cybersec
Jul 10, 2026 · 6 min Type JugglingCVE-2026-30849: When `0` Was a Valid Password
MantisBT's SOAP login trusted whatever type the XML said the password was. On MySQL, that one missing type hint let an integer slip into a string comparison — and the database happily agreed that a random session cookie equals zero.
— The database said zero equals everything