CVE-2026-57574
Description
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows the reuse of a single-use code within its valid time step. If both credentials and a TOTP code are obtained concurrently, an attacker may reuse the code to perform unauthorized actions, potentially leading to account takeover. This issue is fixed in version 2026.6.0.
Is your site exposed to CVE-2026-57574?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-57574? +
How do I check if I'm vulnerable to CVE-2026-57574? +
Related Vulnerabilities
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key …
Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the …
The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic …
SMB forced authentication vulnerability in versions prior to 2025.35.000 of Sage 200 Spain. This vulnerability allows an authenticated attacker with …
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie …
Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a …