Authentication Bypass
Monthly
Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.
Local privilege escalation in ESET Inspect Connector for Windows lets a low-privileged local user escalate to elevated (SYSTEM-level) privileges by abusing an improperly authenticated ALPC (Asynchronous Local Procedure Call) IPC channel. The affected component is the endpoint agent that links ESET Inspect (EDR) to protected Windows hosts; a non-privileged process can issue unauthenticated requests to a privileged service endpoint that fails to verify the caller. The issue was reported and fixed by ESET, is not listed in CISA KEV, and has no public exploit identified at time of analysis.
Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.
Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified at time of analysis.
Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Improper TLS hostname verification in the Snowflake Connector for Python (versions before 4.7.1) lets an on-path attacker defeat HTTPS certificate validation, accepting any certificate signed by any trusted CA regardless of the requested hostname. An adversary who can intercept traffic can decrypt and tamper with connector sessions, exposing Snowflake credentials, query results, and staged file data, and can inject arbitrary SQL bounded by the victim role's privileges. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the reporting vendor (Snowflake) rates it CVSS 4.0 9.2.
Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.
Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. This is a confirmed bypass of the incomplete authorization fix shipped in version 0.93.0 for CVE-2025-11377, indicating the root authorization flaw was never fully remediated. No public exploit code or CISA KEV listing is identified at time of analysis.
Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. No public exploit code has been identified at time of analysis, and the constrained impact (only one hardcoded plugin can be installed, not arbitrary ones) meaningfully limits real-world severity despite the low authentication requirement.
Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes.
Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.
Missing authentication in @andrea9293/mcp-documentation-server v1.13.0 exposes its document-management Web UI/API on all network interfaces (0.0.0.0:3080) instead of localhost, letting any adjacent-network client read, add, search, and delete documents in the MCP knowledge base without credentials. Rated CVSS 8.8 (CWE-306), the flaw is exploitable by unauthenticated attackers reachable over the same LAN, VM network, Docker bridge, or VPN. A detailed proof-of-concept exists in the reporter's advisory, though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV; the vendor fixed it in v1.13.1.
Cross-user state leakage in Lookyloo's PlaywrightCapture Python library allows one capture operation to inherit sensitive data from another when multiple Capture objects run within the same Python process. Because capture-specific settings (HTTP headers, cookies, browser storage, HTTP credentials, proxy, user-agent, geolocation) were stored as mutable class-level rather than instance-level variables, a concurrent or subsequent capture in a multi-user deployment can disclose or reuse another user's authentication cookies, credentials, and captured request data. Exploitation requires low privileges (PR:L, a legitimate user of a shared deployment); a vendor patch exists (commit 1e354b9) and no public exploit identified at time of analysis.
Sandbox escape with SYSTEM-level code execution in Sandboxie-Plus before 1.17.6 allows a process confined inside a sandbox to run arbitrary code in an unsandboxed host process. The privileged GuiServer service trusts attacker-supplied thread and function-pointer values from a GUI window-hook registration request and dispatches them via QueueUserAPC while running as SYSTEM, defeating the core isolation guarantee of the product. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the mechanism is a full sandbox-to-host escape.
Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).
Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the bypass is trivially reproducible with a single HTTP header manipulation.
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.
Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).
Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.
Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.
Privilege escalation in TDengine Enterprise (prior to 3.4.1.15) allows any authenticated low-privilege SQL user to abort active shared-storage migrations by issuing KILL SSMIGRATE commands that should be restricted to administrators. The MND_OPER_SSMIGRATE_DB privilege gate was inadvertently commented out in mndProcessKillSsMigrateReq, collapsing authorization enforcement entirely for this operation. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in version 3.4.1.15.
Network policy bypass in Cilium 1.19.0-1.19.4 allows workloads inside a Kubernetes namespace to reach peers that CIDR-based ipBlock NetworkPolicies should block. The flaw surfaces exclusively when Cilium is deployed with a custom clusterName (any value other than the default 'any'): the network-policy parser in parseNetworkPolicyPeer erroneously instantiates an empty pod selector for selectorless ipBlock peers, which compiles into a wildcard namespace-allow rule instead of a pure CIDR rule. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-namespace traffic mirroring in Cilium's Gateway API implementation allows authenticated Kubernetes users holding HTTPRoute create or update permissions to duplicate HTTP traffic to arbitrary Services in any namespace, bypassing the ReferenceGrant authorization mechanism intended to enforce cross-namespace access control. Affected branches are Cilium 1.17.x before 1.17.17, 1.18.x before 1.18.11, and 1.19.x before 1.19.5. No public exploit or active exploitation has been identified at time of analysis; the attack surface is significantly narrowed by Gateway API being disabled by default and exploitation requiring elevated Kubernetes RBAC permissions.
Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.
