Skip to main content

Authentication Bypass

31229 CVEs technique

Monthly

CVE-2026-50283 PHP MEDIUM PATCH GHSA This Month

Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-50138 Go HIGH PATCH GHSA This Week

Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. A working proof of concept is published in the GitHub Security Advisory (GHSA-3whc-qvhv-xqjp); publicly available exploit code exists, but there is no public exploit identified as being used in active attacks.

Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
8.1
CVE-2026-53712 Maven HIGH PATCH GHSA This Week

TLS channel-binding downgrade in the ongres scram-client Java library (com.ongres.scram) lets a network man-in-the-middle silently strip SCRAM-SHA-256-PLUS down to plain SCRAM-SHA-256, defeating clients that explicitly require channel binding (e.g. channelBinding=require in pgJDBC). The flaw only bites when the server certificate uses a signature algorithm without a legacy 'WITH' name (Ed25519 or post-quantum), causing an internal NoSuchAlgorithmException to be swallowed and an empty channel-binding value to be treated as 'not offered' rather than a hard failure. Fixed in scram library 3.3; no public exploit identified at time of analysis and the issue is reported by the upstream maintainer via GitHub advisory GHSA-p9jg-fcr6-3mhf.

Authentication Bypass Java
NVD GitHub
CVE-2026-50162 Go MEDIUM PATCH GHSA This Month

Symlink traversal in oras-go's file content store allows writes outside the intended `workingDir` boundary even when `AllowPathTraversalOnWrite=false`. Applications that pull OCI artifacts from untrusted registries where an attacker controls blob titles (`ocispec.AnnotationTitle`) are at risk if any directory component under `workingDir` is a symlink pointing to an external path. No confirmed active exploitation (not in CISA KEV), but a self-contained proof-of-concept was included in the researcher's disclosure, making reproduction straightforward given the prerequisites.

Authentication Bypass Canonical
NVD GitHub
CVE-2026-14340 MEDIUM This Month

Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. The CVSS 4.0 score is 5.3 (medium); no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Enterprise Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-44935 Go CRITICAL PATCH GHSA Act Now

Cross-tenant authorization bypass in Rancher Fleet allows a low-privileged tenant in a multi-tenant environment to read any ConfigMap or Secret across all namespaces of a shared downstream cluster and to deploy cluster-wide resources without being bound to a restricted service account. The flaw (CWE-863, CVSS 9.9) is exploitable by authenticated tenants who abuse valuesFrom in fleet.yaml (via GitRepo) or HelmOp/Bundle resources; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.6%
CVE-2026-49998 Go HIGH PATCH GHSA This Week

Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).

Authentication Bypass Jwt Attack Canonical
NVD GitHub VulDB
CVSS 3.1
8.2
CVE-2026-49997 Cargo MEDIUM PATCH GHSA This Month

SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the `Document::purge_edges` routine fires with permissions explicitly disabled (`opt.clone().with_perms(false)`), meaning the edge table's `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses are never consulted. This is a confirmed authorization bypass (CWE-285) fixed in version 3.1.0; no public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-48815 npm HIGH POC PATCH GHSA This Week

Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.

Authentication Bypass Jwt Attack
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49989 Maven LOW POC PATCH GHSA Monitor

{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.

Authentication Bypass Oracle Java Docker
NVD GitHub
CVE-2026-49981 PHP MEDIUM PATCH GHSA This Month

Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-58517 MEDIUM PATCH This Month

Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. No public exploit or CISA KEV listing has been identified at time of analysis, though the network-accessible, zero-prerequisite attack vector warrants prompt patching.

Authentication Bypass Mediawiki Wikilambda Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-46487 Maven HIGH PATCH GHSA This Week

Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.

Authentication Bypass Elastic Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVE-2026-57721 MEDIUM This Month

Missing authorization controls in the ApplyOnline WordPress plugin (versions through 2.6.7.6) by WP Reloaded allow unauthenticated remote attackers to perform unauthorized write-level actions by exploiting incorrectly configured access control security levels. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against any network-accessible WordPress installation running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low complexity and zero-auth requirement make this straightforward to abuse.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57720 MEDIUM This Month

Missing authorization in the ThumbPress WordPress plugin (Codexpert Inc) through version 6.3.2 allows low-privileged authenticated users to invoke restricted plugin functionality, resulting in limited availability impact against thumbnail or image-size management operations. The CVSS vector (PR:L, A:L) confirms exploitation requires an authenticated session but no elevated role, and produces no confidentiality or integrity loss - only partial disruption. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-56152 MEDIUM This Month

Incorrect Authorization (CWE-863) in Elastic Defend exposes response action data to low-privileged authenticated users who should not have access to it. The flaw, classified under CAPEC-1, arises because access controls on specific functionality are not properly enforced, allowing a user with minimal privileges to read security response action data belonging to other users or roles. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, but the High confidentiality impact (CVSS C:H) means sensitive endpoint response data - such as isolation actions, process kills, or file retrieval outputs - could be disclosed.

