Authentication Bypass

CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.

Improper authorization in RustFS prior to 1.0.0-beta.2 allows authenticated users to perform unauthorized cross-bucket object copies via the S3-compatible UploadPartCopy operation, bypassing destination-bucket policy constraints on permitted copy sources. The Rust-based distributed object storage system validates GetObject on the source and PutObject on the destination independently but never checks whether the destination bucket actually permits the specified source, enabling lateral data movement between buckets. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Unauthenticated webhook event injection in Symfony's Mailtrap Mailer bridge (symfony/mailtrap-mailer) allows any remote attacker who knows the webhook endpoint URL to POST arbitrary forged event payloads - delivery, bounce, open, click, or spam - regardless of whether a signing secret is configured. The root cause is that `MailtrapRequestParser::doParse()` accepts the configured secret as a parameter but never reads it, leaving the `X-Mt-Signature` HMAC header completely unchecked. Successful exploitation enables suppression-list poisoning, delivery-metrics fraud, and manipulation of application logic that reacts to email events. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor patch is available in versions 7.4.12 and 8.0.12.

Unauthenticated webhook event injection in Symfony's Mailjet Mailer and LOX24 SMS Notifier bridges allows remote attackers to POST arbitrary forged payloads to an application's webhook endpoint, even when a webhook secret is configured. The root cause is that both `MailjetRequestParser::doParse()` and `Lox24RequestParser::doParse()` accept a secret parameter but silently discard it, returning the payload unconditionally. Attackers who can discover the webhook URL can fabricate bounce, spam, open, click, or delivery events, leading to suppression-list corruption and delivery-metrics fraud. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from `baggage.Parse`, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.

Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

{id}/pin endpoint, where the server returns a 403 Forbidden response but the targeted record is already persistently modified. A publicly available exploit exists; this vulnerability is not confirmed actively exploited per CISA KEV, and impact is constrained to unauthorized data integrity modification without confidentiality or availability consequences.

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.

Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.

Unauthenticated password reset in Mennekes Amtron EV charging stations running firmware 5.22.3 and earlier allows remote attackers to seize the operator account by sending a crafted POST to /operator/operator. CVSS 4.0 of 9.3 with PR:N/UI:N and CWE-287 reflects a complete authentication bypass, and the CVSS exploit maturity flag (E:P) plus the cyberdanube research disclosure indicate publicly available exploit code exists, though the vulnerability is not currently listed in CISA KEV.

Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.

Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.

SNS signature verification bypass in the Elixir ex_aws_sns library (versions 2.0.1 through 2.3.4) allows remote unauthenticated attackers to forge messages that pass ExAws.SNS.verify_message/1 checks. The verify_message/1 routine fetched the signing certificate from the attacker-supplied SigningCertURL field without restricting the scheme to HTTPS or the host to an AWS SNS certificate domain, so an attacker can host their own certificate, sign a forged payload, and have verification return :ok. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the upstream fix is published on GitHub (commit 1853d28) and shipped in 2.3.5.

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group.

Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.

Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.

Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private project resources despite administrative revocation. Affected are all GitLab CE/EE instances running versions 18.9 through 18.10.6, 18.11 through 18.11.3, and 19.0.0 - patched versions 18.10.7, 18.11.4, and 19.0.1 were released 2026-05-27. A publicly available exploit exists via HackerOne report #3554993, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.

Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.

Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).

Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though there is no public exploit identified at time of analysis confirming active exploitation in CISA KEV.

Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. No public exploit identified at time of analysis, though the trivial DDP call pattern makes weaponization straightforward.

Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.

Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.

Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.

Incorrect authorization enforcement in Red Hat Build of Keycloak allows an authenticated user with existing organization membership to retrieve organization metadata through the account API or via OIDC token requests using the 'organization' scope, even when an administrator has explicitly disabled the Organizations feature. The flaw (CWE-863) means the feature-disabled state is not enforced at the data-access layer, so tokens and API responses continue to carry organization claims. This can cause downstream resource servers that consume those tokens to make incorrect authorization decisions - for example, granting access based on organizational membership that should no longer be recognized. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.

RBAC authorization bypass in OpenStack Keystone allows any authenticated low-privilege user to inject arbitrary policy target attributes into the policy enforcement context, overwriting database-verified identity data and impersonating other users or projects. Affected deployments span Rocky (14.0.0) through all versions prior to 29.0.2, a roughly eight-year window introduced by commit 5ea59f52. No public exploit code or CISA KEV listing exists at time of analysis, but the network-exploitable, changed-scope nature of the flaw makes it a meaningful risk in multi-tenant OpenStack environments.

OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.

