Monthly
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.
Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.20 / V26.20.0) lets an already-authenticated attacker abuse insufficient validation of authentication credentials when modifying administrative accounts through the web API. By exploiting this weak credential re-verification (CWE-620), an attacker with existing access can bypass security controls and obtain unauthorized elevated privileges over the device. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.
Authentication bypass and account takeover in OpenAM Community Edition (OpenIdentity Platform) through 16.0.6 allows unauthenticated attackers to log in as any user who has authenticated via the OAuth2 module. The OAuth2 module silently rewrites a local user's password to the literal value of their own username, after which the default ldapService chain accepts the username as both identifier and password at the standard authenticate endpoint - no IdP interaction needed. No public exploit identified at time of analysis, but the attack requires only knowledge of a target username once the password-rewrite has fired.
Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.
Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.
Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.20 / V26.20.0) lets an already-authenticated attacker abuse insufficient validation of authentication credentials when modifying administrative accounts through the web API. By exploiting this weak credential re-verification (CWE-620), an attacker with existing access can bypass security controls and obtain unauthorized elevated privileges over the device. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.
Authentication bypass and account takeover in OpenAM Community Edition (OpenIdentity Platform) through 16.0.6 allows unauthenticated attackers to log in as any user who has authenticated via the OAuth2 module. The OAuth2 module silently rewrites a local user's password to the literal value of their own username, after which the default ldapService chain accepts the username as both identifier and password at the standard authenticate endpoint - no IdP interaction needed. No public exploit identified at time of analysis, but the attack requires only knowledge of a target username once the password-rewrite has fired.
Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.
Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.