Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. The issue is assigned a CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N); the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and the issue is not listed in CISA KEV.
Improper credential validation in the CommvaultSecurityIQ integration for Palo Alto Networks Cortex XSOAR and Cortex XSIAM allows remote attackers to read and modify protected resources without authentication. The CVSS 4.0 base score of 8.1 reflects high impact to confidentiality, integrity, and availability across a network-reachable attack surface, though no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Authentication bypass in the FreePBX api module (versions prior to 17.0.8) allows OAuth2 access tokens to be issued without verifying the client_secret, because the ClientRepository validateClient() method unconditionally returns true. An attacker who knows or guesses a valid client_id can mint tokens granting API access to the PBX, leading to unauthorized read and write operations against telephony configuration. No public exploit has been identified at time of analysis, and the issue is not currently listed in CISA KEV.
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.
Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.
Authentication bypass in Borg SPM 2007 allows remote unauthenticated attackers to impersonate any user and gain complete system access without credentials. This discontinued product (sales ended 2008) presents maximum network exposure (CVSS:4.0 9.3, AV:N/AC:L/PR:N) with trivial exploitation conditions. While no CISA KEV listing exists, the simplicity of exploitation combined with complete system compromise (VC:H/VI:H/VA:H) makes this critical for organizations still running this legacy software, though real-world deployment is likely minimal given the 18-year product discontinuation.
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.