Skip to main content

Authentication Bypass

31242 CVEs technique

Monthly

CVE-2026-12819 CRITICAL CISA Act Now

Unauthenticated Modbus TCP exposure on the Delta Electronics DVP12SE programmable logic controller lets any network-reachable attacker invoke security-sensitive PLC functions - reading and writing process registers, coils, and configuration - with no credentials or access control. The flaw (CWE-306, Missing Authentication for a Critical Function) carries a CVSS 4.0 base of 9.3 and is documented in Delta advisory PCSA-2026-00011 alongside CVE-2026-12818. There is no public exploit identified at time of analysis and no CISA KEV listing, but the Modbus protocol is trivially scriptable and well understood, lowering the practical exploitation bar.

Authentication Bypass Dvp 12Se
NVD VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12349 MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-34592 HIGH PATCH This Week

Cross-team data exposure in Coolify (self-hostable PaaS) before 4.0.0-beta.471 allows any authenticated user to read servers and projects owned by other teams by supplying their object IDs directly. The flaw is a broken object-level authorization (IDOR) where lookups are never scoped to the requester's team, breaching the multi-tenant boundary. No public exploit identified at time of analysis, and the issue is resolved in 4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-57997 MEDIUM PATCH This Month

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.

Authentication Bypass Strapi
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-54475 HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq Activemq Broker
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55956 MEDIUM This Month

Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55955 MEDIUM This Month

Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-41896 HIGH PATCH This Week

Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is trivial against affected default configurations.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57498 CRITICAL POC PATCH Act Now

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13763 HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Request Smuggling Authentication Bypass Aws Application Load Balancer
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-13762 HIGH POC HOSTED Monitor

WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Amazon Cloudfront
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-43701 HIGH PATCH This Week

Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57956 MEDIUM This Month

Broken tenant isolation in SigNoz through 0.130.1 allows authenticated users from one organization to read, modify, and delete alert rules belonging to entirely separate organizations by directly supplying a target rule UUID via API. The alert rule store predicates omit organization ID filtering - a textbook Insecure Direct Object Reference (CWE-639) - collapsing the multi-tenant access boundary. No active exploitation is confirmed (not in CISA KEV) and no public POC has been independently confirmed, though the referenced GitHub issue may expose sufficient technical detail for manual exploitation by any credentialed user on a shared SigNoz instance.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.2%
CVE-2026-57954 MEDIUM This Month

Sort-expression permission bypass in Yahoo Elide through 7.1.17 allows authenticated network attackers to leak relative values of @ReadPermission-protected fields by sorting API collections on forbidden field names. The flaw exists in SortingImpl.getValidSortingRules, which accepts client-controlled sort keys without verifying the caller's read authorization, exposing a classic side-channel across both JSON:API and GraphQL read endpoints. No public exploit code has been identified and no CISA KEV listing exists, but the attack is low-complexity for any authenticated user on an affected deployment.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57953 MEDIUM PATCH This Month

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. No public exploit code has been identified and no CISA KEV listing exists; a vendor-released patch is available in v3.4.0.60.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57952 MEDIUM PATCH This Month

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-57951 HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57950 HIGH This Week

Broken access control in the ErpSaleOrderController of ruoyi-vue-pro (through version 2026.05) lets authenticated users holding only shipment-level 'erp:sale-out' permissions perform full create, read, update, and delete operations on financially sensitive ERP sale orders. The controller enforces the wrong permission namespace ('erp:sale-out' instead of the intended 'erp:sale-order'), so low-privileged warehouse/shipment operators effectively gain order-management authority. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix exists as commit 5d1fd70.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-57949 HIGH This Week

Broken object-level authorization (IDOR) in the ruoyi-vue-pro CRM module lets any authenticated user read arbitrary follow-up records via the GET /admin-api/crm/follow-up-record/get endpoint, which fails to verify record ownership. Because record IDs are sequential integers, a low-privileged user can enumerate IDs to harvest other users' follow-up notes, file attachments, scheduling data, and linked business-entity references. No public exploit or active exploitation has been reported; the issue is fixed upstream in commit c779a47.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57947 MEDIUM This Month

Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 subsequent-system confidentiality impact is rated High, reflecting the potential to enumerate internal services or harvest cloud credentials.

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-57946 MEDIUM PATCH This Month

Unauthenticated access to private playlist data in Invidious before v2.20260626.0 is possible via a broken authorization check on the RSS feed playlist endpoint. By supplying a known playlist ID to this endpoint, a remote attacker with no credentials can retrieve the full contents of a private playlist, the owner's email address, and all associated video entries. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v2.20260626.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-57945 MEDIUM PATCH This Month

{uid} API endpoint allows any authenticated non-admin user to overwrite another user's profile information by substituting an arbitrary user identifier in the request path. Affected are all PhotoPrism deployments running versions prior to 260601-a7d098548 that host multiple user accounts. No active exploitation has been confirmed by CISA KEV and no public exploit code is known at time of analysis, though the attack requires only a valid low-privileged session and knowledge of a target user's UID.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57943 MEDIUM PATCH This Month

Broken object-level authorization (BOLA/IDOR) in LibrePhotos prior to version 1.0.0 allows any authenticated user to read private photos belonging to other users by manipulating shared_to relationship parameters in the SetPhotosShared endpoint without server-side ownership validation. The attack vector is network-accessible and requires only a low-privilege account, delivering high confidentiality impact against victim photo libraries. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available as version 1.0.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-57942 MEDIUM This Month

IP spoofing in LibreTranslate through 1.9.7 allows unauthenticated remote attackers to bypass per-IP rate limiting and flood bans by injecting arbitrary values into the X-Forwarded-For HTTP header. The get_remote_address() function accepts client-supplied header values without validating that the request originated from a trusted proxy, enabling any attacker to present a rotating set of forged IP addresses and evade API abuse controls entirely. No public exploit code has been identified at time of analysis, but the technique requires no authentication and trivially low technical skill given the well-known nature of X-Forwarded-For abuse.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56782 CRITICAL POC PATCH Act Now

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-56781 MEDIUM PATCH This Month

Hidden field data disclosure in Teable before 2026-06-15T04-43-24Z.1912 allows unauthenticated remote attackers to bypass share view field visibility restrictions by supplying arbitrary field IDs in the API projection parameter. The share view records endpoint fails to enforce server-side field visibility policy, permitting any caller with access to a public share URL to read field values the table owner explicitly marked as hidden. No public exploit code has been identified at time of analysis, but the attack is trivially repeatable - field IDs are enumerable from unauthenticated share metadata, requiring no special tools or privileges beyond network access.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56780 HIGH PATCH This Week

{pk}/password/ endpoint, which fails to enforce object-level authorization (CWE-639 IDOR). By simply supplying another user's primary key, a domain-scoped admin can take over the highest-privileged account and gain full control of the mail platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is upstream in PR #4038 (commit a1878c4).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-48717 Maven MEDIUM PATCH GHSA This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
CVE-2026-47426 Maven HIGH PATCH GHSA This Week

Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. There is no public exploit identified at time of analysis, no CVSS or EPSS data was supplied, and the issue is not listed in CISA KEV; it was fixed in version 16.1.1.

Authentication Bypass
NVD GitHub
CVE-2026-49049 HIGH POC This Week

Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.

Authentication Bypass Helix3 Extension For Joomla
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56290 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
0.2%
Threat
5.0
CVE-2026-57341 MEDIUM This Month

Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, and no patched version number was independently confirmed in the available intelligence.

Authentication Bypass WordPress Colissimo Officiel
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57340 MEDIUM This Month

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.

Authentication Bypass WordPress Japanized For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57339 MEDIUM This Month

Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.

Authentication Bypass Business Directory
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57335 MEDIUM This Month

Broken access control in the Ads by WPQuads WordPress plugin (versions <= 3.0.3) allows authenticated subscribers to perform privileged administrative actions they are explicitly unauthorized to execute. The flaw, classified under CWE-862 (Missing Authorization), results in high integrity impact with no confidentiality or availability effect, per the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N vector. No active exploitation has been identified in CISA KEV at time of analysis, though the low attack complexity and widely deployed WordPress ecosystem make this a realistic risk for any site with open subscriber registration.

Authentication Bypass Ads By Wpquads
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57334 MEDIUM This Month

Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, though the unauthenticated, low-complexity nature of the vulnerability lowers the bar for casual abuse.

Authentication Bypass Wp User Frontend
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57332 HIGH This Week

Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Wallet System For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57327 MEDIUM This Month

Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.

Authentication Bypass Mainwp
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-13676 HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13568 MEDIUM This Month

Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.

Authentication Bypass PHP Inventory Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13553 MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-57676 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13549 LOW POC Monitor

Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.

Authentication Bypass PHP Complaint Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13546 MEDIUM POC This Month

Unauthenticated access to the /api/articles REST API endpoint in Feehi CMS up to version 2.1.1 exposes article management functions without any credential verification, allowing remote attackers to interact with CMS content at low complexity and zero privilege. A publicly available proof-of-concept exploit exists via a GitHub issue report. The vendor has not responded to the disclosure, leaving installations without an official patch; no KEV listing indicates no confirmed mass exploitation at time of analysis, but the no-authentication network vector makes this trivially accessible to any internet-facing attacker.

Authentication Bypass Cms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13544 LOW POC Monitor

Improper access control in Feehi CMS up to version 2.1.1 allows low-privileged remote attackers to perform unauthorized operations against the /api/users API endpoint. Exploitation of CWE-284 at this endpoint enables access to or manipulation of user data beyond what the authenticated role should permit, representing an authentication bypass at the authorization layer. A public exploit exists per GitHub issue #89; no vendor patch or response has been issued as of analysis time, leaving the exposure unmitigated.

Authentication Bypass Cms
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13543 LOW POC PATCH Monitor

Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.

Authentication Bypass Google Documenso
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.4%
CVE-2025-2902 HIGH This Week

Improper authorization in the Maintenance Utility of Hitachi Virtual Storage Platform (VSP) enterprise storage arrays allows an authenticated low-privileged user to perform actions beyond their authorization, undermining the integrity and availability of the storage controller. The flaw affects the VSP E-series, VSP 5000-series, and VSP G/F-series families running pre-fix DKCMAIN and GUM firmware, and was reported by Hitachi itself; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Hitachi Virtual Storage Platform E390 E590 E790 E990 E1090 E390H E590H E790H E1090H Hitachi Virtual Storage Platform 5100 5500 5100H 5500H 5200 5600 5200H 5600H Hitachi Virtual Storage Platform G130 G150 G350 G370 G700 G900 F350 F370 F700 F900
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13534 LOW POC PATCH Monitor

Authorization bypass in CherryHQ Cherry Studio up to version 1.9.7 allows authenticated remote attackers to cross user/agent memory isolation boundaries by manipulating memory content to produce SHA-256 hash collisions in the MemoryService deduplication logic. The vulnerable CherryIN Preload API component computed memory hashes solely from content, without scoping them to userId or agentId, enabling crafted inputs to match records belonging to other users. A public exploit exists per GitHub issue #15411, and a vendor patch is available via PR #15413; the vendor notes the memory feature is slated for removal in v2.

Authentication Bypass Cherry Studio
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-13524 LOW POC PATCH Monitor

Cherry Studio's MCP OAuth Local Callback Server, in all versions up to 1.9.6, accepts OAuth authorization code callbacks without validating the OAuth `state` parameter, enabling authorization code injection attacks. The PR diff confirms that `src/main/services/mcp/oauth/callback.ts` processed any inbound `code` value without checking a bound state token, allowing a network-positioned attacker to substitute a malicious authorization code during an active OAuth flow. A public exploit has been disclosed via GitHub issue #15372; no confirmed patched release exists - only an unmerged fix PR (#15388) - and no active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass Cherry Studio
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-13514 LOW Monitor

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 4.0
0.9
EPSS
0.1%
CVE-2026-51221 HIGH This Week

Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.

Authentication Bypass Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13512 LOW Monitor

Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. Publicly available exploit code exists; no patched release has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13511 LOW POC PATCH Monitor

Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.

Authentication Bypass Voltagent
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-13508 LOW Monitor

Incorrect authorization in khoj's Conversation Sharing Handler exposes private agent configurations to authenticated low-privileged users in versions up to 2.0.0-beta.28. The conversation.agent parameter is passed through shared conversation copy paths in src/khoj/routers/api_chat.py without verifying the requesting user's permission to access that agent, allowing leakage of private agent personality instructions and system prompts across trust boundaries. A proof-of-concept has been published (CVSS 4.0 E:P); the vulnerability is not in CISA KEV, and no officially released patch version has been confirmed.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13490 MEDIUM This Month

Authorization bypass in GLPI 11.0.5 through 11.0.7 exposes restricted documents to unauthorized network-based access via a manipulable docid parameter in the document download handler. The vulnerability resides in the Document::canViewFile authorization check within front/document.send.php, where an attacker can tamper with the docid argument to circumvent document-level access controls and retrieve files they are not permitted to view. No public exploit has been identified at time of analysis, and EPSS data was not provided; however, the remote network vector with no required privileges raises concern for exposed GLPI deployments.

Authentication Bypass PHP Glpi
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13484 LOW POC Monitor

Missing authorization in MLflow's Experiment-scoped Label Schema CRUD API allows a remote, low-privileged attacker to perform unauthorized read, create, update, or delete operations on label schema resources. The vulnerability stems from a pre-release feature that was disclosed before its authentication handlers were implemented - a GitHub maintainer confirmed: 'The auth handlers will be added before the release.' A proof-of-concept is publicly available via the referenced GitHub issue. Despite network accessibility, the CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope, and no CISA KEV listing has been issued.

Authentication Bypass Mlflow
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-58056 HIGH POC This Week

Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse input and invoke the screenshot and display-capture handlers, escalating a limited file-transfer session into full interactive remote control and screen surveillance. The defect arises because RustDesk gates incoming control messages on per-capability flags that a file-transfer session never clears, rather than on the session's authorized connection type. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.

Authentication Bypass Rustdesk
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-45259 MEDIUM This Month

Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.

Authentication Bypass Freebsd
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-3462 MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12432 MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12471 MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11773 MEDIUM This Month

Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.

Authentication Bypass WordPress Masteriyo Lms Lms Course Builder Quizzes Certificates
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9233 MEDIUM This Month

Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11364 MEDIUM This Month

Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass WordPress Product Specifications For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9242 MEDIUM This Month

Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.

WordPress Authentication Bypass Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11987 MEDIUM This Month

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Dokan
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12404 MEDIUM This Month

Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-54244 PHP LOW PATCH GHSA Monitor

Incorrect authorization in Statamic CMS's Live Preview endpoint allows authenticated Control Panel users with view-only permissions to submit and render arbitrary field values they are not authorized to edit. By exploiting this flaw, a restricted user can generate a shareable Live Preview URL that displays unauthorized content as if authored through legitimate editorial workflow. No public exploit code or active exploitation has been identified; this is a low-severity integrity issue confirmed patched by the vendor in versions 5.74.0 and 6.20.3.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.5
CVE-2026-54242 PHP MEDIUM PATCH GHSA This Month

Server-Side Request Forgery (SSRF) in Statamic CMS allows authenticated low-privilege users to cause the server to make HTTP requests to internal addresses - including loopback, RFC-1918 private ranges, and cloud metadata endpoints such as 169.254.169.254 - by exploiting a DNS rebinding flaw in the Glide image proxy. Affected versions are statamic/cms before 5.73.24 and 6.x before 6.20.1 on sites that accept user-supplied remote image URLs. No public exploit or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector and cloud metadata exposure make this a meaningful risk for cloud-hosted deployments.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.9
CVE-2026-31928 CRITICAL CISA Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50029 npm MEDIUM POC PATCH GHSA This Month

Silent type confusion in js-toml's TOML interpreter allows attacker-controlled input to overwrite falsy primitive values (false, 0, empty string) with truthy objects, defeating duplicate-key enforcement required by TOML 1.0.0 spec. All versions of js-toml up to and including 1.1.1 are affected via the npm package (pkg:npm/js-toml). Attackers who can supply TOML input to an application using this parser can cause security-gated boolean checks such as if (config.isAdmin) or if (!user.banned) to silently evaluate as truthy, enabling authentication bypass. A working proof-of-concept is publicly available in the GitHub security advisory GHSA-m34p-749j-x6m6; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
CVE-2026-49258 Go HIGH GHSA This Week

Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is trivial for any non-admin user once one exists.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
8.8
CVE-2026-53577 MEDIUM PATCH This Month

Unauthorized file read in Kestra's execution preview API allows any authenticated tenant user to access output files from executions they do not own, bypassing both execution-level and namespace-level isolation. Affected versions span the 1.0.x branch prior to 1.0.45 and the 1.3.x branch prior to 1.3.21. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and purely network-based exploitation path make this a meaningful risk in multi-tenant or shared Kestra deployments where execution output may contain sensitive pipeline data.

Authentication Bypass Kestra
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-41262 Go MEDIUM POC PATCH GHSA This Month

Cross-team policy data exposure in Fleet DM allows any authenticated user holding observer-level access on a single team to read the full policy details - including SQL queries, host compliance counts, and software/script metadata - of policies belonging to any other team in the instance. The vulnerability stems from an authorization check performed against a placeholder empty struct (nil TeamID) rather than the actual fetched policy object, causing Fleet's OPA authorization engine to incorrectly grant access. A public proof-of-concept is included in the GitHub advisory (GHSA-gm7f-v959-fr2g); no active exploitation has been confirmed via CISA KEV. The issue is fixed in Fleet DM v4.85.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-55189 HIGH This Week

Authorization bypass in RustFS (1.0.0-alpha.1 through pre-beta.9 builds) lets any user able to authenticate to the optional FTP listener read and stat arbitrary objects in any bucket, even when their IAM policy explicitly Denies s3:GetObject. The FTP read/probe handlers (RETR, SIZE, MDTM, CWD) dispatch straight to the storage backend and skip the IAM authorization check enforced everywhere else, breaking tenant/object isolation. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score was provided.

Authentication Bypass Rustfs
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-55838 MEDIUM This Month

Unauthorized access to the admin metrics endpoint in RustFS 1.0.0-beta.7 and earlier allows any authenticated IAM user to read server-wide operational telemetry regardless of their assigned policy. The MetricsHandler for /rustfs/admin/v3/metrics omits the validate_admin_request call that every other admin handler enforces, exposing disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state to restricted users whose policies should grant no such visibility. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Rustfs
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44733 MEDIUM PATCH This Month

Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-44731 MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-53320 MEDIUM PATCH This Month

Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). No active exploitation has been identified (EPSS 0.17%, not in CISA KEV), and patches are available across all actively maintained Linux stable branches.

Authentication Bypass Linux
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53304 MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-44732 MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44734 MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-44735 MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52779 MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-52782 CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-48751 Go CRITICAL POC PATCH GHSA Act Now

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation.

Authentication Bypass Debian
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48743 HIGH PATCH This Week

HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.

Request Smuggling Authentication Bypass Envoy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46619 Maven HIGH PATCH GHSA This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
CVE-2026-44161 Ruby HIGH PATCH GHSA This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated Modbus TCP exposure on the Delta Electronics DVP12SE programmable logic controller lets any network-reachable attacker invoke security-sensitive PLC functions - reading and writing process registers, coils, and configuration - with no credentials or access control. The flaw (CWE-306, Missing Authentication for a Critical Function) carries a CVSS 4.0 base of 9.3 and is documented in Delta advisory PCSA-2026-00011 alongside CVE-2026-12818. There is no public exploit identified at time of analysis and no CISA KEV listing, but the Modbus protocol is trivially scriptable and well understood, lowering the practical exploitation bar.

Authentication Bypass Dvp 12Se
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-team data exposure in Coolify (self-hostable PaaS) before 4.0.0-beta.471 allows any authenticated user to read servers and projects owned by other teams by supplying their object IDs directly. The flaw is a broken object-level authorization (IDOR) where lookups are never scoped to the requester's team, breaching the multi-tenant boundary. No public exploit identified at time of analysis, and the issue is resolved in 4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.

Authentication Bypass Strapi
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.

Authentication Bypass Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 6.5
MEDIUM This Month

Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.

Authentication Bypass Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is trivial against affected default configurations.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 7.9
HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Request Smuggling Authentication Bypass Aws Application Load Balancer
NVD GitHub
EPSS 0% CVSS 7.9
HIGH POC HOSTED Monitor

WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Amazon Cloudfront
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Broken tenant isolation in SigNoz through 0.130.1 allows authenticated users from one organization to read, modify, and delete alert rules belonging to entirely separate organizations by directly supplying a target rule UUID via API. The alert rule store predicates omit organization ID filtering - a textbook Insecure Direct Object Reference (CWE-639) - collapsing the multi-tenant access boundary. No active exploitation is confirmed (not in CISA KEV) and no public POC has been independently confirmed, though the referenced GitHub issue may expose sufficient technical detail for manual exploitation by any credentialed user on a shared SigNoz instance.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sort-expression permission bypass in Yahoo Elide through 7.1.17 allows authenticated network attackers to leak relative values of @ReadPermission-protected fields by sorting API collections on forbidden field names. The flaw exists in SortingImpl.getValidSortingRules, which accepts client-controlled sort keys without verifying the caller's read authorization, exposing a classic side-channel across both JSON:API and GraphQL read endpoints. No public exploit code has been identified and no CISA KEV listing exists, but the attack is low-complexity for any authenticated user on an affected deployment.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. No public exploit code has been identified and no CISA KEV listing exists; a vendor-released patch is available in v3.4.0.60.

Authentication Bypass Mythic
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.

Authentication Bypass Mythic
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Broken access control in the ErpSaleOrderController of ruoyi-vue-pro (through version 2026.05) lets authenticated users holding only shipment-level 'erp:sale-out' permissions perform full create, read, update, and delete operations on financially sensitive ERP sale orders. The controller enforces the wrong permission namespace ('erp:sale-out' instead of the intended 'erp:sale-order'), so low-privileged warehouse/shipment operators effectively gain order-management authority. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix exists as commit 5d1fd70.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization (IDOR) in the ruoyi-vue-pro CRM module lets any authenticated user read arbitrary follow-up records via the GET /admin-api/crm/follow-up-record/get endpoint, which fails to verify record ownership. Because record IDs are sequential integers, a low-privileged user can enumerate IDs to harvest other users' follow-up notes, file attachments, scheduling data, and linked business-entity references. No public exploit or active exploitation has been reported; the issue is fixed upstream in commit c779a47.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 subsequent-system confidentiality impact is rated High, reflecting the potential to enumerate internal services or harvest cloud credentials.

Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated access to private playlist data in Invidious before v2.20260626.0 is possible via a broken authorization check on the RSS feed playlist endpoint. By supplying a known playlist ID to this endpoint, a remote attacker with no credentials can retrieve the full contents of a private playlist, the owner's email address, and all associated video entries. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v2.20260626.0.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{uid} API endpoint allows any authenticated non-admin user to overwrite another user's profile information by substituting an arbitrary user identifier in the request path. Affected are all PhotoPrism deployments running versions prior to 260601-a7d098548 that host multiple user accounts. No active exploitation has been confirmed by CISA KEV and no public exploit code is known at time of analysis, though the attack requires only a valid low-privileged session and knowledge of a target user's UID.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Broken object-level authorization (BOLA/IDOR) in LibrePhotos prior to version 1.0.0 allows any authenticated user to read private photos belonging to other users by manipulating shared_to relationship parameters in the SetPhotosShared endpoint without server-side ownership validation. The attack vector is network-accessible and requires only a low-privilege account, delivering high confidentiality impact against victim photo libraries. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available as version 1.0.0.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

IP spoofing in LibreTranslate through 1.9.7 allows unauthenticated remote attackers to bypass per-IP rate limiting and flood bans by injecting arbitrary values into the X-Forwarded-For HTTP header. The get_remote_address() function accepts client-supplied header values without validating that the request originated from a trusted proxy, enabling any attacker to present a rotating set of forged IP addresses and evade API abuse controls entirely. No public exploit code has been identified at time of analysis, but the technique requires no authentication and trivially low technical skill given the well-known nature of X-Forwarded-For abuse.

Authentication Bypass
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden field data disclosure in Teable before 2026-06-15T04-43-24Z.1912 allows unauthenticated remote attackers to bypass share view field visibility restrictions by supplying arbitrary field IDs in the API projection parameter. The share view records endpoint fails to enforce server-side field visibility policy, permitting any caller with access to a public share URL to read field values the table owner explicitly marked as hidden. No public exploit code has been identified at time of analysis, but the attack is trivially repeatable - field IDs are enumerable from unauthenticated share metadata, requiring no special tools or privileges beyond network access.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

{pk}/password/ endpoint, which fails to enforce object-level authorization (CWE-639 IDOR). By simply supplying another user's primary key, a domain-scoped admin can take over the highest-privileged account and gain full control of the mail platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is upstream in PR #4038 (commit a1878c4).

Authentication Bypass
NVD GitHub VulDB
MEDIUM PATCH This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
HIGH PATCH This Week

Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. There is no public exploit identified at time of analysis, no CVSS or EPSS data was supplied, and the issue is not listed in CISA KEV; it was fixed in version 16.1.1.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.

Authentication Bypass Helix3 Extension For Joomla
NVD VulDB GitHub
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, and no patched version number was independently confirmed in the available intelligence.

Authentication Bypass WordPress Colissimo Officiel
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.

Authentication Bypass WordPress Japanized For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.

Authentication Bypass Business Directory
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Ads by WPQuads WordPress plugin (versions <= 3.0.3) allows authenticated subscribers to perform privileged administrative actions they are explicitly unauthorized to execute. The flaw, classified under CWE-862 (Missing Authorization), results in high integrity impact with no confidentiality or availability effect, per the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N vector. No active exploitation has been identified in CISA KEV at time of analysis, though the low attack complexity and widely deployed WordPress ecosystem make this a realistic risk for any site with open subscriber registration.

Authentication Bypass Ads By Wpquads
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, though the unauthenticated, low-complexity nature of the vulnerability lowers the bar for casual abuse.

Authentication Bypass Wp User Frontend
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Wallet System For Woocommerce
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.

Authentication Bypass Mainwp
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.

Authentication Bypass PHP Inventory Management System
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.

Authentication Bypass PHP Complaint Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated access to the /api/articles REST API endpoint in Feehi CMS up to version 2.1.1 exposes article management functions without any credential verification, allowing remote attackers to interact with CMS content at low complexity and zero privilege. A publicly available proof-of-concept exploit exists via a GitHub issue report. The vendor has not responded to the disclosure, leaving installations without an official patch; no KEV listing indicates no confirmed mass exploitation at time of analysis, but the no-authentication network vector makes this trivially accessible to any internet-facing attacker.

Authentication Bypass Cms
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in Feehi CMS up to version 2.1.1 allows low-privileged remote attackers to perform unauthorized operations against the /api/users API endpoint. Exploitation of CWE-284 at this endpoint enables access to or manipulation of user data beyond what the authenticated role should permit, representing an authentication bypass at the authorization layer. A public exploit exists per GitHub issue #89; no vendor patch or response has been issued as of analysis time, leaving the exposure unmitigated.

Authentication Bypass Cms
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.

Authentication Bypass Google Documenso
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Improper authorization in the Maintenance Utility of Hitachi Virtual Storage Platform (VSP) enterprise storage arrays allows an authenticated low-privileged user to perform actions beyond their authorization, undermining the integrity and availability of the storage controller. The flaw affects the VSP E-series, VSP 5000-series, and VSP G/F-series families running pre-fix DKCMAIN and GUM firmware, and was reported by Hitachi itself; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Hitachi Virtual Storage Platform E390 E590 E790 E990 E1090 E390H E590H E790H E1090H Hitachi Virtual Storage Platform 5100 5500 5100H 5500H 5200 5600 5200H 5600H +1
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Authorization bypass in CherryHQ Cherry Studio up to version 1.9.7 allows authenticated remote attackers to cross user/agent memory isolation boundaries by manipulating memory content to produce SHA-256 hash collisions in the MemoryService deduplication logic. The vulnerable CherryIN Preload API component computed memory hashes solely from content, without scoping them to userId or agentId, enabling crafted inputs to match records belonging to other users. A public exploit exists per GitHub issue #15411, and a vendor patch is available via PR #15413; the vendor notes the memory feature is slated for removal in v2.

Authentication Bypass Cherry Studio
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Cherry Studio's MCP OAuth Local Callback Server, in all versions up to 1.9.6, accepts OAuth authorization code callbacks without validating the OAuth `state` parameter, enabling authorization code injection attacks. The PR diff confirms that `src/main/services/mcp/oauth/callback.ts` processed any inbound `code` value without checking a bound state token, allowing a network-positioned attacker to substitute a malicious authorization code during an active OAuth flow. A public exploit has been disclosed via GitHub issue #15372; no confirmed patched release exists - only an unmerged fix PR (#15388) - and no active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass Cherry Studio
NVD VulDB GitHub
EPSS 0% CVSS 0.9
LOW Monitor

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.

Authentication Bypass Google
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.

Authentication Bypass Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. Publicly available exploit code exists; no patched release has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.

Authentication Bypass Voltagent
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Incorrect authorization in khoj's Conversation Sharing Handler exposes private agent configurations to authenticated low-privileged users in versions up to 2.0.0-beta.28. The conversation.agent parameter is passed through shared conversation copy paths in src/khoj/routers/api_chat.py without verifying the requesting user's permission to access that agent, allowing leakage of private agent personality instructions and system prompts across trust boundaries. A proof-of-concept has been published (CVSS 4.0 E:P); the vulnerability is not in CISA KEV, and no officially released patch version has been confirmed.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Authorization bypass in GLPI 11.0.5 through 11.0.7 exposes restricted documents to unauthorized network-based access via a manipulable docid parameter in the document download handler. The vulnerability resides in the Document::canViewFile authorization check within front/document.send.php, where an attacker can tamper with the docid argument to circumvent document-level access controls and retrieve files they are not permitted to view. No public exploit has been identified at time of analysis, and EPSS data was not provided; however, the remote network vector with no required privileges raises concern for exposed GLPI deployments.

Authentication Bypass PHP Glpi
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

Missing authorization in MLflow's Experiment-scoped Label Schema CRUD API allows a remote, low-privileged attacker to perform unauthorized read, create, update, or delete operations on label schema resources. The vulnerability stems from a pre-release feature that was disclosed before its authentication handlers were implemented - a GitHub maintainer confirmed: 'The auth handlers will be added before the release.' A proof-of-concept is publicly available via the referenced GitHub issue. Despite network accessibility, the CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope, and no CISA KEV listing has been issued.

Authentication Bypass Mlflow
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse input and invoke the screenshot and display-capture handlers, escalating a limited file-transfer session into full interactive remote control and screen surveillance. The defect arises because RustDesk gates incoming control messages on per-capability flags that a file-transfer session never clears, rather than on the session's authorized connection type. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.

Authentication Bypass Rustdesk
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.

Authentication Bypass Freebsd
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.

Authentication Bypass WordPress Masteriyo Lms Lms Course Builder Quizzes Certificates
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass WordPress Product Specifications For Woocommerce
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.

WordPress Authentication Bypass Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Dokan
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.5
LOW PATCH Monitor

Incorrect authorization in Statamic CMS's Live Preview endpoint allows authenticated Control Panel users with view-only permissions to submit and render arbitrary field values they are not authorized to edit. By exploiting this flaw, a restricted user can generate a shareable Live Preview URL that displays unauthorized content as if authored through legitimate editorial workflow. No public exploit code or active exploitation has been identified; this is a low-severity integrity issue confirmed patched by the vendor in versions 5.74.0 and 6.20.3.

Authentication Bypass
NVD GitHub
CVSS 4.9
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Statamic CMS allows authenticated low-privilege users to cause the server to make HTTP requests to internal addresses - including loopback, RFC-1918 private ranges, and cloud metadata endpoints such as 169.254.169.254 - by exploiting a DNS rebinding flaw in the Glide image proxy. Affected versions are statamic/cms before 5.73.24 and 6.x before 6.20.1 on sites that accept user-supplied remote image URLs. No public exploit or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector and cloud metadata exposure make this a meaningful risk for cloud-hosted deployments.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB
CVSS 5.3
MEDIUM POC PATCH This Month

Silent type confusion in js-toml's TOML interpreter allows attacker-controlled input to overwrite falsy primitive values (false, 0, empty string) with truthy objects, defeating duplicate-key enforcement required by TOML 1.0.0 spec. All versions of js-toml up to and including 1.1.1 are affected via the npm package (pkg:npm/js-toml). Attackers who can supply TOML input to an application using this parser can cause security-gated boolean checks such as if (config.isAdmin) or if (!user.banned) to silently evaluate as truthy, enabling authentication bypass. A working proof-of-concept is publicly available in the GitHub security advisory GHSA-m34p-749j-x6m6; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 8.8
HIGH This Week

Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is trivial for any non-admin user once one exists.

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthorized file read in Kestra's execution preview API allows any authenticated tenant user to access output files from executions they do not own, bypassing both execution-level and namespace-level isolation. Affected versions span the 1.0.x branch prior to 1.0.45 and the 1.3.x branch prior to 1.3.21. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and purely network-based exploitation path make this a meaningful risk in multi-tenant or shared Kestra deployments where execution output may contain sensitive pipeline data.

Authentication Bypass Kestra
NVD GitHub VulDB
CVSS 4.3
MEDIUM POC PATCH This Month

Cross-team policy data exposure in Fleet DM allows any authenticated user holding observer-level access on a single team to read the full policy details - including SQL queries, host compliance counts, and software/script metadata - of policies belonging to any other team in the instance. The vulnerability stems from an authorization check performed against a placeholder empty struct (nil TeamID) rather than the actual fetched policy object, causing Fleet's OPA authorization engine to incorrectly grant access. A public proof-of-concept is included in the GitHub advisory (GHSA-gm7f-v959-fr2g); no active exploitation has been confirmed via CISA KEV. The issue is fixed in Fleet DM v4.85.0.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Authorization bypass in RustFS (1.0.0-alpha.1 through pre-beta.9 builds) lets any user able to authenticate to the optional FTP listener read and stat arbitrary objects in any bucket, even when their IAM policy explicitly Denies s3:GetObject. The FTP read/probe handlers (RETR, SIZE, MDTM, CWD) dispatch straight to the storage backend and skip the IAM authorization check enforced everywhere else, breaking tenant/object isolation. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score was provided.

Authentication Bypass Rustfs
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized access to the admin metrics endpoint in RustFS 1.0.0-beta.7 and earlier allows any authenticated IAM user to read server-wide operational telemetry regardless of their assigned policy. The MetricsHandler for /rustfs/admin/v3/metrics omits the validate_admin_request call that every other admin handler enforces, exposing disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state to restricted users whose policies should grant no such visibility. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Rustfs
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). No active exploitation has been identified (EPSS 0.17%, not in CISA KEV), and patches are available across all actively maintained Linux stable branches.

Authentication Bypass Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation.

Authentication Bypass Debian
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.

Request Smuggling Authentication Bypass Envoy
NVD GitHub
HIGH PATCH This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
Prev Page 13 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy