Grav Login Plugin Vulnerability Allows Two-Factor Authentication Bypass
A critical flaw in Grav versions before 2.0.4 permits attackers to bypass two-factor authentication by overwriting existing security secrets.
Grav versions prior to 2.0.4 are affected by a critical vulnerability, tracked as CVE-2026-62232, within the login plugin. The issue exists in the regenerate2FASecret task, which fails to verify user authorization during the pending TOTP challenge window, checking only for user existence.
An attacker who possesses a victim's password can exploit this flaw by calling the task without a CSRF nonce to overwrite the 2FA secret with a value of their choosing. This allows the attacker to generate a valid TOTP code and complete the authentication process, effectively reducing the security of the account to password-only protection.
Users of the Grav platform are advised to update to version 2.0.4 or later to address this vulnerability and restore proper two-factor authentication security.
Continue Reading
Critical Privilege Escalation Flaw Found in Bricksforge WordPress Plugin
A critical vulnerability in the Bricksforge WordPress plugin allows unauthenticated attackers to create unauthorized administrator accounts.
Clawvet API Server Vulnerability Exposes User Data via Hard-Coded Secret
A critical vulnerability in clawvet API versions before 0.7.5 allows unauthenticated attackers to forge session cookies and access sensitive user information.
Formalizing the Vulnerability Lifecycle
International agencies are pushing software vendors to adopt standardized vulnerability disclosure frameworks for better security.