User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Privilege escalation in OpenStack Keystone before 29.0.2 allows an authenticated attacker holding only the member role on a project to gain full admin access by chaining an application credential impersonation vulnerability with a logic flaw in Keystone trust delegation. When an attacker uses impersonated credentials to carry a victim admin's identity, Keystone's trust creation logic incorrectly validates delegated roles against the victim's actual database role assignments rather than the roles encoded in the requesting token - permitting the attacker to create a trust that confers the victim's admin role. The resulting trust persists independently and can be used to mint additional trusts and application credentials for sustained access, with all activity attributed to the victim's identity. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Broken access control in Pimcore's CustomReports bundle (composer package pimcore/pimcore, versions ≤ 12.3.5) lets an authenticated low-privileged backend user who holds only the generic `reports` permission read the full configuration of custom reports they were never granted access to. The report detail endpoint (`getAction`) validates only coarse `reports`/`reports_config` permissions, whereas the listing endpoint enforces per-report sharing rules through `loadForGivenUser()`; consequently a report hidden from a user's visible list can still be retrieved directly by name. A working proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-jwcc-gv4m-93x6), so publicly available exploit code exists, but there is no public evidence of active exploitation.

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Cross-connection response leakage in Microsoft UFO's WebSocket layer allows an authenticated low-privileged user to receive protocol responses intended for a different authenticated session. The flaw stems from a singleton UFOWebSocketHandler design where per-connection state is stored in shared mutable instance fields, causing each new connection to overwrite the previous connection's protocol object reference. No public exploit or CISA KEV listing exists at time of analysis, but the attack complexity is low and exploitation requires only standard authenticated access to the same UFO instance.

Authenticated role spoofing in Microsoft UFO's WebSocket control plane (version 3.0.1-4-ge2626659) lets any client holding the shared server token impersonate the higher-privilege "constellation" role and hijack tasks belonging to other connected devices. The server trusts the client_type and target_id values carried in each TASK message instead of binding them to the role established when the WebSocket connection registered, and it also permits duplicate client_id registration that overwrites a live peer's stored socket and role. Rated CVSS 8.8 (high) with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis.

Authenticated cross-client stale result replay in Microsoft UFO's WebSocket task handling allows a low-privileged attacker to retrieve another user's completed automation session output. The framework accepts client-supplied session_id values without verifying ownership, so a requester who knows or can predict a prior session's identifier can hijack its stored result via the normal send_task_end() callback path. No public exploit has been identified at time of analysis, and KEV listing is absent, but the High confidentiality impact (C:H) is significant given UFO orchestrates device automation tasks that may capture sensitive screen content, documents, or credentials.

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH while the module's deny_remote protection wrongly classifies the connection as a local terminal session. The root cause is an incomplete check of the utmpx ut_addr_v6 field that misreads IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) as having no remote address, which is the normal way Debian and Ubuntu record incoming IPv4 SSH connections when sshd listens on the IPv6 wildcard. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the operation needed to trigger it is trivial once the operator possesses a registered token.

Symlink-based authentication bypass and file corruption in pam_usb before 0.8.7 lets a local, low-privileged user defeat USB hardware authentication and overwrite root-owned files. By planting symlinks in the pad directory or on individual pad files, an attacker abuses CWE-59 link-following during the one-time-pad rotation that pam_usb performs on login, redirecting privileged file operations. No public exploit code has been identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score is available; exploitation requires local access plus a triggering authentication event.

Authorization bypass in Symfony's HTTP method-scoped security attributes allows controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] with a methods: ['GET'] filter to be reached via HEAD requests with all security checks silently skipped. Affected packages symfony/http-kernel and symfony/security-http versions 7.4.0-7.4.11 and 8.0.0-8.0.11 are vulnerable. Because Symfony's router serves HEAD using the GET handler but the attribute listeners only matched explicitly listed method strings, a HEAD request falls through unenforced - leaking response headers and triggering any controller side effects such as database writes or state mutations. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Cross-service CAS ticket replay in Symfony's Cas2Handler enables an attacker who controls any co-registered CAS application to authenticate as an arbitrary victim user against the target Symfony application. The flaw exists because Cas2Handler constructs the CAS service validation URL from the HTTP Host header - an attacker-supplied value - rather than a statically configured URL, a condition that exists by default since framework.trusted_hosts is not configured in standard Symfony installations. Affected packages are symfony/security-http and symfony/symfony from 7.1.0 through 7.4.11 and 8.0.0 through 8.0.11; no public exploit has been identified at time of analysis.

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/27. Perl allow OS command injection via send_file() (Stig Palmquist <stig@...g.io>) Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download (Douglas Bagnall <douglas.bagnall@...alyst.net.nz>) Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>) ARTEMIS-5996: CVE-2026-40914: Apache Artemis, Apache ActiveMQ Artemis: Address routing-type can be updated by STOMP protoc… (Justin Bertram <jbertram@...che.org>) [OSSA-2026-014] OpenStack Swift: Swift proxy-server denial of service via truncated s3api chunked upload (CVE-2026-4901… (Goutham Pacha Ravi <gouthampravi@...il.…) 9

Three distinct URL allowlist bypasses in Symfony's symfony/html-sanitizer component allow content authors to smuggle off-allowlist URLs past host and scheme restriction controls configured via allowLinkHosts(), allowLinkSchemes(), allowMediaHosts(), and allowMediaSchemes(). The root cause is a combination of parser-differential attacks exploiting divergence between RFC-3986 (used server-side) and the WHATWG URL Standard (used by browsers), plus misclassification of <area> elements as media rather than navigable links. Affected applications processing untrusted HTML with host/scheme allowlists in symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11 are at risk; no public exploit identified at time of analysis and this CVE does not appear in CISA KEV.

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (8.1) reflects full compromise of confidentiality, integrity, and availability if the attacker satisfies the configuration prerequisites.

Web application firewall body-inspection bypass in CrowdSec (the AppSec component, versions 1.5.0 through 1.7.7) lets unauthenticated remote attackers slip malicious payloads past every body-scanning WAF rule. When a request uses HTTP/1.1 'Transfer-Encoding: chunked' or HTTP/2 without a content-length, the parser treats the body as empty, so rules matching REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fail and the request is forwarded as 'allow' with no WAF log entry. There is no public exploit identified at time of analysis and no KEV listing, but the trigger is trivial - flipping a single framing header - making this a high-confidence protection-mechanism failure rather than a memory-safety bug.

Cleartext transmission of TLS-bound data in Deno's Node.js compatibility layer (versions >= 2.0.0, < 2.7.8) allows an on-path attacker to read and tamper with traffic an application believed was encrypted. When the default `autoSelectFamily` option is enabled and the first connection attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook tied to the dead handle, so the retry connection is never upgraded to TLS and any bytes written before the `secureConnect` event leave the host in plaintext. A full proof-of-concept is published in the vendor advisory (publicly available exploit code exists); the issue is fixed in Deno 2.7.8 and there is no public exploit identified in the wild at time of analysis.

Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote, unauthenticated attackers reach privileged HTTP endpoints exposed on TCP port 7878. The service processes requests to paths such as /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache without an authentication check (CWE-306), and the CVSS vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H) rates the impact as full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and no EPSS score was provided, but the 9.8 base score and unauthenticated network reachability make this a critical-priority issue for any internet-exposed Triofox deployment.

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated network attackers due to incorrect authorization checks (CWE-863). All GitLab installations running versions from 18.2 through the patched releases are affected - both Community and Enterprise editions. While the direct impact is limited to information disclosure (project enumeration rather than content access), exposed project names and IDs can facilitate targeted follow-on attacks against otherwise hidden repositories. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo AI workflows to execute under another user's identity, crossing the trust boundary between accounts (CVSS scope: changed). The flaw stems from improper user identity resolution and affects GitLab Enterprise Edition 18.8 through 18.10.6, 18.11 through 18.11.3, and 19.0, with High confidentiality and integrity impact but no availability impact. No public exploit has been identified, CISA's SSVC marks exploitation as 'none,' and the High attack complexity (AC:H) combined with the 'under certain conditions' caveat indicates exploitation is non-trivial rather than push-button.

GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.

Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.

Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is rated CVSS 8.1 (high).

Missing authorization in Budibase's webhook schema-building endpoint allows unauthenticated remote attackers to alter the body schema of a known webhook and, in turn, mutate the output schema of its associated automation trigger in any instance prior to 3.39.0. The CVSS 7.5 score is driven entirely by an integrity impact (I:H) with no confidentiality or availability effect, reflecting that an attacker can tamper with automation logic but not directly read data or crash the service. There is no public exploit identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score was provided in the source data.

Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. Fixed in 3.38.2; no public exploit identified at time of analysis, but the trivial nature of the flaw (a single missing middleware) makes it easy to weaponize once known.

Improper authorization in Frappe HR (HRMS) prior to version 16.5.0 allows any authenticated employee to read the leave records of other employees without permission. The root cause is CWE-863 (Incorrect Authorization) - the application authenticates the user but fails to enforce that the requesting employee is authorized to view the target employee's data. With a CVSS score of 6.5 (Medium) and a High confidentiality impact, this is a horizontal privilege escalation issue; no public exploit has been identified at time of analysis and it does not appear in the CISA KEV catalog.

Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.

Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.

Kirby CMS's content-locking feature leaks authenticated users' email addresses and internal identifiers to low-privilege Panel users who are explicitly prohibited from seeing those users under role-based `users.access` or `users.list` permission restrictions. Any low-privilege authenticated Panel user on an affected site can harvest admin email addresses and user IDs during active content lock windows (default 10 minutes) simply by triggering an edit conflict or inspecting Panel view payloads. No public exploit has been identified at time of analysis, and exploitation is bounded to sites with non-default user-visibility restrictions, but the harvested data directly enables downstream phishing, credential stuffing, and admin account enumeration.

{path}` endpoint. The WebDAV controller never attaches an authentication plugin, and `Tree::move()` deletes the source asset before resolving the current user or checking any per-asset permission, so even an unauthenticated request that errors out later still destroys the source file. A working proof-of-concept request is published in the GitHub Security Advisory (GHSA-wc7j-g8wx-m2qx); there is no CISA KEV listing and no EPSS score in the provided data, so this is not confirmed as actively exploited.

Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.

TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted identity for hostnames outside its permitted DNS subtree. By chaining a nameConstraints enforcement gap with a legacy CommonName fallback in pkix_verify_hostname/3, an attacker holding a DNS-restricted intermediate (e.g. permitted;DNS:allowed.example.com) can issue a SAN-less leaf whose CN is an out-of-scope host (e.g. victim.example.com) and have a stock ssl:connect client with verify_peer accept it. It affects OTP 19.3 through the fixed releases (public_key 1.4 onward) and is rated CVSS 4.0 7.6; there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Authentication bypass in Symfony's X509Authenticator (security-http component) lets an attacker who holds any certificate issued by a trusted CA impersonate another user during client-certificate (mTLS) authentication. Symfony extracts the login identifier from the certificate Subject DN using an unanchored regex, so an attacker can embed 'emailAddress=victim@target' inside a free-text CN value and be authenticated as that victim. A vendor patch is available across all maintained branches; there is no public exploit identified at time of analysis, and no CVSS, EPSS, or CISA KEV data exists for this CVE.

Unauthorized file download in pretix's export API allows an authenticated attacker to retrieve export files belonging to other users by supplying a UUID not associated with their own account. Affected versions span a wide range from pretix 2024.10.0 through the 2026.4.x series prior to the 2026.4.2 patch. Exploitation is significantly constrained by the CVSS 4.0 AT:P (Attack Target: Prerequisite) condition - the attacker must independently obtain a valid UUID for a target file, making opportunistic exploitation unlikely absent a secondary information-disclosure weakness. No public exploit code exists and no active exploitation has been identified at time of analysis.

Missing authorization in ElementsKit Elementor addons Lite (WordPress plugin by Wpmet) through version 3.9.6 allows unauthenticated remote attackers to exploit incorrectly configured access control, resulting in limited unauthorized read access to protected data or functionality. The CVSS vector confirms network-based, zero-interaction exploitation with no authentication required, and SSVC classifies it as automatable - meaning attackers can scan and exploit at scale without manual intervention. No public exploit or CISA KEV listing exists at time of analysis, but the unauthenticated, low-complexity nature of the flaw makes it a realistic target for automated WordPress scanning campaigns.

Missing authorization in Wpmet's ElementsKit Elementor addons Lite plugin for WordPress (versions through 3.9.6) permits authenticated low-privilege users to invoke privileged plugin functionality without proper access control verification. The CVSS vector (PR:L, I:L) confirms the attack requires a valid low-privilege WordPress account - such as a Subscriber - but grants unintended write-level access to restricted plugin operations. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk moderate; however, the network-accessible, low-complexity nature of the flaw means any authenticated user on an affected installation is a potential threat actor.

Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.

Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.

Missing authorization in the Adminimize WordPress plugin (versions through 1.11.11) allows authenticated low-privileged users to exploit incorrectly configured access control security levels, resulting in unauthorized read access to restricted information. The flaw, classified under CWE-862, was discovered by Patchstack's audit team and affects the plugin's role-based admin interface customization logic. No public exploit or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with only partial technical impact.

Broken access control in the SVG Support WordPress plugin (versions through 2.5.14) allows low-privileged authenticated users to perform unauthorized actions due to missing authorization checks on one or more plugin functions. The vulnerability (CWE-862) enables an attacker with a basic WordPress account to circumvent access control restrictions and make unauthorized modifications, impacting integrity without exposing sensitive data or causing service disruption. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with partial technical impact.

{client_id}-sensors$', the unsanitized client_id value is embedded directly into the server-side regex, letting a crafted client_id (e.g., '.*' or 'legit|(admin)') alter the pattern's matching logic and grant access to topics the user should not reach. No public exploit has been identified at time of analysis, and the attack requires both valid MQTT credentials and a specifically configured authorization policy, but the high subsequent system impact (SC:H/SI:H per CVSS 4.0) elevates this beyond a simple medium-severity finding for affected deployments.