VYPR
High severity · 8.8 · NVD Advisory · Published Mar 17, 2026 · Updated Apr 25, 2026

CVE-2026-4208

Description

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass on future login attempts by providing an empty string as the MFA code to the extension's MFA provider.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| ralffreit/mfa-email | Packagist | < 1.0.7 | 1.0.7 |
| ralffreit/mfa-email | Packagist | >= 2.0.0, < 2.0.1 | 2.0.1 |

Affected products

  • Mrsilaz/MFA Mail (2 versions)
    • cpe:2.3:a:mrsilaz:mfa_mail:2.0.0:*:*:*:*:typo3:*:*
    • cpe:2.3:a:mrsilaz:mfa_mail:*:*:*:*:*:typo3:*:* (range: < 1.0.7)
  • ghsa-coords
    Range: < 1.0.7
