Monthly
Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.
CVE-2026-32953 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
embedded SwiFTP FTP server component contains a vulnerability that allows attackers to log in without valid credentials.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Deviceviewer versions up to 3.12.0.1 contains a vulnerability that allows attackers to change passwords without proper validation of the old password field (CVSS 6.5).
Mattermost Server versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1 inadequately enforce login method restrictions, permitting authenticated users to circumvent SSO-only requirements by authenticating with a userID instead. This allows an attacker with valid credentials to gain unauthorized access to accounts restricted to single sign-on authentication. No patch is currently available for this vulnerability.
Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. [CVSS 8.1 HIGH]
Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. [CVSS 8.8 HIGH]
A remote code execution vulnerability in Cal.com (CVSS 9.8) that allows an attacker. Risk factors: public PoC available.
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.
CVE-2026-32953 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
embedded SwiFTP FTP server component contains a vulnerability that allows attackers to log in without valid credentials.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Deviceviewer versions up to 3.12.0.1 contains a vulnerability that allows attackers to change passwords without proper validation of the old password field (CVSS 6.5).
Mattermost Server versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1 inadequately enforce login method restrictions, permitting authenticated users to circumvent SSO-only requirements by authenticating with a userID instead. This allows an attacker with valid credentials to gain unauthorized access to accounts restricted to single sign-on authentication. No patch is currently available for this vulnerability.
Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. [CVSS 8.1 HIGH]
Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. [CVSS 8.8 HIGH]
A remote code execution vulnerability in Cal.com (CVSS 9.8) that allows an attacker. Risk factors: public PoC available.
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.