS 5.9
CVE-2021-32698 WRITEUP MEDIUM WRITEUP
elabftw < 4.0.0 - Blind Server-Side Request Forgery
eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. Issue has been patched in eLabFTW 4.0.0.
CVSS 6.8
CVE-2021-41171 WRITEUP MEDIUM WRITEUP
elabftw < 4.1.0 - Brute-Force Protection Bypass via PHPSESSID Manipulation
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
CVSS 5.9
CVE-2025-62793 WRITEUP MEDIUM WRITEUP
elabftw < 5.3.0 - Stored Cross-Site Scripting via SVG File Upload
eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who opens the SVG URL or any page embedding it could have their session hijacked, data exfiltrated, or actions performed on their behalf. This vulnerability is fixed n 5.3.0.
CVSS 6.8