
CWE-302

Authentication Bypass by Assumed-Immutable Data

10 CVEs | Avg CVSS 7.2 | CWE reference: MITRE
Severity breakdown: 2 CRITICAL, 4 HIGH, 4 MEDIUM, 0 LOW
Public PoC available: 0 | Listed in CISA KEV: 0


CVE-2025-43992 | MEDIUM | Patch available | This Month

Authentication bypass in Dell ECS Geo replication (versions 3.8.1.0 through 3.8.1.7) and Dell ObjectScale (versions prior to 4.3.0.0) allows an unauthenticated remote attacker to access data in transit. The flaw is in the replication authentication mechanism, which trusts data it assumes cannot be modified; no valid credentials and no user interaction are required.

Tags: Authentication Bypass, Dell | Source: NVD | CVSS 3.1: 5.6 | EPSS: 0.1%
CVE-2026-28510 | MEDIUM | This Month

Multi-factor authentication bypass in eLabFTW through version 5.4.1 allows attackers with valid primary credentials to complete login using an attacker-controlled TOTP secret, circumventing the second factor requirement and gaining unauthorized account access. The vulnerability stems from inconsistent MFA state preservation across authentication steps. This issue is patched in version 5.4.2.

Tags: Authentication Bypass | Sources: NVD, GitHub | CVSS 3.1: 5.9 | EPSS: 0.0%
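The eLabFTW entry above describes the general shape of this CWE in an MFA flow: the second step must prove possession of a secret that was fixed when the user enrolled, but the implementation lets the client change which secret is being proven. The following is an added illustrative example, not eLabFTW's code: a two-step login in which the vulnerable second step accepts a base32 TOTP secret posted alongside the code (as a handler that serves both enrolment and verification might), while the fixed step reads the secret only from the server-side record and ignores everything else the client sends. The `USERS` store, the `LoginFlow` class, the session layout and all key material are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed user store: one user with a password and a server-side TOTP secret.
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": secrets.token_bytes(20),
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP; Unix time is a parameter so results are reproducible."""
    return hotp(secret, now // step)


class LoginFlow:
    """Two-step login (password, then TOTP) with server-side pending-MFA sessions."""

    def __init__(self):
        self.sessions = {}

    def step1_password(self, username, password):
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(16)
        # Everything step 2 is allowed to trust is recorded here, server-side.
        self.sessions[sid] = {"user": username, "stage": "mfa_pending"}
        return sid

    def step2_totp_vulnerable(self, sid, code, now, client_secret_b32=None):
        """VULNERABLE (assumed bug shape): one handler serves both enrolment and
        verification, so a base32 secret posted with the code replaces the enrolled
        one. Which secret must be proven is not carried over from step 1."""
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "mfa_pending":
            return False
        if client_secret_b32:
            secret = base64.b32decode(client_secret_b32)
        else:
            secret = USERS[sess["user"]]["totp_secret"]
        if hmac.compare_digest(totp(secret, now).encode(), str(code).encode()):
            sess["stage"] = "authenticated"
            return True
        return False

    def step2_totp_fixed(self, sid, code, now, **ignored_client_fields):
        """FIXED: the secret is immutable for the whole flow and is read only from
        the server-side record; any other client-supplied field is ignored. A failed
        attempt invalidates the pending session instead of leaving it open to retries."""
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "mfa_pending":
            return False
        secret = USERS[sess["user"]]["totp_secret"]
        if hmac.compare_digest(totp(secret, now).encode(), str(code).encode()):
            sess["stage"] = "authenticated"
            return True
        sess["stage"] = "failed"
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Attacker knows alice's password but not her TOTP secret."""
    flow = LoginFlow()
    attacker_secret = secrets.token_bytes(20)
    attacker_b32 = base64.b32encode(attacker_secret).decode()
    attacker_code = totp(attacker_secret, now)
    real_code = totp(USERS["alice"]["totp_secret"], now)
    pw = USERS["alice"]["password"]
    return {
        "vulnerable_accepts_attacker_secret":
            flow.step2_totp_vulnerable(flow.step1_password("alice", pw), attacker_code, now, attacker_b32),
        "fixed_rejects_attacker_secret":
            flow.step2_totp_fixed(flow.step1_password("alice", pw), attacker_code, now,
                                  client_secret_b32=attacker_b32),
        "fixed_accepts_real_code":
            flow.step2_totp_fixed(flow.step1_password("alice", pw), real_code, now),
        "fixed_rejects_wrong_password":
            flow.step2_totp_fixed(flow.step1_password("alice", "wrong"), real_code, now),
    }


if __name__ == "__main__":
    print(demo())
```

The check to carry over from this example is structural rather than cryptographic: every input the second factor depends on (user identity, enrolled secret, pending state) must be written by the server at step 1 and read back unchanged at step 2, and the verification endpoint must have no parameter that can substitute any of them.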
CVE-2026-27840 | Go | MEDIUM | Patch available | This Month

Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format, where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.

Tags: Information Disclosure, Zitadel, SUSE | Sources: NVD, GitHub | CVSS 3.1: 4.3 | EPSS: 0.0%
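The Zitadel entry above is an instance of a validator that does not treat the token's length as part of its format. The following is an added illustrative example, not Zitadel's token format or code: an opaque token made of a random id followed by an HMAC-SHA256 tag, base64url-encoded. The vulnerable validator compares only as many tag bytes as the client sent, so a token cut down to the id alone (empty tag) or to half a tag still passes; the fixed validator rejects anything that is not exactly the expected length before it consults the token store, and compares the whole tag. The layout, `SERVER_KEY`, `ACTIVE_TOKENS` store and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed opaque-token layout for this example (not Zitadel's):
#   raw   = token_id (16 random bytes) || HMAC-SHA256(SERVER_KEY, token_id) (32 bytes)
#   token = base64url(raw) without padding -> exactly 64 characters
SERVER_KEY = secrets.token_bytes(32)    # constructed key
ID_LEN, TAG_LEN = 16, 32
TOKEN_LEN = ID_LEN + TAG_LEN
ACTIVE_TOKENS = {}                      # constructed store: token_id -> subject


def _tag(token_id: bytes) -> bytes:
    return hmac.new(SERVER_KEY, token_id, hashlib.sha256).digest()


def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def issue_token(subject: str) -> str:
    token_id = secrets.token_bytes(ID_LEN)
    ACTIVE_TOKENS[token_id] = subject
    return _enc(token_id + _tag(token_id))


def _decode(token: str):
    """base64url-decode with padding restored; None for undecodable input."""
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None


def validate_vulnerable(token: str):
    """VULNERABLE (assumed bug shape): verifies only as many tag bytes as arrived.
    A token truncated to the id has an empty tag, and compare_digest(b"", b"") is True."""
    raw = _decode(token)
    if raw is None or len(raw) < ID_LEN:
        return None
    token_id, provided_tag = raw[:ID_LEN], raw[ID_LEN:]
    if token_id not in ACTIVE_TOKENS:
        return None
    expected = _tag(token_id)
    if hmac.compare_digest(expected[:len(provided_tag)], provided_tag):
        return ACTIVE_TOKENS[token_id]
    return None


def validate_fixed(token: str):
    """FIXED: length is part of the format. Anything but an exact-length token is
    rejected before the store is consulted, and the full tag is compared in constant time."""
    raw = _decode(token)
    if raw is None or len(raw) != TOKEN_LEN:
        return None
    token_id, provided_tag = raw[:ID_LEN], raw[ID_LEN:]
    if token_id not in ACTIVE_TOKENS:
        return None
    if not hmac.compare_digest(_tag(token_id), provided_tag):
        return None
    return ACTIVE_TOKENS[token_id]


def demo() -> dict:
    """Run both validators over a valid token and three malformed variants."""
    full = issue_token("alice")
    raw = _decode(full)
    id_only = _enc(raw[:ID_LEN])                    # tag stripped entirely
    half_tag = _enc(raw[:ID_LEN + TAG_LEN // 2])    # tag cut in half
    forged = _enc(raw[:ID_LEN] + bytes(TAG_LEN))    # right length, wrong tag
    return {
        "token_chars": len(full),
        "full": (validate_vulnerable(full), validate_fixed(full)),
        "id_only": (validate_vulnerable(id_only), validate_fixed(id_only)),
        "half_tag": (validate_vulnerable(half_tag), validate_fixed(half_tag)),
        "forged": (validate_vulnerable(forged), validate_fixed(forged)),
    }


if __name__ == "__main__":
    print(demo())
```

The same check applies to authenticated-encryption formats: decide the exact wire length (or an explicit, authenticated length field) up front and reject on mismatch before any decryption or lookup, rather than letting the parser "take what is there".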
CVE-2024-45370 | HIGH | This Week

An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

Tags: Authentication Bypass | Source: NVD | CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2025-8855 | HIGH | This Month

Optimus Software Brokerage is affected by authorization bypass through a user-controlled key (CWE-639), a weak password recovery mechanism for forgotten passwords (CWE-640) and authentication bypass by assumed-immutable data (CWE-302). Rated high (CVSS 8.1): remotely exploitable, low attack complexity. No patch is listed for this entry.

Tags: Authentication Bypass | Source: NVD | CVSS 3.1: 8.1 | EPSS: 0.1%
CVE-2025-46647 | MEDIUM | Patch available | This Month

CVE-2025-46647 is a medium-severity (CVSS 5.3) authentication bypass in Apache APISIX, listed here under CWE-302 and tagged as information disclosure; a patched release is available.

Tags: Apache, Information Disclosure, APISIX | Source: NVD | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2025-29813 | CRITICAL | Act Now

Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. Rated critical (CVSS 10.0): remotely exploitable, no authentication required, low attack complexity. No patch is listed for this entry.

Tags: Authentication Bypass, Microsoft, Azure DevOps | Source: NVD | CVSS 3.1: 10.0 | EPSS: 1.8%
CVE-2025-26522 | HIGH | This Week

This vulnerability exists in the RupeeWeb trading platform due to an improperly implemented OTP validation mechanism in certain API endpoints. Rated high (CVSS 7.5): remotely exploitable. No patch is listed for this entry.

Tags: Authentication Bypass | Source: NVD | CVSS 4.0: 7.5 | EPSS: 0.0%
CVE-2025-24876 | npm | HIGH | Patch available | This Week

The SAP Approuter Node.js package, version v16.7.1 and earlier, is vulnerable to authentication bypass. Rated high (CVSS 8.1): remotely exploitable, no authentication required, low attack complexity. A patched release is available.

Tags: Authentication Bypass, Node.js, SAP | Source: NVD | CVSS 3.1: 8.1 | EPSS: 0.2%
CVE-2024-56404 | CRITICAL | This Week

In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation; 9.3 is not affected. Rated critical (CVSS 9.9): remotely exploitable, low attack complexity.

Tags: Privilege Escalation | Source: NVD | CVSS 3.1: 9.9 | EPSS: 0.3%