Skip to main content

Authentication Bypass

31234 CVEs technique

Monthly

CVE-2026-13932 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13930 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13929 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DevTools component on Android (all versions prior to 150.0.7871.47) allows a local attacker to circumvent policy-enforced browsing controls by delivering a crafted malicious file. The vulnerability is confined to Android - desktop Chrome is not in scope - and requires user interaction with the malicious file, substantially narrowing the realistic attack surface. No public exploit code exists and no active exploitation has been confirmed; an EPSS score of 0.14% (3rd percentile) corroborates low real-world exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-13926 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13924 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebView component on Android enables a remote attacker who has already compromised the renderer process to perform cross-origin integrity violations by serving a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. This is explicitly a chained attack requiring a pre-existing renderer compromise, making it a second-stage exploit rather than a standalone entry point. No public exploit code exists and no public exploitation has been confirmed at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13921 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials component allows remote attackers to violate cross-origin isolation guarantees via a crafted HTML page. Affected are all Chrome desktop releases prior to 150.0.7871.47 on all supported platforms. Exploitation requires user interaction (visiting an attacker-controlled page) and yields high integrity impact - enabling cross-origin state manipulation - with no confidentiality or availability consequence. No active exploitation is confirmed (not in CISA KEV), EPSS is low at 0.22% (13th percentile), and SSVC rates exploitation as none with partial technical impact; a vendor patch is available.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13919 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent extension policy enforcement and escape site isolation boundaries via a crafted HTML page. The root cause (CWE-602) is client-side enforcement of security policies in the Extensions subsystem that can be subverted once the renderer is under attacker control. No active exploitation has been confirmed - EPSS is 0.22% (13th percentile), SSVC rates exploitation as none and the attack as non-automatable - and a vendor-released patch is available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13917 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.

Authentication Bypass Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13914 MEDIUM PATCH This Month

Chrome's built-in Passwords subsystem on macOS leaks sensitive process memory contents when a malicious file is processed, potentially exposing stored credentials or authentication tokens to a local attacker. All Google Chrome releases for Mac prior to 150.0.7871.47 are affected. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the confidentiality impact is rated High given the nature of the data at risk within the Passwords feature.

Authentication Bypass Google Suse
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-13908 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13904 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13900 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Chromecast implementation (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to circumvent navigation restrictions via a specially crafted HTML page. This is a post-compromise escalation primitive rather than a standalone entry point - the renderer must already be under attacker control, making this a link in an exploit chain rather than an initial access vector. No public exploit has been identified at time of analysis; EPSS at 0.23% (14th percentile) reflects very low observed exploitation probability, consistent with the chained-exploit requirement.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13897 HIGH PATCH This Week

Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Authentication Bypass Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13896 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Glic feature (versions prior to 150.0.7871.47) enables remote attackers to circumvent policy enforcement controls by delivering a crafted HTML page that triggers insufficient validation logic. The flaw maps to CWE-602, meaning security enforcement intended to be authoritative is implemented client-side in a bypassable manner, resulting in high integrity impact with no confidentiality or availability consequence. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.22% (13th percentile) reflects low current exploitation probability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13894 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a network-positioned attacker to circumvent browser-enforced navigation policies via a crafted HTML page. The attacker must occupy a privileged network position (e.g., man-in-the-middle) and requires user interaction with the malicious page, per the CVSS UI:R and the description's explicit network-position prerequisite. With an EPSS of 0.15% at the 5th percentile, no public exploit code, and no CISA KEV listing, exploitation probability is low - this is a medium-severity issue with a meaningful but situational attack barrier.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13886 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Isolated Web Apps (IWA) subsystem allows remote attackers to circumvent enforcement mechanisms via a specially crafted HTML page, resulting in high-integrity impact with no confidentiality or availability consequence. Affected versions are all Chrome releases prior to 150.0.7871.47. User interaction is required - the victim must visit the attacker-controlled page - and no public exploit or CISA KEV listing has been identified at time of analysis. The low EPSS score of 0.22% (13th percentile) reinforces that active exploitation is not currently observed.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13881 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebAppInstalls component allows remote attackers to compromise cross-origin integrity via a crafted HTML page, affecting all Chrome versions prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-346, Origin Validation Error) in the PWA installation subsystem, enabling an attacker to perform unauthorized cross-origin writes or manipulations when a user visits attacker-controlled content. No public exploit identified at time of analysis, and the EPSS score of 0.23% (14th percentile) indicates low near-term exploitation probability, though the ubiquitous deployment of Chrome elevates aggregate exposure.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13876 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS score of 0.15% (4th percentile) - but the attack vector is unauthenticated and the integrity impact is significant for high-value targets on adversarial networks.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13871 MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13868 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13866 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13864 HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-13852 CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13851 CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13839 MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13838 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13828 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13822 MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13818 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13806 HIGH PATCH This Week

Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13800 HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13795 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56350 npm MEDIUM POC PATCH This Month

SSO enforcement bypass in n8n before 2.8.0 allows any authenticated SSO user to disable organization-wide SSO enforcement via the API, then register a local password credential, permanently decoupling their account from the identity provider. This defeats identity-provider-enforced MFA and enables persistent access that survives SSO policy changes or user deprovisioning in the IdP. No public exploit code has been identified at time of analysis, but the technique requires only a valid SSO session and knowledge of the relevant API endpoint.

Authentication Bypass N8n
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-56334 MEDIUM PATCH This Month

Missing UPDATE row-level security (RLS) policy on Capgo's build_requests table permits low-privileged API-key holders to perform unauthorized status updates against build pipeline records, corrupting build state by leaving rows permanently stuck in a pending state with null last_error values. Capgo versions before 12.128.2 on all platforms are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, exploitation requires only low-privilege network access with no additional complexity, making it a straightforward post-authentication integrity issue.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56320 HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56286 HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
CVSS 4.0
7.0
EPSS
0.4%
CVE-2026-56278 npm CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56277 npm MEDIUM PATCH This Month

Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56249 HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-56247 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56230 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56219 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-58448 HIGH POC PATCH This Week

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. Publicly available exploit code exists and a vendor patch is available; the issue is not listed in CISA KEV.

Authentication Bypass Yudao Cloud
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58447 HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58446 MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker Presenton
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-13207 HIGH CISA Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-9132 MEDIUM This Month

Unauthorized source code disclosure in GitHub Enterprise Server exposes private repository contents to any authenticated user on the instance, regardless of their actual repository permissions. The Copilot pull request description diff summary endpoint accepted cross-repository comparison ranges and rendered the resulting diff without verifying the requesting user held read access to the target repository - a missing authorization flaw (CWE-862) allowing lateral access to arbitrary private repositories. No active exploitation has been confirmed (not in CISA KEV), the issue was responsibly disclosed via GitHub's Bug Bounty program, and patches are available across four release branches.

Authentication Bypass Enterprise Server
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2025-36327 MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-10560 CRITICAL Act Now

Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.

Authentication Bypass IBM Denial Of Service Information Disclosure Langflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-10140 CRITICAL Act Now

Cross-tenant credential confusion in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user manipulate the voice-mode shared cache so that other tenants' requests are processed with the wrong upstream API credentials, causing billing and accountability to be misattributed across tenant boundaries. The flaw (CWE-639) requires only low-privilege authentication and is rated critical (CVSS 9.6) because a scope change extends the impact to other users and upstream services. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass IBM Langflow
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2025-36333 MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-7663 CRITICAL PATCH Act Now

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-55219 PHP MEDIUM PATCH GHSA This Month

Credit double-spend via race condition in Paymenter allows any authenticated user with a non-zero credit balance to settle multiple invoices for the cost of one. The root cause is that `lockForUpdate()` in `app/Livewire/Invoices/Show.php` is called outside a database transaction, rendering the pessimistic lock a no-op in MySQL/MariaDB and leaving the read-check-deduct sequence unprotected against concurrent execution. Successful exploitation results in direct financial or resource loss to the platform operator as `ExtensionHelper::addPayment()` provisions services or digital goods for each winning request. No public exploit has been identified at time of analysis.

