Monthly
Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.
TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. No public exploit or CISA KEV listing exists at time of analysis, but successful exploitation yields full account compromise (C:H, I:H) because MFA is the terminal authentication barrier.
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.
Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.
Refresh-token family forking in better-auth's OAuth provider plugin (@better-auth/oauth-provider 1.6.0–1.6.10, and embedded in better-auth 1.4.8-beta.7–1.5.x) lets a race condition on the /oauth2/token refresh_token grant split one parent refresh token into multiple valid child families, defeating RFC 9700 reuse detection. An attacker holding a stolen refresh token who times two concurrent redemptions can obtain a persistent, independently-rotating branch that survives revocation of the legitimate user's branch and never trips family-invalidation. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the security impact is indefinite unauthorized access plus detection bypass at the victim's full authorization scope.
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in Gitea 1.26.3.
SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a victim's SAML response reuse that assertion to authenticate as the victim, because the handler never enforces one-time use. Rancher 2.14.0 through 2.14.2 are affected, and because Rancher governs downstream Kubernetes clusters, a successful replay can yield administrative control. No public exploit identified at time of analysis; the issue is not on the CISA KEV list, and the carried CVSS 4.0 base score is 9.5 driven largely by the scope/subsequent-system impact.
Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. No active exploitation confirmed per CISA KEV and no public exploit code identified, though the attack is technically accessible to anyone with commodity software-defined radio hardware given CVSS AV:A/AC:L/PR:N.
Insufficient session expiration in Apache Shiro's RememberMe feature allows a stolen cookie to be replayed indefinitely, bypassing the configured cookie age restriction. All shiro-web deployments from version 1.2.4 through the entire 2.x line and the 3.0.0-alpha-1 pre-release are affected whenever RememberMe is enabled. An attacker who intercepts a victim's RememberMe cookie - through network interception, XSS, or similar means - can reuse it without time limit, effectively maintaining persistent unauthorized access to the victim's session even after the configured expiration has elapsed. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.
TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. No public exploit or CISA KEV listing exists at time of analysis, but successful exploitation yields full account compromise (C:H, I:H) because MFA is the terminal authentication barrier.
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.
Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.
Refresh-token family forking in better-auth's OAuth provider plugin (@better-auth/oauth-provider 1.6.0–1.6.10, and embedded in better-auth 1.4.8-beta.7–1.5.x) lets a race condition on the /oauth2/token refresh_token grant split one parent refresh token into multiple valid child families, defeating RFC 9700 reuse detection. An attacker holding a stolen refresh token who times two concurrent redemptions can obtain a persistent, independently-rotating branch that survives revocation of the legitimate user's branch and never trips family-invalidation. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the security impact is indefinite unauthorized access plus detection bypass at the victim's full authorization scope.
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in Gitea 1.26.3.
SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a victim's SAML response reuse that assertion to authenticate as the victim, because the handler never enforces one-time use. Rancher 2.14.0 through 2.14.2 are affected, and because Rancher governs downstream Kubernetes clusters, a successful replay can yield administrative control. No public exploit identified at time of analysis; the issue is not on the CISA KEV list, and the carried CVSS 4.0 base score is 9.5 driven largely by the scope/subsequent-system impact.
Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. No active exploitation confirmed per CISA KEV and no public exploit code identified, though the attack is technically accessible to anyone with commodity software-defined radio hardware given CVSS AV:A/AC:L/PR:N.
Insufficient session expiration in Apache Shiro's RememberMe feature allows a stolen cookie to be replayed indefinitely, bypassing the configured cookie age restriction. All shiro-web deployments from version 1.2.4 through the entire 2.x line and the 3.0.0-alpha-1 pre-release are affected whenever RememberMe is enabled. An attacker who intercepts a victim's RememberMe cookie - through network interception, XSS, or similar means - can reuse it without time limit, effectively maintaining persistent unauthorized access to the victim's session even after the configured expiration has elapsed. No public exploit code or CISA KEV listing has been identified at time of analysis.