Vendor
high
advisory
CVE-2026-59713: Leantime OIDC Login CSRF leading to Session Fixation
3 TTPs 1 CVECVE-2026-59713 identifies a high-severity OIDC login Cross-Site Request Forgery (CSRF) vulnerability in Leantime's verifyState() method, allowing attackers to craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation and log victims into an attacker's session.
Leantime
csrf
oidc
session-fixation
web-application
vulnerability
3t
1c
high
advisory
CVE-2026-59712: Leantime JSON-RPC API Authorization Bypass Leads to Credential Disclosure
3 TTPs 1 CVE 3 IOCsAn authenticated user can exploit CVE-2026-59712, an authorization bypass vulnerability in Leantime's JSON-RPC API `Users::getUser` method, to retrieve sensitive user credential information including password hashes, TOTP secrets, and session tokens for any user, leading to account enumeration, offline password cracking, 2FA bypass, and session hijacking.
Leantime
authorization-bypass
credential-disclosure
api-exploitation
web-vulnerability
cve
3t
1c
3i