CyberRota
← Ana sayfaya dön

CVE-2026-55370

MEDIUM · CVSS 6.4 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-10T20:16:46.333 · Çekilme zamanı: 2026-07-11T00:06:57.134899+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-55370
Severity
MEDIUM
CVSS
6.4
EPSS
Yok

Orijinal NVD Açıklaması

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window = 1 and did not persist or compare the accepted TOTP time-step counter. An attacker who has the victim's first factor and captures a live TOTP value can replay that value to satisfy MFA during the same acceptance window. This issue is fixed in version 1.41.0.