Authentication Bypass Elastic Information Disclosure Endpoint Security
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-27409 MEDIUM This Month

Unauthenticated remote attackers can bypass access controls in the Webba Booking WordPress plugin (all versions through 6.4.13) due to missing server-side authorization checks on one or more booking-related endpoints, enabling unauthorized integrity-affecting actions such as creating, modifying, or canceling bookings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero-friction exploitation requiring no credentials or user interaction against any internet-facing WordPress site running the affected plugin. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Authentication Bypass Webba Booking
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-58453 CRITICAL POC Act Now

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

Command Injection Authentication Bypass C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-58029 MEDIUM PATCH This Month

Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.

PHP Mediawiki Authentication Bypass
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-24270 CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service Information Disclosure Aistore Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-58127 CRITICAL POC Act Now

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.

Authentication Bypass RCE Pacsgear Mediawriter
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-58126 CRITICAL POC Act Now

Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.

Authentication Bypass RCE Pacsgear Pacs Scan
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-58399 npm HIGH PATCH GHSA This Week

Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).

Authentication Bypass Module Auth
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-5138 MEDIUM This Month

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding host-edit permissions to retrieve sensitive infrastructure metadata from organizations and locations they are not authorized to access. The root cause is the taxonomy_scope controller method accepting organization and location IDs from nested request parameters without validating them against the caller's authorized tenancy scope, implementing a textbook CWE-639 authorization bypass through user-controlled key. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is identified at time of analysis; however, the low attack complexity and lack of user interaction make this straightforward to exploit for any low-privileged authenticated user in multi-tenant Satellite deployments.

Authentication Bypass Information Disclosure Red Hat Satellite 6
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-5135 MEDIUM This Month

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host-edit permissions to retarget an existing lookup value override to hosts outside their authorized organizational or location scope. The flaw stems from insufficient authorization enforcement on the match field when modified via nested host attributes, allowing an attacker to effectively write configuration overrides to managed hosts they are not permitted to administer. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Red Hat Satellite 6
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-5142 MEDIUM This Month

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_keypairs' permission to bypass taxonomy scoping and retrieve private SSH keys belonging to foreign organizations by directly querying key pair IDs via the API. The flaw is an IDOR (CWE-639) at the multi-tenancy enforcement layer, meaning the isolation contract between tenant organizations is broken for any user granted that permission. No CISA KEV listing or public exploit code has been identified at time of analysis; impact is strictly confidentiality - no write or destructive capability is exposed through this path.

Authentication Bypass Information Disclosure Red Hat Satellite 6
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12374 MEDIUM PATCH This Month

Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.

Authentication Bypass Apple Sdp Client
NVD
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-23537 CRITICAL PATCH Act Now

Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Denial Of Service RCE Feast Feature Server Red Hat Openshift Ai Rhoai
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.6%
CVE-2026-5120 HIGH This Week

Unauthorized cross-user data access in Dassault Systèmes BIOVIA Workbook (Release 2021 through Release 2026) stems from a race condition that lets one authenticated low-privilege user read data belonging to another user. Vendor 3DS tags the flaw as an authentication bypass, and its CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L) reflects network-reachable exploitation by any authenticated account with high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no EPSS or KEV signal supplied.

Authentication Bypass Race Condition Biovia Workbook
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53905 MEDIUM This Month

MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user via a missing authorization check on the `/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure` web API endpoint. Confirmed by CERT-PL in version 25.3.3.1, the flaw allows low-privileged users to retrieve permission hierarchies and internal configuration details intended only for administrators. No active exploitation has been identified, no public exploit code exists, and vendor contact attempts were unsuccessful, leaving the patch timeline and full version impact unresolved.

Authentication Bypass Mco
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53903 MEDIUM This Month

Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.

Authentication Bypass Mco
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14198 CRITICAL PATCH Act Now

Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. No public exploit identified at time of analysis; the flaw is method-agnostic and requires no special preconditions, and the vendor rates it CVSS 9.1.

Authentication Bypass Canonical Fastify Middie
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-27435 MEDIUM PATCH This Month

Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. No public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated and low-complexity attack vector broadens the exposure surface beyond what the medium CVSS score alone conveys.

Authentication Bypass Woffice
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-10539 CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-11387 CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-10096 MEDIUM This Month

Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. The permission_callback validates only generic edit_posts and publish_posts capabilities rather than post ownership, meaning the built-in Author role is sufficient for exploitation. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Qi Blocks
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12435 MEDIUM This Month

Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. An attacker exploiting this flaw can silently deface competitor or victim listings with a site-wide 'Sold' badge while also stripping the `special_car` featured post meta, causing business harm on dealership or classifieds sites. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Motors Car Dealership Classified Listings Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-56016 MEDIUM PATCH This Month

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

Authentication Bypass Cgi
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-11887 MEDIUM POC PATCH This Month

Missing authorization on an AJAX endpoint in the Salon Booking System WordPress plugin (all versions before 10.30.20) allows any authenticated subscriber-level user to modify plugin settings and disable the manual approval workflow for new bookings. A publicly available proof-of-concept exists per WPScan's disclosure, making exploitation straightforward for any registered user on affected sites. No public exploitation (CISA KEV) has been confirmed, and SSVC assessment classifies technical impact as partial with exploitation not yet automated.

