Authentication Bypass
Monthly
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.
Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.
Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.
Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.
{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.
Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.
Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.
Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.
Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.
Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.
WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.
Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.
Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.
Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.
Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.
Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.
Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.
Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.
Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.
Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.
JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.
Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.
The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.
Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.
Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).
Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.
Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.
Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.
Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.
Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.
Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.
Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).
Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.
Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.
Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.
Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.
Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.
Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.
Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.
Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.
Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.
Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.
Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.
Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.
Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.
Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.
Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.
Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.
Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.
Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.
Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.
Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.
Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.
{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.
Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.
Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.
Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.
Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.
Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.
WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.
Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.
Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.
Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.
Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.
Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.
Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.
Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.
Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.
Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.
JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.
Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.
The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.
Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.
Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).
Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.
Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.
Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.
Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.
Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.
Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.
Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).
Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.
Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.
Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.
Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.
Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.
Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.
Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.
Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.
Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.
Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.
Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.
Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.
Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.
Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.
Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.
Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.
Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.
Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.