Monthly
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.
Authentication bypass in Slican telephone exchanges (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) lets an unauthenticated remote attacker who dials the device's management modem while presenting a specific caller ID bypass admin authentication and obtain full access to the service protocol and configuration panel. Because this 'magic' caller ID works regardless of how the exchange is configured - and even temporarily re-enables remote management when an administrator has disabled it - the flaw behaves like a hidden backdoor rather than a normal misconfiguration. CVSS 4.0 rates it 9.3 (critical); no public exploit has been identified at time of analysis, and the issue remains permanently unpatched on End-of-Life CCT-1668, MAC-6400, and CXS-0424 units running firmware 4.xx and below.
Authentication bypass in Slican telephone exchanges (NCP, IPx, CCT-1668, MAC-6400, and CXS-0424 PBX systems) lets a remote attacker skip credential entry on the administrative protocol simply by issuing a specific command, granting full administrative control of the exchange. The flaw was reported by CERT Polska (cert.pl), carries a CVSS 4.0 base score of 9.3, and has no public exploit identified at time of analysis; however, the high score reflects unauthenticated network-reachable access with full confidentiality, integrity, and availability impact. Fixed firmware is available for current models, but the issue remains permanently unpatched on End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units running version 4.xx and below.
Authentication bypass in the WordPress plugin 'Backup and Staging by WP Time Capsule' (all versions through 1.22.25) lets remote, unauthenticated attackers abuse an alternate password-recovery channel to gain unauthorized account access without valid credentials. The flaw, reported by Patchstack and tracked as EUVD-2026-32208, carries a CVSS 7.5 (confidentiality-only impact) but currently has no public exploit identified at time of analysis and a very low EPSS exploitation probability of 0.04% (13th percentile). Successful exploitation exposes sensitive access to the affected site, and the plugin's backup/staging role makes any resulting account takeover especially damaging.
Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile), indicating no observed mass exploitation.
Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no current evidence of widespread exploitation.
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Physical-access PIN lock bypass in AppLockZ 4.2.11 for Android exposes protected applications to unauthorized access without valid credentials. The root cause is architectural: the lock mechanism is implemented as a UI overlay rather than through Android's secure authentication APIs, leaving it vulnerable to circumvention via exposed activity routes reachable through advertisement or browser intents. An attacker with physical possession of the device can navigate cascading interface flows to evade lockscreen verification and access apps protected by AppLockZ (e.g., Chrome), resulting in information disclosure. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.04% reflects minimal real-world exploitation probability at this time.
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.
Authentication bypass in Slican telephone exchanges (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) lets an unauthenticated remote attacker who dials the device's management modem while presenting a specific caller ID bypass admin authentication and obtain full access to the service protocol and configuration panel. Because this 'magic' caller ID works regardless of how the exchange is configured - and even temporarily re-enables remote management when an administrator has disabled it - the flaw behaves like a hidden backdoor rather than a normal misconfiguration. CVSS 4.0 rates it 9.3 (critical); no public exploit has been identified at time of analysis, and the issue remains permanently unpatched on End-of-Life CCT-1668, MAC-6400, and CXS-0424 units running firmware 4.xx and below.
Authentication bypass in Slican telephone exchanges (NCP, IPx, CCT-1668, MAC-6400, and CXS-0424 PBX systems) lets a remote attacker skip credential entry on the administrative protocol simply by issuing a specific command, granting full administrative control of the exchange. The flaw was reported by CERT Polska (cert.pl), carries a CVSS 4.0 base score of 9.3, and has no public exploit identified at time of analysis; however, the high score reflects unauthenticated network-reachable access with full confidentiality, integrity, and availability impact. Fixed firmware is available for current models, but the issue remains permanently unpatched on End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units running version 4.xx and below.
Authentication bypass in the WordPress plugin 'Backup and Staging by WP Time Capsule' (all versions through 1.22.25) lets remote, unauthenticated attackers abuse an alternate password-recovery channel to gain unauthorized account access without valid credentials. The flaw, reported by Patchstack and tracked as EUVD-2026-32208, carries a CVSS 7.5 (confidentiality-only impact) but currently has no public exploit identified at time of analysis and a very low EPSS exploitation probability of 0.04% (13th percentile). Successful exploitation exposes sensitive access to the affected site, and the plugin's backup/staging role makes any resulting account takeover especially damaging.
Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile), indicating no observed mass exploitation.
Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no current evidence of widespread exploitation.
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Physical-access PIN lock bypass in AppLockZ 4.2.11 for Android exposes protected applications to unauthorized access without valid credentials. The root cause is architectural: the lock mechanism is implemented as a UI overlay rather than through Android's secure authentication APIs, leaving it vulnerable to circumvention via exposed activity routes reachable through advertisement or browser intents. An attacker with physical possession of the device can navigate cascading interface flows to evade lockscreen verification and access apps protected by AppLockZ (e.g., Chrome), resulting in information disclosure. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.04% reflects minimal real-world exploitation probability at this time.
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.