Unauthorized access in Dell ThinOS 10 (versions prior to 2605_10.2100) stems from an obsolete UI feature (CWE-448) that a low-privileged local attacker can abuse to bypass authentication controls. With valid low-level local access to the thin-client, an attacker can leverage the leftover interface path to reach functionality or data they should not have, yielding high confidentiality, integrity, and availability impact per the CVSS 7.8 (High) rating. No public exploit identified at time of analysis; the flaw was reported by Dell and disclosed in advisory DSA-2026-300.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
Protection mechanism failure in Dell ThinOS 10 (versions prior to 2605_10.2100) allows an unauthenticated attacker with physical device access to bypass encryption controls and gain unauthorized read and write access to data stored on the thin client. The flaw, classified as CWE-693, indicates the encryption or authentication protection subsystem can be circumvented without any credentials, consistent with the Authentication Bypass tag and CVSS PR:N rating. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the physical access constraint limits but does not eliminate risk in environments with unattended or theft-prone thin clients.
mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner by abusing the PUT /albums/:id/user/:userId endpoint (CWE-863, Incorrect Authorization). Because the endpoint fails to enforce owner-only restrictions on role changes, an editor can demote the legitimate owner and promote themselves across two sequential requests, gaining deletion and member-eviction control over the album and its assets. Publicly available exploit code exists and a vendor patch (v3.0.3) has shipped, though it is not currently listed in CISA KEV.
Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. Publicly available exploit code exists and a vendor patch (commit 8f79035) is available; there is no CISA KEV listing, so exploitation is not confirmed as active.
Authorization bypass in FastGPT's workflow engine allows any authenticated platform user to invoke another user's private HTTP toolsets by crafting a workflow node ID in the form http-<victim_toolset_app_id>/<tool_name>. Affected versions span 4.14.17 through pre-4.15.0-beta5; the normal toolset access routes enforce ownership, but the workflow save path and the /api/v2/chat/completions runtime endpoint omit the same check, enabling cross-tenant tool execution. No public exploit code or CISA KEV listing exists at time of analysis; the AC:H vector reflects that exploitation requires prior knowledge of a victim's toolset app ID.
Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. Publicly available exploit code exists and a vendor patch (commit 564cc30) is available, but this is not listed in CISA KEV and there is no public exploit identified as actively exploited in the wild.
MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.
Unauthenticated information disclosure in GPUStack through version 2.2.1 lets remote attackers reach the worker port's unprotected /serveLogs and /debug endpoints to stream live inference logs - including user prompts and model completions - and to alter worker runtime configuration such as log levels and memory profiling output. Because the flaw is missing authentication (CWE-306) on network-exposed endpoints, exploitation requires no credentials and no user interaction; publicly available exploit code exists, though the issue is not listed in CISA KEV. VulnCheck reported it and the vendor fixed it in commit 4e20551.
Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.
Same-Origin Policy bypass in Lightpanda headless browser before 0.3.1 allows an attacker-controlled site to impersonate an arbitrary victim origin. Because origin computation searched for the '@' userinfo delimiter across the entire URL string rather than only the authority component, a URL like http://attacker.com/@victim.com/ was fetched from attacker.com yet treated as origin http://victim.com, breaking the fundamental web isolation boundary. No public exploit identified at time of analysis and not listed in CISA KEV, but the CVSS 9.3 rating and the trivial, deterministic nature of the parsing flaw make it a high-priority fix for any automation pipeline using Lightpanda.
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
File Browser prior to 2.63.17 retains stale public directory share records after a shared directory is deleted via a trailing-slash path, because the Bolt storage backend queries for shares using the unnormalized path before trimming the slash - causing the exact-match share record (stored as '/a') to be missed by a query against '/a/'. If the directory is subsequently recreated at the same path, any holder of the original share URL immediately gains unauthorized read access to the new directory contents. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Server-side template injection in Frappe ERPNext (versions before 15.111.0 and 16.22.0) lets an authenticated user holding only a standard operational role inject a malicious template payload into a configuration field, causing the server to render it and disclose data the user is not authorized to see. Because the flaw is rooted in an authorization failure (CWE-863), it effectively bypasses ERPNext's role/permission boundaries. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a fixed release is available from the vendor.
Account takeover in Penpot before 2.14.5 allows an authenticated registered user to hijack any non-blocked profile without knowing its password. The flaw chains three defects: create-team-invitations leaks invitation tokens, prepare-register-profile embeds an existing profile's id into the prepared-register JWE, and register-profile then mints a session on an invitation email match while skipping password verification (CWE-287). No public exploit has been identified, but the fix commit and PR diff are public and the CVSS base score is 9.9.
Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identity provider identity to log in as an arbitrary local user by asserting that user's email address. The flaw exists because the SSO login flow validated the IdP 'email_verified' claim only during new-user creation, but skipped it when SSO_SIGNUPS_MATCH_EMAIL=true linked an incoming IdP identity to a pre-existing local account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 1.36.0.
Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the `/organizations/domain/sso/verified` endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the `prevalidate()` flow without legitimate credentials. No public exploit code is identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. This is an authenticated (PR:L) authorization flaw with no public exploit identified at time of analysis and no CISA KEV listing; EPSS data was not provided.
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugin reverse-call endpoints, because /api/invoke/* trusts tokens signed with INVOKE_TOKEN_SECRET whose default value is the literal string 'token' and which official deployment templates never set. By self-signing an HS256 JWT, an attacker can call /api/invoke/userInfo to read cross-tenant user PII via arbitrary tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. No public exploit identified at time of analysis and not listed in CISA KEV, but the trivial exploitation and hardcoded-secret root cause make this high priority for self-hosted deployments.
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is a missing-authentication (CWE-306) authentication-bypass class issue with high confidentiality, integrity, and availability impact to the affected session.