WordPress Authentication Bypass Salon Booking System
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-11883 HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11568 HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-1239 HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12579 HIGH This Week

Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). At the time of analysis there is no public exploit identified and the flaw is not listed in CISA KEV; no EPSS value was supplied.

Authentication Bypass As228T
NVD VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-12127 MEDIUM This Month

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass Wpforms Ai Form Builder For Wordpress Contact Forms Payment Forms Survey Form Quiz More
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11988 MEDIUM This Month

Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12113 MEDIUM This Month

Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected `cpabc_appointments_filter_list` AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but a source-level fix appears committed in the plugin's SVN repository (changeset 3581633).

Authentication Bypass WordPress Information Disclosure Appointment Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12902 MEDIUM This Month

Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-13468 HIGH This Week

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Visualizer Tables Charts Manager With Built In Ai Generator
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-12904 MEDIUM This Month

Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. No public exploit code or CISA KEV listing exists at time of analysis; however, the low barrier to exploitation - any registered Contributor can leverage this - makes it relevant for multi-author WordPress sites. EPSS data was not provided in the input.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12133 MEDIUM This Month

Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a valid WordPress account and the limited scope of impact (group record deletion only).

Authentication Bypass WordPress Joomsport For Sports
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7839 CRITICAL Act Now

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. Rated CVSS 9.1 (CWE-798); no public exploit identified at time of analysis, though the credential itself is disclosed in the advisory.

Authentication Bypass Ultravnc
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-50110 CRITICAL PATCH CISA Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-14156 MEDIUM PATCH This Month

Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14155 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 exposes sensitive user data from other origins when a victim visits a specially crafted HTML page that exploits insufficient policy enforcement in the StorageAccessAPI. The API, designed to manage third-party storage access in privacy-restricting browser contexts, fails to enforce cross-origin boundaries correctly, allowing an attacker to read data belonging to unrelated origins. No active exploitation has been confirmed - CVE is absent from CISA KEV, EPSS rates exploitation likelihood at 0.17% (7th percentile), and SSVC classifies exploitation status as none - though the CVSS confidentiality impact is rated High.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14105 MEDIUM PATCH This Month

Same-origin-policy bypass in Google Chrome's Speech component before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page cross origin boundaries via insufficient policy enforcement. No public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); notably, Google's own Chromium team rated this Low severity even though NVD scored it CVSS 9.6, a significant conflict defenders should weigh. Requires user interaction (visiting the page) and affects all Chrome desktop builds prior to the fixed stable release.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14080 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker to circumvent browser navigation controls through crafted malicious network traffic targeting the TabSwitcher component. The flaw stems from insufficient input validation (CWE-20) in the tab management UI and requires user interaction to trigger, limiting its practical reach. With an EPSS score of 0.17% (7th percentile), no public exploit code, no CISA KEV listing, and Chromium's own internal severity rating of Low, real-world exploitation risk is minimal despite network reachability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14079 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Network component (versions prior to 150.0.7871.47) allows a remote attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw, rooted in CWE-346 (Origin Validation Error), enables unauthorized cross-origin integrity impacts - an attacker can cause a browser to act on or submit data across origin boundaries it should enforce. With an EPSS of 0.18% at the 8th percentile, no CISA KEV listing, and no public exploit identified, active exploitation risk is low at this time, though Chrome's ubiquitous deployment ensures broad attack surface if exploitation techniques mature.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14076 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-level policy enforcement by delivering a crafted HTML page to a victim. The Chrome security team internally rated this as Low severity, consistent with the CVSS 4.3 score and an impact limited to integrity (I:L) with no confidentiality or availability consequences. No public exploit code or active exploitation has been identified; EPSS places this in the 8th percentile of exploitation likelihood.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14075 MEDIUM PATCH This Month

No-referrer policy bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to capture referrer URL information that the browser was supposed to suppress. Exploitation requires user interaction - the victim must visit a crafted HTML page served by the attacker - and exploits a client-side enforcement gap (CWE-602) specific to the iOS build of Chrome. EPSS is 0.19% (9th percentile) and no active exploitation or KEV listing exists, consistent with the Low Chromium severity rating.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14073 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebXR component affects all versions prior to 150.0.7871.47, exploitable by a remote unauthenticated attacker who can induce a user to visit a crafted HTML page. The root cause is insufficient input validation (CWE-20) within the WebXR subsystem, resulting in limited integrity impact via unauthorized navigation. No public exploit exists and EPSS sits at 0.18% (8th percentile), consistent with the Chromium team's own Low severity classification - this represents a genuine but low-priority risk.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14066 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote, unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page. The flaw is confined to the iOS platform - Chrome on Android, Windows, macOS, and Linux is unaffected - and requires the victim to actively visit the attacker-controlled page (UI:R). With a CVSS score of 4.3 (Medium), an EPSS of 0.19% (9th percentile), no CISA KEV listing, and a Chromium-internal severity rating of Low, this vulnerability carries minimal real-world exploitation risk but warrants patching given its zero-privilege attack vector.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14065 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14061 MEDIUM PATCH This Month

Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14058 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the browser's Parser component, allowing a remote unauthenticated attacker to circumvent CSP protections via a crafted HTML page. The attacker achieves limited integrity impact (I:L) - able to load or execute content that a properly enforced CSP would block - but gains no confidentiality or availability impact. EPSS is low at 0.22% (13th percentile), no active exploitation has been confirmed (not in CISA KEV), and Chromium internally rated this Low severity, making it a real but low-priority finding.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14057 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FedCM (Federated Credential Management) implementation allows remote attackers to perform limited cross-origin integrity manipulation by luring a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. With an EPSS of 0.18% (8th percentile), no CISA KEV listing, and no public exploit identified, this represents a low-probability exploitation scenario despite being trivially deliverable via a web page.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14054 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-layer policy enforcement by inducing a user to visit a specially crafted HTML page. Rooted in CWE-602 (client-side enforcement of server-side security), the flaw means Chrome's network policy checks governing navigation can be subverted client-side, yielding a low-integrity impact with no confidentiality or availability consequence. No public exploit has been identified and the EPSS exploitation probability stands at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating - this is a low-urgency but genuine policy-enforcement gap.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14052 MEDIUM PATCH This Month

FileSystem policy enforcement bypass in Google Chrome prior to version 150.0.7871.47 allows a remote attacker to circumvent discretionary access control via a crafted HTML page, resulting in limited unauthorized write operations within the browser's sandboxed filesystem scope. The vulnerability requires user interaction - the victim must navigate to a malicious page - and produces only an integrity impact (I:L) with no confidentiality or availability consequence. With an EPSS of 0.18% (8th percentile) and no CISA KEV listing, real-world exploitation probability is very low; no public exploit has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14047 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 allows an attacker who socially engineers a victim into installing a crafted malicious extension to circumvent CSP protections, yielding limited integrity impact. CVSS UI:R and EPSS at 0.12% (2nd percentile) confirm this is a low-probability, user-interaction-dependent attack with no confidentiality or availability consequence. No KEV listing, no known POC, and Google's own 'Low' severity rating collectively position this as a low operational priority despite broad product prevalence.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-14046 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CustomTabs component on Android (versions prior to 150.0.7871.47) permits remote attackers to perform limited cross-origin integrity violations by directing a victim to a crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error), meaning Chrome's CustomTabs implementation incorrectly validates or enforces origin boundaries when rendering attacker-controlled content. No active exploitation has been confirmed (not in CISA KEV) and the EPSS score of 0.18% (8th percentile) reflects very low observed exploitation probability, consistent with the Low severity rating assigned by the Chromium security team.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14039 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). No public exploit code and no active exploitation have been identified at time of analysis; Google has issued a remediated build in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14035 MEDIUM PATCH This Month

Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14034 MEDIUM PATCH This Month

WebXR implementation flaw in Google Chrome on Android prior to 150.0.7871.47 permits remote attackers to bypass navigation restrictions by delivering a crafted HTML page to a victim. The vulnerability is Android-specific and requires user interaction to trigger, constraining its reach. With no CISA KEV listing, no public exploit identified at time of analysis, and an EPSS of 0.18% (8th percentile), this represents a low-priority integrity issue that Google itself rates as Low severity.

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14033 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14023 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14007 MEDIUM PATCH This Month

Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14003 MEDIUM PATCH This Month

Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13964 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebView component on Android (all versions prior to 150.0.7871.47) allows remote unauthenticated attackers to circumvent enforcement of navigation policies via a specially crafted HTML page, producing high integrity impact with no confidentiality or availability consequence. The CVSS vector (PR:N, UI:R) confirms unauthenticated network exploitation gated on victim interaction, consistent with a social-engineering or malicious-redirect delivery. No public exploit exists and CISA has not added this to KEV; EPSS of 0.22% (13th percentile) and SSVC Exploitation:none collectively indicate low active exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13962 MEDIUM PATCH This Month

Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13959 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13954 MEDIUM PATCH This Month

Insufficient XML policy enforcement in Google Chrome on Android (prior to 150.0.7871.47) exposes process memory contents to remote attackers who can deliver a crafted HTML page. The flaw is classified under CWE-284 (Improper Access Control), allowing the browser's XML handling to bypass intended isolation boundaries and leak potentially sensitive in-process data - such as cookies, credentials, or other runtime state - to an attacker-controlled origin. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified at time of analysis, though the CVSS score of 6.5 (Medium) reflects meaningful real-world risk given the zero-authentication, high-confidentiality-impact profile.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13953 MEDIUM PATCH This Month

Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13949 MEDIUM PATCH This Month

Insufficient policy enforcement in the Payments component of Google Chrome on Android prior to 150.0.7871.47 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a specially crafted HTML page, making this a user-interaction-dependent, network-delivered information disclosure. No active exploitation is confirmed (SSVC: Exploitation: none; not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the CVSS confidentiality impact is rated High due to the potential for process memory leakage.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13937 MEDIUM PATCH This Month

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13936 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Passwords component on Android prior to 150.0.7871.47 allows a remote attacker to extract potentially sensitive information from process memory. Exploitation requires luring a target user to visit a specially crafted HTML page, placing this squarely in the social-engineering-assisted drive-by category. No public exploit code has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) indicates meaningful credential exposure risk given Chrome's role as a primary password manager on Android devices.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13933 MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's built-in Passwords subsystem (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to read potentially sensitive credential data from process memory via a crafted HTML page. This is a second-stage, chained information-disclosure flaw - not a standalone exploit - that bypasses Chrome's inter-process access boundaries to reach password manager data. No public exploit code has been identified at time of analysis, and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13932 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13930 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13929 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DevTools component on Android (all versions prior to 150.0.7871.47) allows a local attacker to circumvent policy-enforced browsing controls by delivering a crafted malicious file. The vulnerability is confined to Android - desktop Chrome is not in scope - and requires user interaction with the malicious file, substantially narrowing the realistic attack surface. No public exploit code exists and no active exploitation has been confirmed; an EPSS score of 0.14% (3rd percentile) corroborates low real-world exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-13926 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.

Authentication Bypass Cms
NVD GitHub
CVSS 8.1
HIGH PATCH This Week

Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. A working proof of concept is published in the GitHub Security Advisory (GHSA-3whc-qvhv-xqjp); publicly available exploit code exists, but there is no public exploit identified as being used in active attacks.

Authentication Bypass Microsoft
NVD GitHub
HIGH PATCH This Week

TLS channel-binding downgrade in the ongres scram-client Java library (com.ongres.scram) lets a network man-in-the-middle silently strip SCRAM-SHA-256-PLUS down to plain SCRAM-SHA-256, defeating clients that explicitly require channel binding (e.g. channelBinding=require in pgJDBC). The flaw only bites when the server certificate uses a signature algorithm without a legacy 'WITH' name (Ed25519 or post-quantum), causing an internal NoSuchAlgorithmException to be swallowed and an empty channel-binding value to be treated as 'not offered' rather than a hard failure. Fixed in scram library 3.3; no public exploit identified at time of analysis and the issue is reported by the upstream maintainer via GitHub advisory GHSA-p9jg-fcr6-3mhf.

Authentication Bypass Java
NVD GitHub
MEDIUM PATCH This Month

Symlink traversal in oras-go's file content store allows writes outside the intended `workingDir` boundary even when `AllowPathTraversalOnWrite=false`. Applications that pull OCI artifacts from untrusted registries where an attacker controls blob titles (`ocispec.AnnotationTitle`) are at risk if any directory component under `workingDir` is a symlink pointing to an external path. No confirmed active exploitation (not in CISA KEV), but a self-contained proof-of-concept was included in the researcher's disclosure, making reproduction straightforward given the prerequisites.

Authentication Bypass Canonical
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. The CVSS 4.0 score is 5.3 (medium); no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Enterprise Server
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant authorization bypass in Rancher Fleet allows a low-privileged tenant in a multi-tenant environment to read any ConfigMap or Secret across all namespaces of a shared downstream cluster and to deploy cluster-wide resources without being bound to a restricted service account. The flaw (CWE-863, CVSS 9.9) is exploitable by authenticated tenants who abuse valuesFrom in fleet.yaml (via GitRepo) or HelmOp/Bundle resources; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 8.2
HIGH PATCH This Week

Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).

Authentication Bypass Jwt Attack Canonical
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the `Document::purge_edges` routine fires with permissions explicitly disabled (`opt.clone().with_perms(false)`), meaning the edge table's `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses are never consulted. This is a confirmed authorization bypass (CWE-285) fixed in version 3.1.0; no public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.

Authentication Bypass Jwt Attack
NVD GitHub
LOW POC PATCH Monitor

{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.

Authentication Bypass Oracle Java +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. No public exploit or CISA KEV listing has been identified at time of analysis, though the network-accessible, zero-prerequisite attack vector warrants prompt patching.

Authentication Bypass Mediawiki Wikilambda Extension
NVD VulDB
CVSS 7.5
HIGH PATCH This Week

Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.

Authentication Bypass Elastic Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization controls in the ApplyOnline WordPress plugin (versions through 2.6.7.6) by WP Reloaded allow unauthenticated remote attackers to perform unauthorized write-level actions by exploiting incorrectly configured access control security levels. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against any network-accessible WordPress installation running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low complexity and zero-auth requirement make this straightforward to abuse.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the ThumbPress WordPress plugin (Codexpert Inc) through version 6.3.2 allows low-privileged authenticated users to invoke restricted plugin functionality, resulting in limited availability impact against thumbnail or image-size management operations. The CVSS vector (PR:L, A:L) confirms exploitation requires an authenticated session but no elevated role, and produces no confidentiality or integrity loss - only partial disruption. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Incorrect Authorization (CWE-863) in Elastic Defend exposes response action data to low-privileged authenticated users who should not have access to it. The flaw, classified under CAPEC-1, arises because access controls on specific functionality are not properly enforced, allowing a user with minimal privileges to read security response action data belonging to other users or roles. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, but the High confidentiality impact (CVSS C:H) means sensitive endpoint response data - such as isolation actions, process kills, or file retrieval outputs - could be disclosed.

Authentication Bypass Elastic Information Disclosure +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can bypass access controls in the Webba Booking WordPress plugin (all versions through 6.4.13) due to missing server-side authorization checks on one or more booking-related endpoints, enabling unauthorized integrity-affecting actions such as creating, modifying, or canceling bookings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero-friction exploitation requiring no credentials or user interaction against any internet-facing WordPress site running the affected plugin. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Authentication Bypass Webba Booking
NVD
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

Command Injection Authentication Bypass C492A W6 Wi Fi Ip Camera
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.

PHP Mediawiki Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.

Authentication Bypass RCE Pacsgear Mediawriter
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.

Authentication Bypass RCE Pacsgear Pacs Scan
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).

Authentication Bypass Module Auth
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding host-edit permissions to retrieve sensitive infrastructure metadata from organizations and locations they are not authorized to access. The root cause is the taxonomy_scope controller method accepting organization and location IDs from nested request parameters without validating them against the caller's authorized tenancy scope, implementing a textbook CWE-639 authorization bypass through user-controlled key. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is identified at time of analysis; however, the low attack complexity and lack of user interaction make this straightforward to exploit for any low-privileged authenticated user in multi-tenant Satellite deployments.

Authentication Bypass Information Disclosure Red Hat Satellite 6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host-edit permissions to retarget an existing lookup value override to hosts outside their authorized organizational or location scope. The flaw stems from insufficient authorization enforcement on the match field when modified via nested host attributes, allowing an attacker to effectively write configuration overrides to managed hosts they are not permitted to administer. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Red Hat Satellite 6
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_keypairs' permission to bypass taxonomy scoping and retrieve private SSH keys belonging to foreign organizations by directly querying key pair IDs via the API. The flaw is an IDOR (CWE-639) at the multi-tenancy enforcement layer, meaning the isolation contract between tenant organizations is broken for any user granted that permission. No CISA KEV listing or public exploit code has been identified at time of analysis; impact is strictly confidentiality - no write or destructive capability is exposed through this path.

Authentication Bypass Information Disclosure Red Hat Satellite 6
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.

Authentication Bypass Apple Sdp Client
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Denial Of Service RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthorized cross-user data access in Dassault Systèmes BIOVIA Workbook (Release 2021 through Release 2026) stems from a race condition that lets one authenticated low-privilege user read data belonging to another user. Vendor 3DS tags the flaw as an authentication bypass, and its CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L) reflects network-reachable exploitation by any authenticated account with high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no EPSS or KEV signal supplied.

Authentication Bypass Race Condition Biovia Workbook
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user via a missing authorization check on the `/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure` web API endpoint. Confirmed by CERT-PL in version 25.3.3.1, the flaw allows low-privileged users to retrieve permission hierarchies and internal configuration details intended only for administrators. No active exploitation has been identified, no public exploit code exists, and vendor contact attempts were unsuccessful, leaving the patch timeline and full version impact unresolved.

Authentication Bypass Mco
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.

Authentication Bypass Mco
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. No public exploit identified at time of analysis; the flaw is method-agnostic and requires no special preconditions, and the vendor rates it CVSS 9.1.

Authentication Bypass Canonical Fastify Middie
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. No public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated and low-complexity attack vector broadens the exposure surface beyond what the medium CVSS score alone conveys.

Authentication Bypass Woffice
NVD
EPSS 0% CVSS 9.5
CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. The permission_callback validates only generic edit_posts and publish_posts capabilities rather than post ownership, meaning the built-in Author role is sufficient for exploitation. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Qi Blocks
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. An attacker exploiting this flaw can silently deface competitor or victim listings with a site-wide 'Sold' badge while also stripping the `special_car` featured post meta, causing business harm on dealership or classifieds sites. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Motors Car Dealership Classified Listings Plugin
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

Authentication Bypass Cgi
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Missing authorization on an AJAX endpoint in the Salon Booking System WordPress plugin (all versions before 10.30.20) allows any authenticated subscriber-level user to modify plugin settings and disable the manual approval workflow for new bookings. A publicly available proof-of-concept exists per WPScan's disclosure, making exploitation straightforward for any registered user on affected sites. No public exploitation (CISA KEV) has been confirmed, and SSVC assessment classifies technical impact as partial with exploitation not yet automated.

WordPress Authentication Bypass Salon Booking System
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). At the time of analysis there is no public exploit identified and the flaw is not listed in CISA KEV; no EPSS value was supplied.

Authentication Bypass As228T
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass Wpforms Ai Form Builder For Wordpress Contact Forms Payment Forms Survey Form Quiz More
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected `cpabc_appointments_filter_list` AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but a source-level fix appears committed in the plugin's SVN repository (changeset 3581633).

Authentication Bypass WordPress Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Visualizer Tables Charts Manager With Built In Ai Generator
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. No public exploit code or CISA KEV listing exists at time of analysis; however, the low barrier to exploitation - any registered Contributor can leverage this - makes it relevant for multi-author WordPress sites. EPSS data was not provided in the input.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a valid WordPress account and the limited scope of impact (group record deletion only).

Authentication Bypass WordPress Joomsport For Sports
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. Rated CVSS 9.1 (CWE-798); no public exploit identified at time of analysis, though the credential itself is disclosed in the advisory.

Authentication Bypass Ultravnc
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 exposes sensitive user data from other origins when a victim visits a specially crafted HTML page that exploits insufficient policy enforcement in the StorageAccessAPI. The API, designed to manage third-party storage access in privacy-restricting browser contexts, fails to enforce cross-origin boundaries correctly, allowing an attacker to read data belonging to unrelated origins. No active exploitation has been confirmed - CVE is absent from CISA KEV, EPSS rates exploitation likelihood at 0.17% (7th percentile), and SSVC classifies exploitation status as none - though the CVSS confidentiality impact is rated High.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin-policy bypass in Google Chrome's Speech component before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page cross origin boundaries via insufficient policy enforcement. No public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); notably, Google's own Chromium team rated this Low severity even though NVD scored it CVSS 9.6, a significant conflict defenders should weigh. Requires user interaction (visiting the page) and affects all Chrome desktop builds prior to the fixed stable release.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker to circumvent browser navigation controls through crafted malicious network traffic targeting the TabSwitcher component. The flaw stems from insufficient input validation (CWE-20) in the tab management UI and requires user interaction to trigger, limiting its practical reach. With an EPSS score of 0.17% (7th percentile), no public exploit code, no CISA KEV listing, and Chromium's own internal severity rating of Low, real-world exploitation risk is minimal despite network reachability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Network component (versions prior to 150.0.7871.47) allows a remote attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw, rooted in CWE-346 (Origin Validation Error), enables unauthorized cross-origin integrity impacts - an attacker can cause a browser to act on or submit data across origin boundaries it should enforce. With an EPSS of 0.18% at the 8th percentile, no CISA KEV listing, and no public exploit identified, active exploitation risk is low at this time, though Chrome's ubiquitous deployment ensures broad attack surface if exploitation techniques mature.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-level policy enforcement by delivering a crafted HTML page to a victim. The Chrome security team internally rated this as Low severity, consistent with the CVSS 4.3 score and an impact limited to integrity (I:L) with no confidentiality or availability consequences. No public exploit code or active exploitation has been identified; EPSS places this in the 8th percentile of exploitation likelihood.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

No-referrer policy bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to capture referrer URL information that the browser was supposed to suppress. Exploitation requires user interaction - the victim must visit a crafted HTML page served by the attacker - and exploits a client-side enforcement gap (CWE-602) specific to the iOS build of Chrome. EPSS is 0.19% (9th percentile) and no active exploitation or KEV listing exists, consistent with the Low Chromium severity rating.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebXR component affects all versions prior to 150.0.7871.47, exploitable by a remote unauthenticated attacker who can induce a user to visit a crafted HTML page. The root cause is insufficient input validation (CWE-20) within the WebXR subsystem, resulting in limited integrity impact via unauthorized navigation. No public exploit exists and EPSS sits at 0.18% (8th percentile), consistent with the Chromium team's own Low severity classification - this represents a genuine but low-priority risk.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote, unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page. The flaw is confined to the iOS platform - Chrome on Android, Windows, macOS, and Linux is unaffected - and requires the victim to actively visit the attacker-controlled page (UI:R). With a CVSS score of 4.3 (Medium), an EPSS of 0.19% (9th percentile), no CISA KEV listing, and a Chromium-internal severity rating of Low, this vulnerability carries minimal real-world exploitation risk but warrants patching given its zero-privilege attack vector.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the browser's Parser component, allowing a remote unauthenticated attacker to circumvent CSP protections via a crafted HTML page. The attacker achieves limited integrity impact (I:L) - able to load or execute content that a properly enforced CSP would block - but gains no confidentiality or availability impact. EPSS is low at 0.22% (13th percentile), no active exploitation has been confirmed (not in CISA KEV), and Chromium internally rated this Low severity, making it a real but low-priority finding.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FedCM (Federated Credential Management) implementation allows remote attackers to perform limited cross-origin integrity manipulation by luring a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. With an EPSS of 0.18% (8th percentile), no CISA KEV listing, and no public exploit identified, this represents a low-probability exploitation scenario despite being trivially deliverable via a web page.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-layer policy enforcement by inducing a user to visit a specially crafted HTML page. Rooted in CWE-602 (client-side enforcement of server-side security), the flaw means Chrome's network policy checks governing navigation can be subverted client-side, yielding a low-integrity impact with no confidentiality or availability consequence. No public exploit has been identified and the EPSS exploitation probability stands at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating - this is a low-urgency but genuine policy-enforcement gap.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FileSystem policy enforcement bypass in Google Chrome prior to version 150.0.7871.47 allows a remote attacker to circumvent discretionary access control via a crafted HTML page, resulting in limited unauthorized write operations within the browser's sandboxed filesystem scope. The vulnerability requires user interaction - the victim must navigate to a malicious page - and produces only an integrity impact (I:L) with no confidentiality or availability consequence. With an EPSS of 0.18% (8th percentile) and no CISA KEV listing, real-world exploitation probability is very low; no public exploit has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 allows an attacker who socially engineers a victim into installing a crafted malicious extension to circumvent CSP protections, yielding limited integrity impact. CVSS UI:R and EPSS at 0.12% (2nd percentile) confirm this is a low-probability, user-interaction-dependent attack with no confidentiality or availability consequence. No KEV listing, no known POC, and Google's own 'Low' severity rating collectively position this as a low operational priority despite broad product prevalence.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CustomTabs component on Android (versions prior to 150.0.7871.47) permits remote attackers to perform limited cross-origin integrity violations by directing a victim to a crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error), meaning Chrome's CustomTabs implementation incorrectly validates or enforces origin boundaries when rendering attacker-controlled content. No active exploitation has been confirmed (not in CISA KEV) and the EPSS score of 0.18% (8th percentile) reflects very low observed exploitation probability, consistent with the Low severity rating assigned by the Chromium security team.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). No public exploit code and no active exploitation have been identified at time of analysis; Google has issued a remediated build in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

WebXR implementation flaw in Google Chrome on Android prior to 150.0.7871.47 permits remote attackers to bypass navigation restrictions by delivering a crafted HTML page to a victim. The vulnerability is Android-specific and requires user interaction to trigger, constraining its reach. With no CISA KEV listing, no public exploit identified at time of analysis, and an EPSS of 0.18% (8th percentile), this represents a low-priority integrity issue that Google itself rates as Low severity.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebView component on Android (all versions prior to 150.0.7871.47) allows remote unauthenticated attackers to circumvent enforcement of navigation policies via a specially crafted HTML page, producing high integrity impact with no confidentiality or availability consequence. The CVSS vector (PR:N, UI:R) confirms unauthenticated network exploitation gated on victim interaction, consistent with a social-engineering or malicious-redirect delivery. No public exploit exists and CISA has not added this to KEV; EPSS of 0.22% (13th percentile) and SSVC Exploitation:none collectively indicate low active exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient XML policy enforcement in Google Chrome on Android (prior to 150.0.7871.47) exposes process memory contents to remote attackers who can deliver a crafted HTML page. The flaw is classified under CWE-284 (Improper Access Control), allowing the browser's XML handling to bypass intended isolation boundaries and leak potentially sensitive in-process data - such as cookies, credentials, or other runtime state - to an attacker-controlled origin. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified at time of analysis, though the CVSS score of 6.5 (Medium) reflects meaningful real-world risk given the zero-authentication, high-confidentiality-impact profile.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in the Payments component of Google Chrome on Android prior to 150.0.7871.47 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a specially crafted HTML page, making this a user-interaction-dependent, network-delivered information disclosure. No active exploitation is confirmed (SSVC: Exploitation: none; not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the CVSS confidentiality impact is rated High due to the potential for process memory leakage.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Passwords component on Android prior to 150.0.7871.47 allows a remote attacker to extract potentially sensitive information from process memory. Exploitation requires luring a target user to visit a specially crafted HTML page, placing this squarely in the social-engineering-assisted drive-by category. No public exploit code has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) indicates meaningful credential exposure risk given Chrome's role as a primary password manager on Android devices.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's built-in Passwords subsystem (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to read potentially sensitive credential data from process memory via a crafted HTML page. This is a second-stage, chained information-disclosure flaw - not a standalone exploit - that bypasses Chrome's inter-process access boundaries to reach password manager data. No public exploit code has been identified at time of analysis, and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DevTools component on Android (all versions prior to 150.0.7871.47) allows a local attacker to circumvent policy-enforced browsing controls by delivering a crafted malicious file. The vulnerability is confined to Android - desktop Chrome is not in scope - and requires user interaction with the malicious file, substantially narrowing the realistic attack surface. No public exploit code exists and no active exploitation has been confirmed; an EPSS score of 0.14% (3rd percentile) corroborates low real-world exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
Prev Page 11 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy