cbcvebase.
CVE-2026-34456
published 2026-04-01

CVE-2026-34456: Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version…

PriorityP265critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.46%
36.3th percentile
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

Affected

2 ranges
VendorProductVersion rangeFixed in
reviactylpanel
reviactylreviactyl
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.