Authentication bypass in HKUDS LightRAG before 1.5.4 lets a remote unauthenticated attacker defeat X-API-Key protection when the server runs in the API-key-only profile (LIGHTRAG_API_KEY set, AUTH_ACCOUNTS unset). Because auth.py falls back to a public hardcoded DEFAULT_TOKEN_SECRET and /auth-status and /login freely mint guest JWTs, combined_dependency honored a guest token before ever checking the API key, exposing document read/upload/delete, graph mutation, and query endpoints. No public exploit is identified at time of analysis, but the underlying fix (PR #3319) ships a regression test showing that forging a valid guest token with the default secret is trivial; fixed in 1.5.4.
Missing authorization on device receiver endpoints in ICU Scandinavia Boomerang exposes facility and quality-assurance installations to unauthenticated read and write access over adjacent networks. Any attacker with network adjacency can retrieve complete facility configurations and inject arbitrary data into the sensor database without supplying credentials, violating both confidentiality and integrity of operational sensor records. No public exploit has been identified at time of analysis, but CERT-PL's coordinated disclosure and a vendor-confirmed patch in version 2.4.18.029 indicate a concrete, addressable risk for organizations running unpatched deployments.
Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. No public exploit identified at time of analysis and it is not listed in CISA KEV.
ImageMagick's `-script` operation bypasses the configured security policy file path restrictions in versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.9.13-x branch), enabling a local attacker with low privileges to read files from paths explicitly denied by the security policy. The CVSS 4.0 score of 4.8 reflects the local-only attack surface, low-privilege requirement, and confidentiality-only impact with no code execution possible. No public exploit code has been identified and this vulnerability is not confirmed actively exploited (CISA KEV).
Denial of service in Grav CMS 2.0.1 lets a trusted package source or admin-level uploader bypass the newly added decompression-bomb size cap and exhaust disk space or inodes on the host. The 2.0.1 cap trusts the attacker-forgeable uncompressed size declared in each ZIP central-directory entry rather than the actual inflated stream, so a crafted archive declaring tiny sizes slips past the check while extraction writes the real, far larger payload. This is an incomplete fix for GHSA-928x-9mpw-8h56, corrected in 2.0.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken authorization in PraisonAI Platform before 0.1.9 lets any authenticated workspace member modify shared label taxonomy and issue-label associations they should not control, renaming and recoloring shared labels and adding or removing labels on issues created by owners or admins. The flaw (CWE-862, missing authorization) stems from label PATCH and issue-label POST/DELETE endpoints trusting workspace membership without enforcing owner/admin role checks. Reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not in CISA KEV.
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.received' events when the framework runs in AgentMail webhook mode. Because incoming payloads are trusted without validating the Svix signature (CWE-287), an attacker can POST crafted JSON to the webhook endpoint and cause configured agents to process attacker-chosen sender addresses and message bodies. A vendor patch exists (4.6.78); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invocation endpoints when the deployment runs with PRAISONAI_CALL_AUTH=disabled. Because the localhost-only safeguard derives the bind host from the client-supplied HTTP Host header, an attacker on the network can send a spoofed 'Host: 127.0.0.1' header to defeat the restriction and both enumerate and invoke registered agents. Vendor patch is available (reported by VulnCheck); no public exploit identified at time of analysis and it is not listed in CISA KEV.
PraisonAI's tool approval caching mechanism in versions before 1.6.78 allows an attacker who influences an AI agent's behavior within a session to bypass human-in-the-loop oversight by reusing a single user-granted approval across tool calls with entirely different, unreviewed arguments. The flaw (CWE-863: Incorrect Authorization) directly undermines the security boundary that tool approval is designed to enforce, enabling arbitrary file write operations after approval of a benign operation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog; however, the CVSS 4.0 score of 6.9 with high integrity impact reflects meaningful risk for any deployment relying on tool approval as a control.
Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.
Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.
Authentication bypass in the n8n Chat Trigger node allows unauthenticated network access to protected webhook endpoints when the node is explicitly configured with n8n User Auth - a non-default operator setting. Affected releases span all 1.x builds before 1.123.22, the entire 2.0.0-2.9.2 range, and 2.10.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P correctly reflects that real-world exposure is bounded by the non-default configuration prerequisite.
Input validation bypass in n8n's Guardrail node (versions before 2.10.0) allows end users interacting with affected workflows to circumvent AI safety guardrail instructions through crafted inputs, undermining workflow integrity. Any n8n deployment running a workflow that incorporates the Guardrail node is exposed; instances not using that node are entirely unaffected regardless of version. No public exploit code has been identified and this CVE does not appear in CISA KEV; a vendor-confirmed patch is available in n8n 2.10.0.
Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. No public exploit has been identified at time of analysis; vendor-released patch v5.14.0 is available and confirmed.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.
Authentication bypass in the Shibboleth WordPress plugin before 2.5.4 lets remote unauthenticated attackers forge identity headers and log in when the HTTP header identity mode is enabled without an anti-spoofing key. Because the plugin fails open rather than closed, any request carrying identity headers is trusted as an authenticated session, and with automatic account creation plus the default administrator role mapping an attacker can provision and sign in as a brand-new administrator. Rated CVSS 8.1 (CWE-287); publicly available exploit code exists (WPScan), but it is not listed in CISA KEV.
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.
Arbitrary physical memory read/write in the ASUS System Control Interface (v3 and legacy) and ASUS Business Manager driver allows a local administrator to issue crafted IOCTL requests that bypass OS-enforced memory protections, per an ASUS-published advisory. The flaw (CWE-822, Untrusted Pointer Dereference) turns the signed ASUS driver into a read/write primitive over physical memory, enabling privilege escalation from admin to kernel and potential defense evasion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.
Authentication bypass in Ciena Navigator Network Control Suite (NCS 8.1), Manage Control Plane (MCP ≤ 8.0), and Blue Planet components (Inventory, Orchestration, Route Optimization & Analysis, Unified Assurance & Analytics, Planner Plus) allows an unauthenticated network attacker to manipulate HTTP request paths and headers to reach protected functionality while also evading audit logging. Rated CVSS 9.8 with a fully remote, low-complexity, no-interaction vector, this flaw hands attackers administrative-level access to carrier-grade network control and orchestration platforms. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the trivial exploitation profile makes it a high-priority patch for affected operators.
Incorrect access control in CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows any authenticated low-privilege user to invoke the /api/License/deactivateOffline endpoint and strip the server's license, rendering the service inoperable. The flaw (CWE-284) grants low-privileged accounts an action that should be restricted to administrative roles, providing a trivial denial-of-service primitive against industrial plant visualization infrastructure. No public exploit identified at time of analysis, though a researcher disclosure post on Medium appears to document the discovery.
Missing authorization on the `/api/v1/users/` backend user endpoint in xianyu-auto-reply allows remote unauthenticated attackers to access or manipulate user account data without any credentials. The flaw (CWE-862) affects all commits up to dcb445ad97816ad65299a7580ee0c8c8f929da84 in this FastAPI-based Python backend for automating Xianyu marketplace replies. A public exploit exists (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV; the vendor-issued patch commit is the recommended remediation given the project's rolling release model.
CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Security feature bypass in Adobe ColdFusion allows a low-privileged, network-based attacker to defeat access controls and obtain unauthorized read access to data outside their intended authorization boundary. Adobe PSIRT classifies the root cause as improper input validation and tags it an authentication bypass; the CVSS 3.1 score is 7.7 with a changed scope, reflecting impact that crosses a security boundary. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.
Arbitrary code execution in Adobe ColdFusion allows an attacker with low-privileged access on an adjacent network to bypass authorization controls (CWE-863) and run code in the context of the current user, with a scope change that lets the impact extend beyond the vulnerable component. Adobe PSIRT reported the flaw and published advisory APSB26-82; it is tagged as RCE and authentication bypass with a CVSS 3.1 base score of 9.0. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the incorrect-authorization-to-RCE pattern in ColdFusion has historically drawn rapid attacker interest.
Missing authentication in Adobe ColdFusion allows an unauthenticated attacker on an adjacent network to trigger arbitrary code execution in the context of the current user, without any user interaction. The flaw (CWE-306) bypasses authentication on a critical function and carries a scope change, meaning the impact reaches beyond the vulnerable component. There is no public exploit identified at time of analysis, but the issue was reported by Adobe PSIRT and addressed in advisory APSB26-82.
Privilege escalation in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows a remote, unauthenticated attacker to bypass authorization checks and gain unauthorized read and write access. Because the CVSS vector marks scope as changed (S:C) with PR:N and no user interaction, the attacker can act beyond the ColdFusion application boundary, yielding the maximum CVSS base score of 10.0. No public exploit is identified at time of analysis, and EPSS is low at 0.24% (15th percentile), indicating no observed weaponization yet despite the critical rating.
Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.
Navigation input validation bypass in Google Chrome prior to 150.0.7871.125 enables a remote attacker who has already compromised the renderer process to circumvent navigation restrictions through a crafted HTML page. The flaw is classified as a second-stage, chained exploit - the attacker must first achieve renderer process compromise before this vulnerability becomes exploitable. With integrity rated High (I:H) and no confidentiality or availability impact, the practical danger is unauthorized navigation control, potentially enabling redirect-based phishing, cross-origin frame manipulation, or security boundary bypass. No public exploit code or active exploitation has been identified at time of analysis; EPSS probability stands at 0.26% (17th percentile), consistent with low current threat activity.
Same Origin Policy bypass in Google Chrome's V8 JavaScript engine (prior to 150.0.7871.125) allows a remote attacker to cross origin security boundaries via a crafted HTML page, enabling high-impact integrity violations against cross-origin content. Exploitation requires the victim to visit the malicious page (UI:R), limiting automated mass exploitation - a constraint confirmed by SSVC's Automatable:no finding. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; EPSS at 0.26% (17th percentile) is consistent with no observed active exploitation at time of analysis.
Same-origin policy bypass in Google Chrome prior to 150.0.7871.125 enables remote attackers to manipulate cross-origin content integrity through the browser's HTML-in-Canvas rendering subsystem. Exploitation requires a victim to visit a crafted HTML page, making this a socially-engineered attack rather than a fully autonomous one. No active exploitation has been recorded (CISA KEV: absent, SSVC exploitation: none), and EPSS sits at 0.26% - indicating low real-world exploitation activity at time of analysis.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Missing authentication in NVIDIA TensorRT-LLM for Linux lets an attacker reach the disaggregated orchestrator's FastAPI server directly and read, write, or delete internal cluster state, resulting in information disclosure, data tampering, and denial of service. The flaw (CWE-306) affects the orchestration layer that coordinates disaggregated prefill/decode inference workers. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.3 with a local attack vector despite the request-based nature of the issue.
Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.
Local privilege escalation in ESET Inspect Connector for Windows lets a low-privileged local user escalate to elevated (SYSTEM-level) privileges by abusing an improperly authenticated ALPC (Asynchronous Local Procedure Call) IPC channel. The affected component is the endpoint agent that links ESET Inspect (EDR) to protected Windows hosts; a non-privileged process can issue unauthenticated requests to a privileged service endpoint that fails to verify the caller. The issue was reported and fixed by ESET, is not listed in CISA KEV, and has no public exploit identified at time of analysis.
Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.
Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified at time of analysis.
Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Improper TLS hostname verification in the Snowflake Connector for Python (versions before 4.7.1) lets an on-path attacker defeat HTTPS certificate validation, accepting any certificate signed by any trusted CA regardless of the requested hostname. An adversary who can intercept traffic can decrypt and tamper with connector sessions, exposing Snowflake credentials, query results, and staged file data, and can inject arbitrary SQL bounded by the victim role's privileges. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the reporting vendor (Snowflake) rates it CVSS 4.0 9.2.
Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.
Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. This is a confirmed bypass of the incomplete authorization fix shipped in version 0.93.0 for CVE-2025-11377, indicating the root authorization flaw was never fully remediated. No public exploit code or CISA KEV listing is identified at time of analysis.
Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. No public exploit code has been identified at time of analysis, and the constrained impact (only one hardcoded plugin can be installed, not arbitrary ones) meaningfully limits real-world severity despite the low authentication requirement.
Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes.
Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.
Missing authentication in @andrea9293/mcp-documentation-server v1.13.0 exposes its document-management Web UI/API on all network interfaces (0.0.0.0:3080) instead of localhost, letting any adjacent-network client read, add, search, and delete documents in the MCP knowledge base without credentials. Rated CVSS 8.8 (CWE-306), the flaw is exploitable by unauthenticated attackers reachable over the same LAN, VM network, Docker bridge, or VPN. A detailed proof-of-concept exists in the reporter's advisory, though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV; the vendor fixed it in v1.13.1.
Cross-user state leakage in Lookyloo's PlaywrightCapture Python library allows one capture operation to inherit sensitive data from another when multiple Capture objects run within the same Python process. Because capture-specific settings (HTTP headers, cookies, browser storage, HTTP credentials, proxy, user-agent, geolocation) were stored as mutable class-level rather than instance-level variables, a concurrent or subsequent capture in a multi-user deployment can disclose or reuse another user's authentication cookies, credentials, and captured request data. Exploitation requires low privileges (PR:L, a legitimate user of a shared deployment); a vendor patch exists (commit 1e354b9) and no public exploit identified at time of analysis.
Sandbox escape with SYSTEM-level code execution in Sandboxie-Plus before 1.17.6 allows a process confined inside a sandbox to run arbitrary code in an unsandboxed host process. The privileged GuiServer service trusts attacker-supplied thread and function-pointer values from a GUI window-hook registration request and dispatches them via QueueUserAPC while running as SYSTEM, defeating the core isolation guarantee of the product. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the mechanism is a full sandbox-to-host escape.
Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).
Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the bypass is trivially reproducible with a single HTTP header manipulation.
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.
Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).
Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.
Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.
Privilege escalation in TDengine Enterprise (prior to 3.4.1.15) allows any authenticated low-privilege SQL user to abort active shared-storage migrations by issuing KILL SSMIGRATE commands that should be restricted to administrators. The MND_OPER_SSMIGRATE_DB privilege gate was inadvertently commented out in mndProcessKillSsMigrateReq, collapsing authorization enforcement entirely for this operation. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in version 3.4.1.15.
Network policy bypass in Cilium 1.19.0-1.19.4 allows workloads inside a Kubernetes namespace to reach peers that CIDR-based ipBlock NetworkPolicies should block. The flaw surfaces exclusively when Cilium is deployed with a custom clusterName (any value other than the default 'any'): the network-policy parser in parseNetworkPolicyPeer erroneously instantiates an empty pod selector for selectorless ipBlock peers, which compiles into a wildcard namespace-allow rule instead of a pure CIDR rule. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-namespace traffic mirroring in Cilium's Gateway API implementation allows authenticated Kubernetes users holding HTTPRoute create or update permissions to duplicate HTTP traffic to arbitrary Services in any namespace, bypassing the ReferenceGrant authorization mechanism intended to enforce cross-namespace access control. Affected branches are Cilium 1.17.x before 1.17.17, 1.18.x before 1.18.11, and 1.19.x before 1.19.5. No public exploit or active exploitation has been identified at time of analysis; the attack surface is significantly narrowed by Gateway API being disabled by default and exploitation requiring elevated Kubernetes RBAC permissions.
Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.
Unauthorized access in Dell ThinOS 10 (versions prior to 2605_10.2100) stems from an obsolete UI feature (CWE-448) that a low-privileged local attacker can abuse to bypass authentication controls. With valid low-level local access to the thin-client, an attacker can leverage the leftover interface path to reach functionality or data they should not have, yielding high confidentiality, integrity, and availability impact per the CVSS 7.8 (High) rating. No public exploit identified at time of analysis; the flaw was reported by Dell and disclosed in advisory DSA-2026-300.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
Protection mechanism failure in Dell ThinOS 10 (versions prior to 2605_10.2100) allows an unauthenticated attacker with physical device access to bypass encryption controls and gain unauthorized read and write access to data stored on the thin client. The flaw, classified as CWE-693, indicates the encryption or authentication protection subsystem can be circumvented without any credentials, consistent with the Authentication Bypass tag and CVSS PR:N rating. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the physical access constraint limits but does not eliminate risk in environments with unattended or theft-prone thin clients.
mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner by abusing the PUT /albums/:id/user/:userId endpoint (CWE-863, Incorrect Authorization). Because the endpoint fails to enforce owner-only restrictions on role changes, an editor can demote the legitimate owner and promote themselves across two sequential requests, gaining deletion and member-eviction control over the album and its assets. Publicly available exploit code exists and a vendor patch (v3.0.3) has shipped, though it is not currently listed in CISA KEV.
Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. Publicly available exploit code exists and a vendor patch (commit 8f79035) is available; there is no CISA KEV listing, so exploitation is not confirmed as active.
Authorization bypass in FastGPT's workflow engine allows any authenticated platform user to invoke another user's private HTTP toolsets by crafting a workflow node ID in the form http-<victim_toolset_app_id>/<tool_name>. Affected versions span 4.14.17 through pre-4.15.0-beta5; the normal toolset access routes enforce ownership, but the workflow save path and the /api/v2/chat/completions runtime endpoint omit the same check, enabling cross-tenant tool execution. No public exploit code or CISA KEV listing exists at time of analysis; the AC:H vector reflects that exploitation requires prior knowledge of a victim's toolset app ID.
Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. Publicly available exploit code exists and a vendor patch (commit 564cc30) is available, but this is not listed in CISA KEV and there is no public exploit identified as actively exploited in the wild.
MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.
Unauthenticated information disclosure in GPUStack through version 2.2.1 lets remote attackers reach the worker port's unprotected /serveLogs and /debug endpoints to stream live inference logs - including user prompts and model completions - and to alter worker runtime configuration such as log levels and memory profiling output. Because the flaw is missing authentication (CWE-306) on network-exposed endpoints, exploitation requires no credentials and no user interaction; publicly available exploit code exists, though the issue is not listed in CISA KEV. VulnCheck reported it and the vendor fixed it in commit 4e20551.
Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.
Same-Origin Policy bypass in Lightpanda headless browser before 0.3.1 allows an attacker-controlled site to impersonate an arbitrary victim origin. Because origin computation searched for the '@' userinfo delimiter across the entire URL string rather than only the authority component, a URL like http://attacker.com/@victim.com/ was fetched from attacker.com yet treated as origin http://victim.com, breaking the fundamental web isolation boundary. No public exploit identified at time of analysis and not listed in CISA KEV, but the CVSS 9.3 rating and the trivial, deterministic nature of the parsing flaw make it a high-priority fix for any automation pipeline using Lightpanda.
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
File Browser prior to 2.63.17 retains stale public directory share records after a shared directory is deleted via a trailing-slash path, because the Bolt storage backend queries for shares using the unnormalized path before trimming the slash - causing the exact-match share record (stored as '/a') to be missed by a query against '/a/'. If the directory is subsequently recreated at the same path, any holder of the original share URL immediately gains unauthorized read access to the new directory contents. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Server-side template injection in Frappe ERPNext (versions before 15.111.0 and 16.22.0) lets an authenticated user holding only a standard operational role inject a malicious template payload into a configuration field, causing the server to render it and disclose data the user is not authorized to see. Because the flaw is rooted in an authorization failure (CWE-863), it effectively bypasses ERPNext's role/permission boundaries. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a fixed release is available from the vendor.
Account takeover in Penpot before 2.14.5 allows an authenticated registered user to hijack any non-blocked profile without knowing its password. The flaw chains three defects: create-team-invitations leaks invitation tokens, prepare-register-profile embeds an existing profile's id into the prepared-register JWE, and register-profile then mints a session on an invitation email match while skipping password verification (CWE-287). No public exploit has been identified, but the fix commit and PR diff are public and the CVSS base score is 9.9.
Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identity provider identity to log in as an arbitrary local user by asserting that user's email address. The flaw exists because the SSO login flow validated the IdP 'email_verified' claim only during new-user creation, but skipped it when SSO_SIGNUPS_MATCH_EMAIL=true linked an incoming IdP identity to a pre-existing local account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 1.36.0.
Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the `/organizations/domain/sso/verified` endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the `prevalidate()` flow without legitimate credentials. No public exploit code is identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. This is an authenticated (PR:L) authorization flaw with no public exploit identified at time of analysis and no CISA KEV listing; EPSS data was not provided.
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugin reverse-call endpoints, because /api/invoke/* trusts tokens signed with INVOKE_TOKEN_SECRET whose default value is the literal string 'token' and which official deployment templates never set. By self-signing an HS256 JWT, an attacker can call /api/invoke/userInfo to read cross-tenant user PII via arbitrary tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. No public exploit identified at time of analysis and not listed in CISA KEV, but the trivial exploitation and hardcoded-secret root cause make this high priority for self-hosted deployments.
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is a missing-authentication (CWE-306) authentication-bypass class issue with high confidentiality, integrity, and availability impact to the affected session.
Authentication bypass in HKUDS LightRAG before 1.5.4 lets a remote unauthenticated attacker defeat X-API-Key protection when the server runs in the API-key-only profile (LIGHTRAG_API_KEY set, AUTH_ACCOUNTS unset). Because auth.py falls back to a public hardcoded DEFAULT_TOKEN_SECRET and /auth-status and /login freely mint guest JWTs, combined_dependency honored a guest token before ever checking the API key, exposing document read/upload/delete, graph mutation, and query endpoints. No public exploit is identified at time of analysis, but the underlying fix (PR #3319) ships a regression test showing that forging a valid guest token with the default secret is trivial; fixed in 1.5.4.
Missing authorization on device receiver endpoints in ICU Scandinavia Boomerang exposes facility and quality-assurance installations to unauthenticated read and write access over adjacent networks. Any attacker with network adjacency can retrieve complete facility configurations and inject arbitrary data into the sensor database without supplying credentials, violating both confidentiality and integrity of operational sensor records. No public exploit has been identified at time of analysis, but CERT-PL's coordinated disclosure and a vendor-confirmed patch in version 2.4.18.029 indicate a concrete, addressable risk for organizations running unpatched deployments.
Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. No public exploit identified at time of analysis and it is not listed in CISA KEV.
ImageMagick's `-script` operation bypasses the configured security policy file path restrictions in versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.9.13-x branch), enabling a local attacker with low privileges to read files from paths explicitly denied by the security policy. The CVSS 4.0 score of 4.8 reflects the local-only attack surface, low-privilege requirement, and confidentiality-only impact with no code execution possible. No public exploit code has been identified and this vulnerability is not confirmed actively exploited (CISA KEV).
Denial of service in Grav CMS 2.0.1 lets a trusted package source or admin-level uploader bypass the newly added decompression-bomb size cap and exhaust disk space or inodes on the host. The 2.0.1 cap trusts the attacker-forgeable uncompressed size declared in each ZIP central-directory entry rather than the actual inflated stream, so a crafted archive declaring tiny sizes slips past the check while extraction writes the real, far larger payload. This is an incomplete fix for GHSA-928x-9mpw-8h56, corrected in 2.0.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken authorization in PraisonAI Platform before 0.1.9 lets any authenticated workspace member modify shared label taxonomy and issue-label associations they should not control, renaming and recoloring shared labels and adding or removing labels on issues created by owners or admins. The flaw (CWE-862, missing authorization) stems from label PATCH and issue-label POST/DELETE endpoints trusting workspace membership without enforcing owner/admin role checks. Reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not in CISA KEV.
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.received' events when the framework runs in AgentMail webhook mode. Because incoming payloads are trusted without validating the Svix signature (CWE-287), an attacker can POST crafted JSON to the webhook endpoint and cause configured agents to process attacker-chosen sender addresses and message bodies. A vendor patch exists (4.6.78); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invocation endpoints when the deployment runs with PRAISONAI_CALL_AUTH=disabled. Because the localhost-only safeguard derives the bind host from the client-supplied HTTP Host header, an attacker on the network can send a spoofed 'Host: 127.0.0.1' header to defeat the restriction and both enumerate and invoke registered agents. Vendor patch is available (reported by VulnCheck); no public exploit identified at time of analysis and it is not listed in CISA KEV.
PraisonAI's tool approval caching mechanism in versions before 1.6.78 allows an attacker who influences an AI agent's behavior within a session to bypass human-in-the-loop oversight by reusing a single user-granted approval across tool calls with entirely different, unreviewed arguments. The flaw (CWE-863: Incorrect Authorization) directly undermines the security boundary that tool approval is designed to enforce, enabling arbitrary file write operations after approval of a benign operation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog; however, the CVSS 4.0 score of 6.9 with high integrity impact reflects meaningful risk for any deployment relying on tool approval as a control.
Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.
Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.
Authentication bypass in the n8n Chat Trigger node allows unauthenticated network access to protected webhook endpoints when the node is explicitly configured with n8n User Auth - a non-default operator setting. Affected releases span all 1.x builds before 1.123.22, the entire 2.0.0-2.9.2 range, and 2.10.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P correctly reflects that real-world exposure is bounded by the non-default configuration prerequisite.
Input validation bypass in n8n's Guardrail node (versions before 2.10.0) allows end users interacting with affected workflows to circumvent AI safety guardrail instructions through crafted inputs, undermining workflow integrity. Any n8n deployment running a workflow that incorporates the Guardrail node is exposed; instances not using that node are entirely unaffected regardless of version. No public exploit code has been identified and this CVE does not appear in CISA KEV; a vendor-confirmed patch is available in n8n 2.10.0.
Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. No public exploit has been identified at time of analysis; vendor-released patch v5.14.0 is available and confirmed.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.
Authentication bypass in the Shibboleth WordPress plugin before 2.5.4 lets remote unauthenticated attackers forge identity headers and log in when the HTTP header identity mode is enabled without an anti-spoofing key. Because the plugin fails open rather than closed, any request carrying identity headers is trusted as an authenticated session, and with automatic account creation plus the default administrator role mapping an attacker can provision and sign in as a brand-new administrator. Rated CVSS 8.1 (CWE-287); publicly available exploit code exists (WPScan), but it is not listed in CISA KEV.
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.
Arbitrary physical memory read/write in the ASUS System Control Interface (v3 and legacy) and ASUS Business Manager driver allows a local administrator to issue crafted IOCTL requests that bypass OS-enforced memory protections, per an ASUS-published advisory. The flaw (CWE-822, Untrusted Pointer Dereference) turns the signed ASUS driver into a read/write primitive over physical memory, enabling privilege escalation from admin to kernel and potential defense evasion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.
Authentication bypass in Ciena Navigator Network Control Suite (NCS 8.1), Manage Control Plane (MCP ≤ 8.0), and Blue Planet components (Inventory, Orchestration, Route Optimization & Analysis, Unified Assurance & Analytics, Planner Plus) allows an unauthenticated network attacker to manipulate HTTP request paths and headers to reach protected functionality while also evading audit logging. Rated CVSS 9.8 with a fully remote, low-complexity, no-interaction vector, this flaw hands attackers administrative-level access to carrier-grade network control and orchestration platforms. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the trivial exploitation profile makes it a high-priority patch for affected operators.
Incorrect access control in CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows any authenticated low-privilege user to invoke the /api/License/deactivateOffline endpoint and strip the server's license, rendering the service inoperable. The flaw (CWE-284) grants low-privileged accounts an action that should be restricted to administrative roles, providing a trivial denial-of-service primitive against industrial plant visualization infrastructure. No public exploit identified at time of analysis, though a researcher disclosure post on Medium appears to document the discovery.
Missing authorization on the `/api/v1/users/` backend user endpoint in xianyu-auto-reply allows remote unauthenticated attackers to access or manipulate user account data without any credentials. The flaw (CWE-862) affects all commits up to dcb445ad97816ad65299a7580ee0c8c8f929da84 in this FastAPI-based Python backend for automating Xianyu marketplace replies. A public exploit exists (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV; the vendor-issued patch commit is the recommended remediation given the project's rolling release model.
CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Security feature bypass in Adobe ColdFusion allows a low-privileged, network-based attacker to defeat access controls and obtain unauthorized read access to data outside their intended authorization boundary. Adobe PSIRT classifies the root cause as improper input validation and tags it an authentication bypass; the CVSS 3.1 score is 7.7 with a changed scope, reflecting impact that crosses a security boundary. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.
Arbitrary code execution in Adobe ColdFusion allows an attacker with low-privileged access on an adjacent network to bypass authorization controls (CWE-863) and run code in the context of the current user, with a scope change that lets the impact extend beyond the vulnerable component. Adobe PSIRT reported the flaw and published advisory APSB26-82; it is tagged as RCE and authentication bypass with a CVSS 3.1 base score of 9.0. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the incorrect-authorization-to-RCE pattern in ColdFusion has historically drawn rapid attacker interest.
Missing authentication in Adobe ColdFusion allows an unauthenticated attacker on an adjacent network to trigger arbitrary code execution in the context of the current user, without any user interaction. The flaw (CWE-306) bypasses authentication on a critical function and carries a scope change, meaning the impact reaches beyond the vulnerable component. There is no public exploit identified at time of analysis, but the issue was reported by Adobe PSIRT and addressed in advisory APSB26-82.
Privilege escalation in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows a remote, unauthenticated attacker to bypass authorization checks and gain unauthorized read and write access. Because the CVSS vector marks scope as changed (S:C) with PR:N and no user interaction, the attacker can act beyond the ColdFusion application boundary, yielding the maximum CVSS base score of 10.0. No public exploit is identified at time of analysis, and EPSS is low at 0.24% (15th percentile), indicating no observed weaponization yet despite the critical rating.
Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.
Navigation input validation bypass in Google Chrome prior to 150.0.7871.125 enables a remote attacker who has already compromised the renderer process to circumvent navigation restrictions through a crafted HTML page. The flaw is classified as a second-stage, chained exploit - the attacker must first achieve renderer process compromise before this vulnerability becomes exploitable. With integrity rated High (I:H) and no confidentiality or availability impact, the practical danger is unauthorized navigation control, potentially enabling redirect-based phishing, cross-origin frame manipulation, or security boundary bypass. No public exploit code or active exploitation has been identified at time of analysis; EPSS probability stands at 0.26% (17th percentile), consistent with low current threat activity.
Same Origin Policy bypass in Google Chrome's V8 JavaScript engine (prior to 150.0.7871.125) allows a remote attacker to cross origin security boundaries via a crafted HTML page, enabling high-impact integrity violations against cross-origin content. Exploitation requires the victim to visit the malicious page (UI:R), limiting automated mass exploitation - a constraint confirmed by SSVC's Automatable:no finding. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; EPSS at 0.26% (17th percentile) is consistent with no observed active exploitation at time of analysis.
Same-origin policy bypass in Google Chrome prior to 150.0.7871.125 enables remote attackers to manipulate cross-origin content integrity through the browser's HTML-in-Canvas rendering subsystem. Exploitation requires a victim to visit a crafted HTML page, making this a socially-engineered attack rather than a fully autonomous one. No active exploitation has been recorded (CISA KEV: absent, SSVC exploitation: none), and EPSS sits at 0.26% - indicating low real-world exploitation activity at time of analysis.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Missing authentication in NVIDIA TensorRT-LLM for Linux lets an attacker reach the disaggregated orchestrator's FastAPI server directly and read, write, or delete internal cluster state, resulting in information disclosure, data tampering, and denial of service. The flaw (CWE-306) affects the orchestration layer that coordinates disaggregated prefill/decode inference workers. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.3 with a local attack vector despite the request-based nature of the issue.