Skip to main content

Authentication Bypass

31228 CVEs technique

Monthly

CVE-2026-20896 CRITICAL PATCH NEWS Act Now

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.

Authentication Bypass Gitea Docker Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-14608 LOW Monitor

Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14614 MEDIUM This Month

Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-14613 MEDIUM This Month

Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.

Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 Authentication Bypass +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14460 HIGH PATCH This Week

Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.

Authentication Bypass Pardus Software
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-59234 MEDIUM PATCH This Month

{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-46730 MEDIUM PATCH This Month

Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.

Authentication Bypass Dell Data Domain Operating System
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-41123 MEDIUM PATCH This Month

Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.

Authentication Bypass Dell Data Domain Operating System
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44268 MEDIUM PATCH This Month

Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.

Authentication Bypass Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-44269 MEDIUM PATCH This Month

Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.

Authentication Bypass Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-35159 MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure Inspiron 15 3520 G15 5530 +175
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11398 MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11900 MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9230 MEDIUM This Month

{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9180 MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP Motopress Appointment Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12557 MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-12729 MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13768 CRITICAL PATCH CISA Act Now

Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.5
EPSS
0.6%
CVE-2026-13728 MEDIUM This Month

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.

Authentication Bypass Watchguard Fireware Os
NVD VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-13722 HIGH This Week

Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.

Authentication Bypass Jwt Attack Watchguard Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54998 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-26145 CRITICAL PATCH NEWS NO ACTION Monitor

Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.

Authentication Bypass Microsoft Azure Synapse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-49353 npm HIGH PATCH GHSA This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49352 npm CRITICAL PATCH GHSA Act Now

Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.

Authentication Bypass OpenSSL
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-49292 PyPI LOW GHSA Monitor

Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.

Authentication Bypass
NVD GitHub
CVE-2026-54617 Maven CRITICAL GHSA Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx Java Information Disclosure
NVD GitHub
CVSS 3.1
9.8
CVE-2026-52830 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
9.4
EPSS
0.4%
CVE-2026-49283 PHP HIGH PATCH GHSA This Week

Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.7
CVE-2026-52735 Cargo CRITICAL PATCH GHSA Act Now

Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.

Authentication Bypass
NVD GitHub
CVE-2026-59100 LOW POC PATCH Monitor

Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-59098 HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59097 MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59092 HIGH PATCH This Week

Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Denial Of Service Juicefs
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-58580 MEDIUM This Month

Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-49254 Go LOW POC PATCH GHSA Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis Docker Information Disclosure
NVD GitHub
CVE-2026-49852 PyPI HIGH POC PATCH GHSA This Week

Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.

Authentication Bypass Python Canonical Redis
NVD GitHub VulDB
CVE-2026-8699 HIGH PATCH This Week

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.

Authentication Bypass XSS Information Disclosure
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-50149 Go MEDIUM PATCH GHSA This Month

JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-50282 PHP MEDIUM PATCH GHSA This Month

Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-54887 MEDIUM PATCH This Month

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.

Authentication Bypass Otp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-50027 PyPI CRITICAL POC PATCH GHSA Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.8
CVE-2026-55119 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Talk Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55114 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56842 HIGH PATCH This Week

Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55116 CRITICAL PATCH Act Now

Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.

Authentication Bypass Ubiquiti Dream Machines Enterprise Fortress Gateway Dream Wall +4
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-55118 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55112 HIGH PATCH This Week

Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.

Authentication Bypass Ubiquiti Dream Machines Dream Wall Dream Routers +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-50746 CRITICAL PATCH NEWS Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection Unifi Connect Application
NVD
CVSS 3.1
10.0
EPSS
0.8%
CVE-2026-54400 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-54408 CRITICAL PATCH Act Now

Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-54409 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54407 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-8079 HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Information Disclosure Flowmon
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-9272 HIGH This Week

SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass SQLi Flowmon Ads
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-45045 Go MEDIUM PATCH GHSA This Month

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.

Authentication Bypass Nginx Node.js Apache
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-4767 CRITICAL Act Now

Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).

Authentication Bypass Waf Asp
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-58653 PyPI MEDIUM PATCH This Month

Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57760 MEDIUM This Month

Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57750 MEDIUM This Month

Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.

Authentication Bypass Ez Form Calculator Premium
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57746 HIGH This Week

Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.

Authentication Bypass Booked
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57731 MEDIUM This Month

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.

Authentication Bypass Flatsome
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57730 MEDIUM This Month

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.

Authentication Bypass Flatsome
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57689 MEDIUM This Month

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.

Authentication Bypass Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57688 HIGH This Week

Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Pos Entegrat R
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-57685 MEDIUM This Month

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.

Authentication Bypass WordPress Martfury Woocommerce Marketplace Wordpress Theme
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57680 MEDIUM This Month

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.

Authentication Bypass Kirki
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57669 MEDIUM This Month

Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.

Authentication Bypass Advanced Contact Form 7 Db
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57355 MEDIUM This Month

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.

Authentication Bypass Classified Listing
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57353 MEDIUM This Month

Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.

Authentication Bypass Link Whisper Premium
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39448 HIGH This Week

Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.

Authentication Bypass WordPress Nowpayments For Woocommerce
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-27433 MEDIUM This Month

Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.

Authentication Bypass Motors
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-69134 HIGH This Week

Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass WordPress Openai Chatbot For Wordpress Helper
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-66076 MEDIUM This Month

Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.

Authentication Bypass Woostify Sites Library
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-12472 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-11896 MEDIUM This Month

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-12134 MEDIUM This Month

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.

Authentication Bypass WordPress Joomsport For Sports
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-12122 MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-13459 MEDIUM This Month

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.

Authentication Bypass WordPress Jetformbuilder Dynamic Blocks Form Builder
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-12657 MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2026-9188 MEDIUM This Month

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.

Authentication Bypass WordPress Appointment Bookings For Zoom Googlemeet And More Wappointment
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-8147 HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
CVSS 3.0
8.1
EPSS
0.3%
CVE-2026-5348 MEDIUM This Month

Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11600 MEDIUM This Month

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11592 MEDIUM This Month

Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57272 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.

Authentication Bypass Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13125 HIGH This Week

Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.

Authentication Bypass Geowebplayer
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-50280 PHP MEDIUM PATCH GHSA This Month

Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-50279 PHP HIGH PATCH GHSA This Week

Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-50284 PHP HIGH PATCH GHSA This Week

Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-50283 PHP MEDIUM PATCH GHSA This Month

Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.

Authentication Bypass Gitea Docker +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.

Authentication Bypass PHP
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.

Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.

Authentication Bypass Pardus Software
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.

Authentication Bypass Dell Data Domain Operating System
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.

Authentication Bypass Dell Data Domain Operating System
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.

Authentication Bypass Dell Powerprotect Data Domain
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.

Authentication Bypass Dell Powerprotect Data Domain
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure +177
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
EPSS 1% CVSS 9.5
CRITICAL PATCH Act Now

Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.

Authentication Bypass Watchguard Fireware Os
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.

Authentication Bypass Jwt Attack Watchguard +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH NO ACTION Monitor

Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.

Authentication Bypass Microsoft Azure Synapse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.

Authentication Bypass OpenSSL
NVD GitHub
LOW Monitor

Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.

Authentication Bypass
NVD GitHub
CVSS 9.8
CRITICAL Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx +2
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal +1
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass
NVD GitHub
CRITICAL PATCH Act Now

Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.

Authentication Bypass Lobehub
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Denial Of Service Juicefs
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.

Authentication Bypass Lobehub
NVD GitHub VulDB
LOW POC PATCH Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis +2
NVD GitHub
HIGH POC PATCH This Week

Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.

Authentication Bypass Python Canonical +1
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.

Authentication Bypass XSS Information Disclosure
NVD
CVSS 6.5
MEDIUM PATCH This Month

JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.

Authentication Bypass Cms
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.

Authentication Bypass Otp
NVD GitHub VulDB
CVSS 9.8
CRITICAL POC PATCH Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Talk Application
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.

Authentication Bypass Ubiquiti Dream Machines +6
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.

Authentication Bypass Ubiquiti Dream Machines +6
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Information Disclosure Flowmon
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass SQLi Flowmon Ads
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.

Authentication Bypass Nginx Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).

Authentication Bypass Waf Asp
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.

Authentication Bypass Praisonai
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.

Authentication Bypass Ez Form Calculator Premium
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.

Authentication Bypass Booked
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.

Authentication Bypass Flatsome
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.

Authentication Bypass Flatsome
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.

Authentication Bypass Werkstatt
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Pos Entegrat R
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.

Authentication Bypass WordPress Martfury Woocommerce Marketplace Wordpress Theme
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.

Authentication Bypass Kirki
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.

Authentication Bypass Advanced Contact Form 7 Db
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.

Authentication Bypass Classified Listing
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.

Authentication Bypass Link Whisper Premium
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.

Authentication Bypass WordPress Nowpayments For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.

Authentication Bypass Motors
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass WordPress Openai Chatbot For Wordpress Helper
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.

Authentication Bypass Woostify Sites Library
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.

Authentication Bypass WordPress Joomsport For Sports
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.

Authentication Bypass WordPress Jetformbuilder Dynamic Blocks Form Builder
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.

Authentication Bypass WordPress Appointment Bookings For Zoom Googlemeet And More Wappointment
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.

Authentication Bypass Geowebplayer
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.

Authentication Bypass Geowebplayer
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.

Authentication Bypass Cms
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.

Authentication Bypass Cms
NVD GitHub
Prev Page 10 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy