
CWE-1390

Weak Authentication

51 CVEs, average CVSS 7.6 (source: MITRE). Severity: 13 critical, 24 high, 13 medium, 1 low. 3 with public PoC, 0 in CISA KEV.


CVE-2026-57352 MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. It is assigned a CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N); the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
Sources: NVD | CVSS 3.1: 4.8 | EPSS: 0.2%
CVE-2026-0274 HIGH PATCH This Week

Improper credential validation in the CommvaultSecurityIQ integration for Palo Alto Networks Cortex XSOAR and Cortex XSIAM allows remote attackers to read and modify protected resources without authentication. The CVSS 4.0 base score of 8.1 reflects high impact to confidentiality, integrity, and availability across a network-reachable attack surface, though no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Cortex Xsiam Commvaultsecurityiq Marketplace Cortex Xsoar Commvaultsecurityiq Marketplace
Sources: NVD, VulDB | CVSS 4.0: 8.1 | EPSS: 0.0%
CVE-2026-44237 HIGH PATCH This Week

Authentication bypass in FreePBX api module (versions prior to 17.0.8) allows OAuth2 access tokens to be issued without verifying the client_secret, because the ClientRepository validateClient() method unconditionally returns true. An attacker who knows or guesses a valid client_id can mint tokens granting API access to the PBX, leading to unauthorized read and write operations against telephony configuration. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Information Disclosure
Sources: NVD, GitHub | CVSS 4.0: 7.6 | EPSS: 0.0%
CVE-2026-49323 MEDIUM This Month

Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, so the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange; no brute force is required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.

Information Disclosure Microsoft Scout Bobber Tech
Sources: NVD, VulDB | CVSS 4.0: 4.1 | EPSS: 0.0%
CVE-2026-49322 MEDIUM This Month

The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, so a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN; no brute force or active interaction is required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.

Information Disclosure Microsoft Scout Bobber Tech
Sources: NVD, VulDB | CVSS 4.0: 4.1 | EPSS: 0.0%
CVE-2026-40417 HIGH PATCH Exploit Unlikely This Week

Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.

Information Disclosure Microsoft Dynamics 365 Business Central 2024 Release Wave 2 Microsoft Dynamics 365 Business Central 2026 Release Wave 1 Microsoft Dynamics 365 Business Central Release Wave 1 2025 Microsoft Dynamics 365 Business Central Release Wave 2 2025
Sources: NVD, VulDB | CVSS 3.1: 7.8 | EPSS: 0.0%
CVE-2026-0204 HIGH This Week

A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.

Information Disclosure Sonicos
Sources: NVD, VulDB | CVSS 3.1: 8.0 | EPSS: 0.0%
CVE-2026-6886 CRITICAL Act Now

Authentication bypass in Borg SPM 2007 allows remote unauthenticated attackers to impersonate any user and gain complete system access without credentials. This discontinued product (sales ended 2008) presents maximum network exposure (CVSS 4.0 score 9.3, AV:N/AC:L/PR:N) with trivial exploitation conditions. While no CISA KEV listing exists, the simplicity of exploitation combined with complete system compromise (VC:H/VI:H/VA:H) makes this critical for organizations still running this legacy software, though real-world deployment is likely minimal given the 18-year product discontinuation.

Authentication Bypass Borg Spm 2007
Sources: NVD, VulDB | CVSS 4.0: 9.3 | EPSS: 0.2%
CVE-2025-70994 HIGH CISA Act Now

Yadea T5 Electric Bicycles (models manufactured in or after 2024) have a weak authentication mechanism in their keyless entry system. The system uses the EV1527 fixed-code RF protocol without rolling codes or a cryptographic challenge-response mechanism. Because every transmission is identical, the system is vulnerable to replay: a local attacker who intercepts any legitimate key fob transmission can forge the signal and obtain complete unauthorized vehicle operation.

Authentication Bypass
Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2026-4924 HIGH This Week

Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.

Authentication Bypass Server
Sources: NVD, VulDB | CVSS 3.1: 8.2 | EPSS: 0.0%