Skip to main content
CVE-2026-5296 MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2601 MEDIUM PATCH This Month

GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49054 MEDIUM This Month

Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49052 MEDIUM This Month

Missing authorization in Wpmet's ElementsKit Elementor addons Lite plugin for WordPress (versions through 3.9.6) permits authenticated low-privilege users to invoke privileged plugin functionality without proper access control verification. The CVSS vector (PR:L, I:L) confirms the attack requires a valid low-privilege WordPress account - such as a Subscriber - but grants unintended write-level access to restricted plugin operations. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk moderate; however, the network-accessible, low-complexity nature of the flaw means any authenticated user on an affected installation is a potential threat actor.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49051 MEDIUM This Month

Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49047 MEDIUM This Month

Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49045 MEDIUM This Month

Missing authorization in the Adminimize WordPress plugin (versions through 1.11.11) allows authenticated low-privileged users to exploit incorrectly configured access control security levels, resulting in unauthorized read access to restricted information. The flaw, classified under CWE-862, was discovered by Patchstack's audit team and affects the plugin's role-based admin interface customization logic. No public exploit or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with only partial technical impact.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48973 MEDIUM This Month

Broken access control in the SVG Support WordPress plugin (versions through 2.5.14) allows low-privileged authenticated users to perform unauthorized actions due to missing authorization checks on one or more plugin functions. The vulnerability (CWE-862) enables an attacker with a basic WordPress account to circumvent access control restrictions and make unauthorized modifications, impacting integrity without exposing sensitive data or causing service disruption. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with partial technical impact.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48971 MEDIUM This Month

Missing authorization controls in the WebToffee Product Import Export for WooCommerce WordPress plugin (versions through 2.5.6) allow low-privileged authenticated users to access protected import/export functionality beyond their intended permission level, resulting in unauthorized read access to product data. The flaw is classified under CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user is actually permitted to perform sensitive operations. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a limited-impact, network-accessible vulnerability constrained by the requirement for prior authentication.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9689 MEDIUM This Month

HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.

Authentication Bypass Build Of Keycloak
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-21785 MEDIUM This Month

HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.

XSS
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-45309 MEDIUM PATCH GHSA This Month

Path traversal in AsyncSSH 2.22.0's AuthorizedKeysFile %u token expansion allows an unauthenticated remote attacker to bypass SSH public-key authentication by supplying a crafted username containing directory traversal sequences. Servers configured with per-user key patterns such as AuthorizedKeysFile authorized_keys/%u are vulnerable when an attacker can place or reference a readable authorized-keys-format file at a filesystem path reachable by traversal from the configured directory. Publicly available exploit code exists demonstrating successful authentication bypass; KEV status is not confirmed at time of analysis.

SSH Path Traversal Suse
NVD GitHub
EPSS
0.2%
CVE-2026-44979 MEDIUM PATCH GHSA This Month

Proxy-Authorization header leakage in @hapi/wreck exposes forward-proxy credentials when redirect following is enabled and a 3xx response targets a different hostname. Prior to version 18.1.1, only Authorization and Cookie headers were stripped on cross-hostname redirects; the Proxy-Authorization header was forwarded intact to the redirect target, which may be an untrusted host outside the original trust boundary. No public exploit has been identified at time of analysis, but the impact is concrete credential exposure for any Node.js application using @hapi/wreck with redirect following explicitly enabled.

Information Disclosure
NVD GitHub
EPSS
0.1%
Prev Page 8 of 8

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy