Monthly
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.
Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentication through improper validation of OAuth login requests, enabling account takeover without second-factor verification. CISA KEV status and exploit availability not confirmed at time of analysis.
A weak authentication vulnerability in the PickPlugins User Verification WordPress plugin (versions up to 2.0.45) allows attackers to bypass email verification mechanisms, enabling authentication abuse and unauthorized account creation or takeover. This vulnerability has been identified by Patchstack as an email verification bypass issue affecting the user verification functionality, potentially exposing sites using this plugin to account compromise and unauthorized access. The practical impact depends on how the plugin integrates with site authentication workflows, but successful exploitation could allow attackers to register accounts, access user data, or impersonate legitimate users.
A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.
Improper authentication in Acronis Cyber Protect 17.
A privilege escalation vulnerability in Inno Setup 6.2.1 and earlier versions allows local attackers to gain elevated privileges through DLL hijacking. This vulnerability requires user interaction but no authentication, enabling attackers to execute arbitrary code with higher privileges by placing a malicious DLL in a location searched by the installer. While not currently listed in CISA KEV, the vulnerability has a moderate EPSS score of 0.043% and affects a widely-used Windows installer creation tool.
Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information. [CVSS 7.5 HIGH]
SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated admin access.
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.
Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentication through improper validation of OAuth login requests, enabling account takeover without second-factor verification. CISA KEV status and exploit availability not confirmed at time of analysis.
A weak authentication vulnerability in the PickPlugins User Verification WordPress plugin (versions up to 2.0.45) allows attackers to bypass email verification mechanisms, enabling authentication abuse and unauthorized account creation or takeover. This vulnerability has been identified by Patchstack as an email verification bypass issue affecting the user verification functionality, potentially exposing sites using this plugin to account compromise and unauthorized access. The practical impact depends on how the plugin integrates with site authentication workflows, but successful exploitation could allow attackers to register accounts, access user data, or impersonate legitimate users.
A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.
Improper authentication in Acronis Cyber Protect 17.
A privilege escalation vulnerability in Inno Setup 6.2.1 and earlier versions allows local attackers to gain elevated privileges through DLL hijacking. This vulnerability requires user interaction but no authentication, enabling attackers to execute arbitrary code with higher privileges by placing a malicious DLL in a location searched by the installer. While not currently listed in CISA KEV, the vulnerability has a moderate EPSS score of 0.043% and affects a widely-used Windows installer creation tool.
Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information. [CVSS 7.5 HIGH]
SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated admin access.