Authentication Bypass Race Condition PHP
NVD GitHub
CVSS 3.1
5.3
CVE-2026-48808 PHP MEDIUM PATCH GHSA This Month

Sandbox property allowlist bypass in Twig's `column` filter allows template authors operating under `SourcePolicyInterface`-gated sandboxing to read any public or magic property of any object reachable in the render context, circumventing `SecurityPolicy::$allowedProperties` entirely. This is a residual bypass of CVE-2026-46635, exploitable only when three conditions coexist: `SourcePolicyInterface`-based sandbox mode, `column` present in `allowedFilters`, and attacker-controlled template authoring access. The global sandbox mode and direct attribute access paths are both unaffected, making this a targeted policy enforcement gap rather than a broad sandbox failure. No public exploit has been identified at time of analysis; the vendor-released patch is Twig v3.27.0.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-48806 PHP HIGH PATCH GHSA This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48805 PHP MEDIUM PATCH GHSA This Month

Sandbox bypass in Twig 3.26.x allows string callables to circumvent the Closure-only restriction when applications use the deprecated `twig_array_some()` and `twig_array_every()` wrapper functions over a sandboxed Environment. The 3.26.0 source-policy hardening changed `CoreExtension::checkArrow()` to accept a boolean sandbox state, but the legacy wrappers in `src/Resources/core.php` were not updated, causing them to silently pass `false` for `$isSandboxed` and accept arbitrary string callables such as `'exec'` or `'system'` that the sandbox was designed to block. No public exploit has been identified at time of analysis, and impact is limited to the narrow subset of applications calling the deprecated wrappers with sandbox mode active.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-48791 Maven LOW POC PATCH GHSA Monitor

Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.

Authentication Bypass Jwt Attack Java
NVD GitHub
CVSS 3.1
2.0
CVE-2026-49473 npm HIGH PATCH GHSA This Week

{id} action yet executed by the restrictive /users list handler. No public exploit identified at time of analysis, but the technique is fully described in the AWS/GitHub advisory and trivially reproducible.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
CVE-2026-47198 PHP HIGH PATCH GHSA This Week

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
8.5
CVE-2026-58377 HIGH POC This Week

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Authentication Bypass Jeecgboot
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-58375 HIGH POC This Week

Unauthenticated report data exfiltration in JimuReport (JeecgBoot) through version 2.5.0 lets remote attackers export the full contents of any report via the POST /jmreport/auto/export endpoint. Because the handler carries the @JimuNoLoginRequired annotation, JimuReportTokenInterceptor skips all authentication and the export service never checks the auto-export configuration flag, so any guessed report id is rendered and streamed back. Publicly available exploit code exists; the disclosure comes from VulnCheck and the CVSS 4.0 base score is 8.7 (High), driven by high confidentiality impact with no privileges or user interaction required.

Authentication Bypass Jimureport
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-58373 MEDIUM PATCH This Month

Cross-organization report enumeration in CVAT before 2.69.0 exposes the existence of quality reports belonging to other organizations to any authenticated user. The vulnerability stems from a missing authorization gate in QualityReportViewSet.get_queryset, where the parent_id query parameter is processed without invoking check_object_permissions, allowing cross-tenant enumeration via differential HTTP response analysis. No public exploit or CISA KEV listing exists, but the attack is trivially automatable by any authenticated user in a multi-organization CVAT deployment.

Authentication Bypass Cvat
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-58370 CRITICAL PATCH Act Now

Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a GitLab-backed repository run unapproved, attacker-controlled pipelines. Because the GitLab forge driver populates pipeline.Author from the spoofable git commit author name (commit.author.name) rather than the GitLab-validated user identity, an attacker simply sets the commit author to a name listed in ApprovalAllowedUsers, making needsApproval return false. This grants arbitrary CI step execution on a Woodpecker agent and exposure of CI secrets; there is no public exploit identified at time of analysis, but the issue was reported by VulnCheck and is trivially reproducible.

Authentication Bypass Gitlab Gitea Woodpecker
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-49451 NuGet HIGH PATCH GHSA This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-58176 HIGH POC PATCH This Week

Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. A publicly available exploit is referenced in the project's GitHub issue tracker; no CISA KEV listing has been confirmed at time of analysis, suggesting targeted rather than widespread exploitation.

Authentication Bypass Ruoyi Vue Plus
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-58172 CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-58168 HIGH PATCH This Week

Privilege escalation via missing authorization in HKUDS DeepTutor before 1.4.10 lets any authenticated low-privilege user invoke deployment-wide MCP (Model Context Protocol) tools they were never granted. The root cause is the allowed_mcp_tools function in deeptutor/multi_user/tool_access.py returning None (interpreted as 'allow all') instead of a denied result when the mcp_tools key is omitted from a user's grant, so a regular user - or prompt-injected content running inside their session - can enumerate and call filesystem, shell, and browser MCP servers. No public exploit is identified at the time of analysis and it is not in CISA KEV, but a vendor patch (v1.4.10) is available and the issue was reported by VulnCheck.

Authentication Bypass Deeptutor
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-58167 HIGH PATCH This Week

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Nightingale
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58165 HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-48286 CRITICAL Act Now

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Adobe RCE Adobe Campaign Classic Acc
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-44949 HIGH PATCH This Week

Authentication bypass in SUSE Rancher's in-cluster admission webhook (rancher-webhook) lets a network-adjacent, unauthenticated attacker forge FleetWorkspace admission payloads so that workspace-related Kubernetes objects are created with attacker-chosen identity data. Affected releases span Rancher 0.7.0–0.7.10, 0.8.0–0.8.7, 0.9.0–0.9.6 and 0.10.0–0.10.7, with integrity impact but no direct confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is documented in SUSE/Rancher advisory GHSA-h83p-cq95-vph4.

Authentication Bypass Kubernetes Rancher
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-27956 MEDIUM PATCH This Month

{server_uuid}/domains endpoint silently drops team-scope enforcement when the optional uuid query parameter is supplied, producing a classic IDOR (CWE-639) condition where a user-controlled key bypasses authorization. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the low attack complexity and single authentication prerequisite make the flaw trivially exploitable by any tenant in a multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-27883 MEDIUM PATCH This Month

{uuid} endpoint extracts the requesting user's teamId from their authentication token but never applies it to scope the underlying database query, meaning any valid UUID is sufficient to retrieve another team's data. Exploitation requires a valid Coolify account; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-27881 MEDIUM PATCH This Month

{uuid}`. The DeployController.php endpoint performs no team-ownership validation against the requesting user's session, making this a textbook CWE-639 Insecure Direct Object Reference (IDOR) across tenant boundaries. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the attack is mechanically trivial once a target UUID is known.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-44947 MEDIUM PATCH This Month

Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. An attacker with a pre-existing role assignment can continue to bypass PSA policies enforced at the project level, defeating administrative intent and potentially deploying workloads that violate the cluster's security posture. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Rancher
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-6556 CRITICAL PATCH Act Now

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. There is no public exploit identified at time of analysis, and the issue is fixed in 4.0.7.

Authentication Bypass Fastify Express
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-12388 MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak's Identity Provider mapper component allows a restricted administrator with IdP management permissions to silently assign the built-in realm-admin role to themselves or other accounts by creating a Hardcoded Role mapper. This bypasses the authorization boundary intended to confine limited administrators within their delegated scope, resulting in full realm takeover. No public exploit code or CISA KEV listing exists at time of analysis; however, the impact is severe in multi-tenant or delegated-administration deployments where IdP management is granted to semi-trusted parties.

Authentication Bypass Red Hat Build Of Keycloak Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14209 MEDIUM This Month

Unauthorized user profile disclosure in Red Hat Build of Keycloak allows low-privileged administrative users to bypass Fine-Grained Admin Permission (FGAPv2) restrictions and access complete user profiles they should only be permitted to search. An admin scoped exclusively to user-search rights can invoke the 'brute-force-user' endpoint to retrieve sensitive profile data and security metadata, circumventing the intended view-permission gate on that code path. No public exploit has been identified and the flaw is not listed in CISA KEV, but its network-accessible, low-complexity nature makes it straightforward to abuse within any Keycloak deployment that has activated FGAPv2 permission delegation.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14162 CRITICAL PATCH Act Now

Sensitive data exposure in Advantech Hospital Queuing Management lets unauthenticated remote attackers reach a specific URL and retrieve the application's API documentation, mapping out endpoints and parameters without any credentials. The flaw is rooted in missing authentication (CWE-306) on a resource that should be protected, and TWCERT rates it CVSS 4.0 9.3 (Critical). No public exploit is identified at time of analysis, but the exposed API documentation provides reconnaissance that materially lowers the barrier to follow-on attacks.

Authentication Bypass Information Disclosure Hospital Quering Management
NVD VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-49877 HIGH PATCH This Week

Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Apache Apache Activemq
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-24816 MEDIUM PATCH This Month

Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users.

Authentication Bypass Nokia Mantaray Nm
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12819 CRITICAL CISA Act Now

Unauthenticated Modbus TCP exposure on the Delta Electronics DVP12SE programmable logic controller lets any network-reachable attacker invoke security-sensitive PLC functions - reading and writing process registers, coils, and configuration - with no credentials or access control. The flaw (CWE-306, Missing Authentication for a Critical Function) carries a CVSS 4.0 base of 9.3 and is documented in Delta advisory PCSA-2026-00011 alongside CVE-2026-12818. There is no public exploit identified at time of analysis and no CISA KEV listing, but the Modbus protocol is trivially scriptable and well understood, lowering the practical exploitation bar.

Authentication Bypass Dvp 12Se
NVD VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12349 MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-34592 HIGH PATCH This Week

Cross-team data exposure in Coolify (self-hostable PaaS) before 4.0.0-beta.471 allows any authenticated user to read servers and projects owned by other teams by supplying their object IDs directly. The flaw is a broken object-level authorization (IDOR) where lookups are never scoped to the requester's team, breaching the multi-tenant boundary. No public exploit identified at time of analysis, and the issue is resolved in 4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-57997 MEDIUM PATCH This Month

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.

Authentication Bypass Strapi
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-54475 HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq Activemq Broker
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55956 MEDIUM This Month

Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55955 MEDIUM This Month

Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.1%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DevTools component on Android (all versions prior to 150.0.7871.47) allows a local attacker to circumvent policy-enforced browsing controls by delivering a crafted malicious file. The vulnerability is confined to Android - desktop Chrome is not in scope - and requires user interaction with the malicious file, substantially narrowing the realistic attack surface. No public exploit code exists and no active exploitation has been confirmed; an EPSS score of 0.14% (3rd percentile) corroborates low real-world exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebView component on Android enables a remote attacker who has already compromised the renderer process to perform cross-origin integrity violations by serving a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. This is explicitly a chained attack requiring a pre-existing renderer compromise, making it a second-stage exploit rather than a standalone entry point. No public exploit code exists and no public exploitation has been confirmed at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials component allows remote attackers to violate cross-origin isolation guarantees via a crafted HTML page. Affected are all Chrome desktop releases prior to 150.0.7871.47 on all supported platforms. Exploitation requires user interaction (visiting an attacker-controlled page) and yields high integrity impact - enabling cross-origin state manipulation - with no confidentiality or availability consequence. No active exploitation is confirmed (not in CISA KEV), EPSS is low at 0.22% (13th percentile), and SSVC rates exploitation as none with partial technical impact; a vendor patch is available.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent extension policy enforcement and escape site isolation boundaries via a crafted HTML page. The root cause (CWE-602) is client-side enforcement of security policies in the Extensions subsystem that can be subverted once the renderer is under attacker control. No active exploitation has been confirmed - EPSS is 0.22% (13th percentile), SSVC rates exploitation as none and the attack as non-automatable - and a vendor-released patch is available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.

Authentication Bypass Apple Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Chrome's built-in Passwords subsystem on macOS leaks sensitive process memory contents when a malicious file is processed, potentially exposing stored credentials or authentication tokens to a local attacker. All Google Chrome releases for Mac prior to 150.0.7871.47 are affected. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the confidentiality impact is rated High given the nature of the data at risk within the Passwords feature.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Chromecast implementation (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to circumvent navigation restrictions via a specially crafted HTML page. This is a post-compromise escalation primitive rather than a standalone entry point - the renderer must already be under attacker control, making this a link in an exploit chain rather than an initial access vector. No public exploit has been identified at time of analysis; EPSS at 0.23% (14th percentile) reflects very low observed exploitation probability, consistent with the chained-exploit requirement.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Authentication Bypass +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Glic feature (versions prior to 150.0.7871.47) enables remote attackers to circumvent policy enforcement controls by delivering a crafted HTML page that triggers insufficient validation logic. The flaw maps to CWE-602, meaning security enforcement intended to be authoritative is implemented client-side in a bypassable manner, resulting in high integrity impact with no confidentiality or availability consequence. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.22% (13th percentile) reflects low current exploitation probability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a network-positioned attacker to circumvent browser-enforced navigation policies via a crafted HTML page. The attacker must occupy a privileged network position (e.g., man-in-the-middle) and requires user interaction with the malicious page, per the CVSS UI:R and the description's explicit network-position prerequisite. With an EPSS of 0.15% at the 5th percentile, no public exploit code, and no CISA KEV listing, exploitation probability is low - this is a medium-severity issue with a meaningful but situational attack barrier.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Isolated Web Apps (IWA) subsystem allows remote attackers to circumvent enforcement mechanisms via a specially crafted HTML page, resulting in high-integrity impact with no confidentiality or availability consequence. Affected versions are all Chrome releases prior to 150.0.7871.47. User interaction is required - the victim must visit the attacker-controlled page - and no public exploit or CISA KEV listing has been identified at time of analysis. The low EPSS score of 0.22% (13th percentile) reinforces that active exploitation is not currently observed.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebAppInstalls component allows remote attackers to compromise cross-origin integrity via a crafted HTML page, affecting all Chrome versions prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-346, Origin Validation Error) in the PWA installation subsystem, enabling an attacker to perform unauthorized cross-origin writes or manipulations when a user visits attacker-controlled content. No public exploit identified at time of analysis, and the EPSS score of 0.23% (14th percentile) indicates low near-term exploitation probability, though the ubiquitous deployment of Chrome elevates aggregate exposure.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS score of 0.15% (4th percentile) - but the attack vector is unauthenticated and the integrity impact is significant for high-value targets on adversarial networks.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google +1
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

SSO enforcement bypass in n8n before 2.8.0 allows any authenticated SSO user to disable organization-wide SSO enforcement via the API, then register a local password credential, permanently decoupling their account from the identity provider. This defeats identity-provider-enforced MFA and enables persistent access that survives SSO policy changes or user deprovisioning in the IdP. No public exploit code has been identified at time of analysis, but the technique requires only a valid SSO session and knowledge of the relevant API endpoint.

Authentication Bypass N8n
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing UPDATE row-level security (RLS) policy on Capgo's build_requests table permits low-privileged API-key holders to perform unauthorized status updates against build pipeline records, corrupting build state by leaving rows permanently stuck in a pending state with null last_error values. Capgo versions before 12.128.2 on all platforms are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, exploitation requires only low-privilege network access with no additional complexity, making it a straightforward post-authentication integrity issue.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. Publicly available exploit code exists and a vendor patch is available; the issue is not listed in CISA KEV.

Authentication Bypass Yudao Cloud
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Unauthorized source code disclosure in GitHub Enterprise Server exposes private repository contents to any authenticated user on the instance, regardless of their actual repository permissions. The Copilot pull request description diff summary endpoint accepted cross-repository comparison ranges and rendered the resulting diff without verifying the requesting user held read access to the target repository - a missing authorization flaw (CWE-862) allowing lateral access to arbitrary private repositories. No active exploitation has been confirmed (not in CISA KEV), the issue was responsibly disclosed via GitHub's Bug Bounty program, and patches are available across four release branches.

Authentication Bypass Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.

Authentication Bypass IBM Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-tenant credential confusion in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user manipulate the voice-mode shared cache so that other tenants' requests are processed with the wrong upstream API credentials, causing billing and accountability to be misattributed across tenant boundaries. The flaw (CWE-639) requires only low-privilege authentication and is rated critical (CVSS 9.6) because a scope change extends the impact to other users and upstream services. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass IBM Langflow
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 5.3
MEDIUM PATCH This Month

Credit double-spend via race condition in Paymenter allows any authenticated user with a non-zero credit balance to settle multiple invoices for the cost of one. The root cause is that `lockForUpdate()` in `app/Livewire/Invoices/Show.php` is called outside a database transaction, rendering the pessimistic lock a no-op in MySQL/MariaDB and leaving the read-check-deduct sequence unprotected against concurrent execution. Successful exploitation results in direct financial or resource loss to the platform operator as `ExtensionHelper::addPayment()` provisions services or digital goods for each winning request. No public exploit has been identified at time of analysis.

Authentication Bypass Race Condition PHP
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Sandbox property allowlist bypass in Twig's `column` filter allows template authors operating under `SourcePolicyInterface`-gated sandboxing to read any public or magic property of any object reachable in the render context, circumventing `SecurityPolicy::$allowedProperties` entirely. This is a residual bypass of CVE-2026-46635, exploitable only when three conditions coexist: `SourcePolicyInterface`-based sandbox mode, `column` present in `allowedFilters`, and attacker-controlled template authoring access. The global sandbox mode and direct attribute access paths are both unaffected, making this a targeted policy enforcement gap rather than a broad sandbox failure. No public exploit has been identified at time of analysis; the vendor-released patch is Twig v3.27.0.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sandbox bypass in Twig 3.26.x allows string callables to circumvent the Closure-only restriction when applications use the deprecated `twig_array_some()` and `twig_array_every()` wrapper functions over a sandboxed Environment. The 3.26.0 source-policy hardening changed `CoreExtension::checkArrow()` to accept a boolean sandbox state, but the legacy wrappers in `src/Resources/core.php` were not updated, causing them to silently pass `false` for `$isSandboxed` and accept arbitrary string callables such as `'exec'` or `'system'` that the sandbox was designed to block. No public exploit has been identified at time of analysis, and impact is limited to the narrow subset of applications calling the deprecated wrappers with sandbox mode active.

Authentication Bypass PHP
NVD GitHub
CVSS 2.0
LOW POC PATCH Monitor

Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.

Authentication Bypass Jwt Attack Java
NVD GitHub
CVSS 8.8
HIGH PATCH This Week

{id} action yet executed by the restrictive /users list handler. No public exploit identified at time of analysis, but the technique is fully described in the AWS/GitHub advisory and trivially reproducible.

Authentication Bypass
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Authentication Bypass Jeecgboot
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Unauthenticated report data exfiltration in JimuReport (JeecgBoot) through version 2.5.0 lets remote attackers export the full contents of any report via the POST /jmreport/auto/export endpoint. Because the handler carries the @JimuNoLoginRequired annotation, JimuReportTokenInterceptor skips all authentication and the export service never checks the auto-export configuration flag, so any guessed report id is rendered and streamed back. Publicly available exploit code exists; the disclosure comes from VulnCheck and the CVSS 4.0 base score is 8.7 (High), driven by high confidentiality impact with no privileges or user interaction required.

Authentication Bypass Jimureport
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-organization report enumeration in CVAT before 2.69.0 exposes the existence of quality reports belonging to other organizations to any authenticated user. The vulnerability stems from a missing authorization gate in QualityReportViewSet.get_queryset, where the parent_id query parameter is processed without invoking check_object_permissions, allowing cross-tenant enumeration via differential HTTP response analysis. No public exploit or CISA KEV listing exists, but the attack is trivially automatable by any authenticated user in a multi-organization CVAT deployment.

Authentication Bypass Cvat
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a GitLab-backed repository run unapproved, attacker-controlled pipelines. Because the GitLab forge driver populates pipeline.Author from the spoofable git commit author name (commit.author.name) rather than the GitLab-validated user identity, an attacker simply sets the commit author to a name listed in ApprovalAllowedUsers, making needsApproval return false. This grants arbitrary CI step execution on a Woodpecker agent and exposure of CI secrets; there is no public exploit identified at time of analysis, but the issue was reported by VulnCheck and is trivially reproducible.

Authentication Bypass Gitlab Gitea +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. A publicly available exploit is referenced in the project's GitHub issue tracker; no CISA KEV listing has been confirmed at time of analysis, suggesting targeted rather than widespread exploitation.

Authentication Bypass Ruoyi Vue Plus
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation via missing authorization in HKUDS DeepTutor before 1.4.10 lets any authenticated low-privilege user invoke deployment-wide MCP (Model Context Protocol) tools they were never granted. The root cause is the allowed_mcp_tools function in deeptutor/multi_user/tool_access.py returning None (interpreted as 'allow all') instead of a denied result when the mcp_tools key is omitted from a user's grant, so a regular user - or prompt-injected content running inside their session - can enumerate and call filesystem, shell, and browser MCP servers. No public exploit is identified at the time of analysis and it is not in CISA KEV, but a vendor patch (v1.4.10) is available and the issue was reported by VulnCheck.

Authentication Bypass Deeptutor
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Nightingale
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Adobe RCE +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authentication bypass in SUSE Rancher's in-cluster admission webhook (rancher-webhook) lets a network-adjacent, unauthenticated attacker forge FleetWorkspace admission payloads so that workspace-related Kubernetes objects are created with attacker-chosen identity data. Affected releases span Rancher 0.7.0–0.7.10, 0.8.0–0.8.7, 0.9.0–0.9.6 and 0.10.0–0.10.7, with integrity impact but no direct confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is documented in SUSE/Rancher advisory GHSA-h83p-cq95-vph4.

Authentication Bypass Kubernetes Rancher
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{server_uuid}/domains endpoint silently drops team-scope enforcement when the optional uuid query parameter is supplied, producing a classic IDOR (CWE-639) condition where a user-controlled key bypasses authorization. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the low attack complexity and single authentication prerequisite make the flaw trivially exploitable by any tenant in a multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{uuid} endpoint extracts the requesting user's teamId from their authentication token but never applies it to scope the underlying database query, meaning any valid UUID is sufficient to retrieve another team's data. Exploitation requires a valid Coolify account; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{uuid}`. The DeployController.php endpoint performs no team-ownership validation against the requesting user's session, making this a textbook CWE-639 Insecure Direct Object Reference (IDOR) across tenant boundaries. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the attack is mechanically trivial once a target UUID is known.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. An attacker with a pre-existing role assignment can continue to bypass PSA policies enforced at the project level, defeating administrative intent and potentially deploying workloads that violate the cluster's security posture. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Rancher
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. There is no public exploit identified at time of analysis, and the issue is fixed in 4.0.7.

Authentication Bypass Fastify Express
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak's Identity Provider mapper component allows a restricted administrator with IdP management permissions to silently assign the built-in realm-admin role to themselves or other accounts by creating a Hardcoded Role mapper. This bypasses the authorization boundary intended to confine limited administrators within their delegated scope, resulting in full realm takeover. No public exploit code or CISA KEV listing exists at time of analysis; however, the impact is severe in multi-tenant or delegated-administration deployments where IdP management is granted to semi-trusted parties.

Authentication Bypass Red Hat Build Of Keycloak Red Hat
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized user profile disclosure in Red Hat Build of Keycloak allows low-privileged administrative users to bypass Fine-Grained Admin Permission (FGAPv2) restrictions and access complete user profiles they should only be permitted to search. An admin scoped exclusively to user-search rights can invoke the 'brute-force-user' endpoint to retrieve sensitive profile data and security metadata, circumventing the intended view-permission gate on that code path. No public exploit has been identified and the flaw is not listed in CISA KEV, but its network-accessible, low-complexity nature makes it straightforward to abuse within any Keycloak deployment that has activated FGAPv2 permission delegation.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Jboss Enterprise Application Platform Expansion Pack +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sensitive data exposure in Advantech Hospital Queuing Management lets unauthenticated remote attackers reach a specific URL and retrieve the application's API documentation, mapping out endpoints and parameters without any credentials. The flaw is rooted in missing authentication (CWE-306) on a resource that should be protected, and TWCERT rates it CVSS 4.0 9.3 (Critical). No public exploit is identified at time of analysis, but the exposed API documentation provides reconnaissance that materially lowers the barrier to follow-on attacks.

Authentication Bypass Information Disclosure Hospital Quering Management
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Apache Apache Activemq
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users.

Authentication Bypass Nokia Mantaray Nm
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated Modbus TCP exposure on the Delta Electronics DVP12SE programmable logic controller lets any network-reachable attacker invoke security-sensitive PLC functions - reading and writing process registers, coils, and configuration - with no credentials or access control. The flaw (CWE-306, Missing Authentication for a Critical Function) carries a CVSS 4.0 base of 9.3 and is documented in Delta advisory PCSA-2026-00011 alongside CVE-2026-12818. There is no public exploit identified at time of analysis and no CISA KEV listing, but the Modbus protocol is trivially scriptable and well understood, lowering the practical exploitation bar.

Authentication Bypass Dvp 12Se
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-team data exposure in Coolify (self-hostable PaaS) before 4.0.0-beta.471 allows any authenticated user to read servers and projects owned by other teams by supplying their object IDs directly. The flaw is a broken object-level authorization (IDOR) where lookups are never scoped to the requester's team, breaching the multi-tenant boundary. No public exploit identified at time of analysis, and the issue is resolved in 4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.

Authentication Bypass Strapi
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.

Authentication Bypass Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 6.5
MEDIUM This Month

Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.

Authentication Bypass Tomcat Apache +1
NVD VulDB HeroDevs
Prev Page 12 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy