Skip to main content

Authentication Bypass

31254 CVEs technique

Monthly

CVE-2026-44731 MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-53320 MEDIUM PATCH This Month

Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). No active exploitation has been identified (EPSS 0.17%, not in CISA KEV), and patches are available across all actively maintained Linux stable branches.

Authentication Bypass Linux
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53304 MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-44732 MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44734 MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-44735 MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52779 MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-52782 CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-48751 Go CRITICAL POC PATCH GHSA Act Now

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation.

Authentication Bypass Debian
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48743 HIGH PATCH This Week

HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.

Request Smuggling Authentication Bypass Envoy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46619 Maven HIGH PATCH GHSA This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
CVE-2026-44161 Ruby HIGH PATCH GHSA This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-56823 MEDIUM PATCH This Month

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the target webhook belongs to them. An attacker with a valid account can confirm webhook existence, leak OAuth provider metadata, and trigger unauthorized ping deliveries on behalf of other users. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Autogpt
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57518 HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation PHP Pagekit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-9640 HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-12411 CRITICAL PATCH Act Now

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. Rated CVSS 9.6 with a scope change and CISA SSVC 'total' technical impact; SSVC lists exploitation as proof-of-concept, but EPSS is very low (0.11%, 1st percentile) and it is not in CISA KEV.

Authentication Bypass Canonical Lxd
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-57665 MEDIUM This Month

Unauthenticated IDOR in GravityView WordPress plugin (≤ 3.0.0) allows remote attackers to bypass object-level authorization and access form entry data belonging to other users without any credentials or interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is trivially reachable over the network with no prerequisites beyond the plugin being active and a view being publicly rendered. No public exploit code or CISA KEV listing has been identified at time of analysis, but the zero-authentication requirement and low complexity make manual exploitation straightforward.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57661 MEDIUM This Month

Broken access control in WPComplete WordPress plugin versions up to and including 2.9.5.5 allows authenticated subscribers to perform actions reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privileged WordPress users to bypass access restrictions on plugin functionality. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit by any subscriber-level account.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57660 MEDIUM This Month

Unauthenticated broken access control in the Booking and Rental Manager WordPress plugin (versions <= 2.7.1) allows remote unauthenticated attackers to perform restricted actions, resulting in unauthorized integrity modifications to booking or rental data. The flaw stems from missing authorization checks (CWE-862), meaning any network-accessible request can bypass intended access controls without credentials. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 5.3 (Medium) reflects the limited impact scope - integrity only, no confidentiality or availability loss.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57654 MEDIUM This Month

Broken Access Control in the Affiliates Manager WordPress plugin (versions <= 2.9.49) allows an authenticated low-privilege user to perform unauthorized affiliate management actions, achieving high integrity impact due to missing authorization checks (CWE-862). The CVSS vector (PR:L, AV:N, AC:L) confirms exploitation is network-accessible with minimal complexity, requiring only a valid low-privilege account. No active exploitation has been identified at time of analysis, and no patched version has been independently confirmed from the available intelligence.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57652 MEDIUM This Month

Unauthenticated IDOR in the JS Help Desk WordPress plugin (versions ≤3.1.0) exposes support ticket objects to unauthorized access by any remote attacker. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against a default plugin installation. Impact is limited to confidentiality (C:L), enabling enumeration and read access to other users' ticket data; no public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57649 MEDIUM This Month

Broken access control in the Shoppable Images Lite WordPress plugin (versions 1.3 and below) allows subscriber-level authenticated users to perform actions or access data beyond their authorized scope. Rooted in CWE-862 (Missing Authorization), the plugin fails to verify whether the requesting user holds sufficient privileges before executing restricted functionality. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis; real-world risk is tempered by the authentication prerequisite and the plugin's limited deployment footprint.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57648 MEDIUM This Month

Broken access control in the Nelio Content WordPress plugin (versions 4.3.4 and earlier) allows authenticated users holding only the Contributor role to bypass intended authorization restrictions and perform actions reserved for higher-privileged roles. The root cause is missing authorization checks (CWE-862) on one or more plugin endpoints, enabling unauthorized integrity-affecting operations on content managed by the plugin. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57646 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Majestic Support WordPress plugin (versions up to and including 1.1.7) allows any authenticated subscriber-level user to access or modify support objects belonging to other users by manipulating user-controlled resource identifiers. Reported by Patchstack's audit team and tracked as EUVD-2026-39761, the flaw carries a CVSS 5.4 Medium rating with both confidentiality and integrity impact confirmed. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and broad attacker pool (any registered WordPress user) make it a meaningful risk on multi-tenant or customer-facing WordPress installations running this plugin.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57645 HIGH This Week

Improper authorization (CWE-862) in the WordPress "Newsletters" plugin (newsletters-lite) versions 4.13 and earlier lets remote unauthenticated attackers tamper with the newsletters_subscribers functionality, yielding high integrity and availability impact (CVSS 8.1). The flaw, reported by Patchstack and tagged as an authentication bypass, requires victim interaction (UI:R) but no attacker privileges. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-57640 MEDIUM This Month

Broken Access Control in the MasterStudy LMS WordPress plugin (versions ≤ 3.7.30) permits authenticated subscriber-level users to perform actions that exceed their intended permissions. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce capability checks on one or more endpoints, allowing low-privileged registered users to make unauthorized integrity-affecting modifications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low complexity and network accessibility make it straightforward to exploit on sites with open user registration.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57634 MEDIUM This Month

Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; real-world risk is meaningfully constrained by the Contributor authentication prerequisite.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57632 MEDIUM This Month

Broken access control in Email Marketing for WooCommerce by Omnisend (versions up to and including 1.19.0) allows authenticated subscriber-level WordPress users to invoke privileged plugin functionality without proper authorization checks. Exploitation requires only a low-privilege WordPress account and no user interaction, enabling unauthorized modification of plugin state and potential availability disruption. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier - subscriber-level access - elevates real-world concern on sites with open user registration.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-57630 MEDIUM This Month

Unauthenticated IDOR in Blocksy Companion Pro WordPress plugin (versions through 2.1.46) allows remote unauthenticated attackers to access restricted objects by manipulating user-controlled reference keys, resulting in unauthorized information disclosure. The CVSS 5.3 Medium score reflects network-reachable, zero-authentication access (AV:N/AC:L/PR:N/UI:N) but limited confidentiality impact only (C:L/I:N/A:N). No active exploitation has been confirmed (not listed in CISA KEV), and no EPSS data was provided, though the trivial exploitation complexity elevates practical risk above the moderate score suggests.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57622 MEDIUM This Month

Broken access control in the WPCafe WordPress plugin (versions 3.0.14 and earlier) allows authenticated subscriber-level users to access restricted functionality or data without proper authorization checks. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting low-privileged WordPress accounts to bypass intended access restrictions. No public exploit code or active exploitation has been identified at time of analysis, but the network-accessible, low-complexity nature of the issue makes it straightforward to abuse by any registered site user.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57430 MEDIUM This Month

Broken Access Control in SEOPress PRO WordPress plugin versions up to and including 9.1.1 allows authenticated users holding the Contributor role to perform privileged actions beyond their intended authorization scope. Exploitation requires a valid WordPress account with at least Contributor-level access, making this an insider or low-privilege escalation risk rather than a remote unauthenticated threat. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and network reachability keep this a realistic risk in multi-author WordPress environments.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57324 MEDIUM This Month

Broken access control in the GIFT4U WordPress plugin (versions ≤ 1.0.10) exposes unauthenticated endpoints that allow remote attackers to perform unauthorized operations against WooCommerce gift card functionality. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials, no user interaction, and no special configuration beyond plugin installation. Reported by Patchstack (audit@patchstack.com) and cataloged under EUVD-2026-39736, this is no public exploit identified at time of analysis, but the trivial exploitation conditions lower the practical bar for abuse.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57323 MEDIUM This Month

Unauthenticated broken access control in the Flash & HTML5 Video WordPress plugin (versions <= 2.11.0) allows remote unauthenticated attackers to bypass authorization checks and access restricted resources, crossing a privilege boundary (CVSS Scope Changed) with limited confidentiality impact. Reported by Patchstack and catalogued under EUVD-2026-39735, this is a CWE-862 (Missing Authorization) flaw requiring no credentials, no user interaction, and no special complexity to exploit. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.2%
CVE-2026-56773 HIGH PATCH This Week

Broken access control in Teable's v2 REST API lets any authenticated user bypass authorization and act across bases and tables they should not reach. Because the ORPC controller endpoints (e.g. GET /api/v2/tables/get, POST /api/v2/tables/updateRecords) ship without the required @Permissions metadata, an attacker holding even a low-privileged account can enumerate schemas, create tables, and modify or delete arbitrary records. No public exploit is identified at time of analysis, and the issue is not on CISA KEV, but a vendor fix (PR #3285) and patched release are available.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56069 HIGH This Week

Availability-impacting Insecure Direct Object Reference in the WordPress Toolset Forms (CRED Frontend Editor) plugin version 2.6.24 and earlier lets unauthenticated remote attackers manipulate object identifiers to act on records they should not control. The flaw was reported by Patchstack and carries CVSS 7.5; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV. Because the CVSS vector scores only Availability (A:H), the practical impact is disruption or destruction of plugin-managed objects rather than data disclosure.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56063 HIGH This Week

Broken access control in the WordPress "MailChimp Block" plugin (versions 1.1.15 and earlier) lets unauthenticated remote attackers invoke protected plugin functionality without any authorization check, per the CVSS:3.1 vector (AV:N/PR:N/UI:N) and Patchstack's CWE-862 classification. The scope-changed vector (S:C) with low confidentiality, integrity, and availability impact indicates the missing authorization can affect resources beyond the vulnerable component itself. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-56061 HIGH This Week

Improper authorization in the Subscriptions for WooCommerce WordPress plugin (versions 1.9.5 and earlier) lets unauthenticated remote attackers reach functionality that should be access-restricted, enabling unauthorized modification of subscription data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity abuse with a high integrity impact but no confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56048 MEDIUM This Month

Unauthenticated IDOR in Payment Gateway Based Fees and Discounts for WooCommerce (versions up to and including 3.0.0) allows remote, unauthenticated attackers to manipulate payment gateway fee and discount object references, resulting in unauthorized modification of pricing logic and potential disruption of checkout availability. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction, making this trivially reachable on any exposed WooCommerce storefront running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated entry point lowers the barrier for opportunistic abuse.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56038 HIGH This Week

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56025 HIGH This Week

Broken access control in the Paymob for WooCommerce WordPress plugin (versions <= 4.1.2) allows remote unauthenticated attackers to invoke a protected function or action that lacks an authorization check, producing a high integrity impact (CVSS 7.5, CVSS:3.1/.../I:H). The flaw maps to CWE-862 (Missing Authorization), meaning a function reachable over the network performs no capability or ownership validation before acting. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass WordPress
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54847 HIGH This Week

Unauthorized data exposure in the Stylish Cost Calculator WordPress plugin (versions 8.3.9 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, exposing sensitive information. Reported through Patchstack and classified as a broken access control / missing authorization flaw (CWE-862), it carries a CVSS 7.5 with confidentiality-only impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54846 HIGH This Week

Sensitive data disclosure in the Syncee Premium Dropshipping & Wholesale WordPress plugin (versions <= 1.0.27) lets remote unauthenticated attackers reach functionality that should be access-restricted, exposing confidential information without any login. Reported by Patchstack and tagged as an authentication bypass, the flaw stems from missing authorization checks (CWE-862) on plugin endpoints. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the supplied data, but the CVSS 3.1 base score of 7.5 reflects easy network reach with a high confidentiality impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54840 HIGH This Week

Missing authorization in the Newsletters (newsletters-lite) WordPress plugin through version 4.13 lets unauthenticated remote attackers reach functionality that should be access-controlled, producing limited confidentiality, integrity, and availability impact (CVSS 7.3). Reported by Patchstack and tagged as an authentication bypass, the flaw requires no credentials or user interaction, though no public exploit code or CISA KEV listing exists at time of analysis. The partial (Low) impact across all three dimensions suggests scoped data exposure or unauthorized actions rather than full site compromise.

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-54839 HIGH This Week

Sensitive data exposure in the Trinity Backup WordPress plugin (versions 2.0.9 and earlier) allows remote unauthenticated attackers to retrieve confidential information without any credentials. Because the plugin manages full-site backups, the exposed data may include database dumps, configuration files, and credentials. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54837 HIGH This Week

Broken access control in the All-In-One Intranet WordPress plugin (versions ≤ 1.8.1) allows unauthenticated remote attackers to bypass the plugin's core 'force login / private site' restriction and read content that is supposed to be visible only to authenticated intranet members. The flaw is a missing authorization check (CWE-862) that undermines the single security feature the plugin exists to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54835 HIGH This Week

Improper authorization in the Five Star Restaurant Menu WordPress plugin (versions <= 2.5.2) lets unauthenticated remote attackers invoke restricted functionality and modify data without any credentials. The CVSS 3.1 vector (AV:N/PR:N/UI:N) and CWE-862 indicate the plugin exposes one or more actions that lack capability/nonce checks, scored 7.5 with integrity-only impact (C:N/I:H/A:N). No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack's audit team and tagged as an Authentication Bypass.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54832 HIGH This Week

Unauthorized data modification in the Gutenverse Companion WordPress plugin (versions 2.5.0 and earlier) lets remote unauthenticated attackers invoke protected functionality due to a missing authorization check. The CVSS 3.1 vector (AV:N/PR:N/UI:N, I:H, C:N, A:N) indicates a network-reachable, no-login integrity compromise rather than data theft or outage. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54826 HIGH This Week

Insecure Direct Object Reference in the SupportCandy WordPress helpdesk plugin (versions 3.4.6 and earlier) lets an authenticated low-privilege user (Subscriber) access support tickets and data belonging to other users by manipulating object identifiers, effectively bypassing authorization controls. The flaw carries a CVSS 3.1 base score of 7.6 (PR:L) and was reported by Patchstack; no public exploit code or active exploitation has been identified at time of analysis. Because SupportCandy frequently runs on sites with open user registration, the Subscriber prerequisite is often trivially met.

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-52701 MEDIUM This Month

Broken access control in the WordPress User Registration plugin (versions <= 5.2.2) allows unauthenticated remote attackers to bypass authorization checks and access or manipulate functionality restricted to privileged users. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting network-accessible exploitation with no credentials or user interaction required. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and zero-authentication requirement make this straightforward to exploit opportunistically.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-24547 MEDIUM This Month

Broken access control in the SiteGround Email Marketing WordPress plugin (versions 1.7.5 and earlier) permits unauthenticated remote attackers to perform privileged actions due to missing authorization checks (CWE-862). The CVSS vector confirms network-accessible, low-complexity, zero-privilege exploitation with an integrity-only impact, meaning attackers can manipulate plugin-managed data or functionality without logging in. No active exploitation has been confirmed at time of analysis, and no public exploit code has been identified.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-66123 MEDIUM This Month

Unauthenticated IDOR in the BookPro WordPress plugin (versions ≤ 1.1.0) exposes arbitrary booking records to remote attackers without any authentication. By manipulating object reference identifiers in HTTP requests, an unauthenticated attacker can retrieve booking data belonging to other users, bypassing authorization entirely. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS confirms the impact is limited to partial confidentiality disclosure with no integrity or availability consequence.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-64636 MEDIUM This Month

Broken access control in the Donation Thermometer WordPress plugin version 2.2.7 and earlier allows unauthenticated remote attackers to perform unauthorized actions with low integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.3 Medium reflects the limited impact scope.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-63079 MEDIUM This Month

Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-63078 MEDIUM This Month

Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-63041 MEDIUM This Month

Broken access control in the 'Forget About Shortcode Buttons' WordPress plugin (versions <= 2.1.3) allows authenticated Contributors to invoke restricted plugin functionality without proper authorization checks. The root cause is CWE-862 (Missing Authorization), meaning the plugin exposes one or more privileged endpoints or actions without verifying that the calling user holds a sufficient role. An attacker with a Contributor account on the target WordPress site can exploit this to make unauthorized integrity or availability modifications within the scope of what the plugin controls. No public exploit code and no CISA KEV listing are identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57925 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.2.16593 permits authenticated low-privileged users to read saved queries and tags outside their authorized scope. The flaw stems from missing authorization checks (CWE-862), meaning the application fails to verify whether the requesting user holds the required permissions before serving these resources over the network. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible nature of the issue means any authenticated user on an exposed YouTrack instance is a potential threat actor.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57923 HIGH PATCH This Week

Improper authorization in JetBrains YouTrack's app configurations endpoint lets remote attackers modify project settings they should not be permitted to change, affecting all versions before 2026.2.16593. The flaw (CWE-862, Missing Authorization) impacts integrity only - no data disclosure or service disruption - and was self-reported by JetBrains with a patch already available. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 5th percentile).

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57922 MEDIUM PATCH This Month

Project settings disclosure in JetBrains YouTrack before version 2026.2.16593 allows an authenticated low-privileged user to read project configuration data they are not authorized to access via the MCP (Model Context Protocol) integration. The root cause is a missing authorization check (CWE-862) on MCP-exposed endpoints, meaning the server returns project settings without validating the requesting user's project-level permissions. No public exploit has been identified at time of analysis, no KEV listing exists, and a vendor-released patch is available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-57921 HIGH PATCH This Week

Information disclosure in JetBrains YouTrack before 2026.2.16593 allows remote attackers to read other users' private data through a missing authorization check on the comment templates endpoint. The flaw is unauthenticated and network-reachable per the CVSS vector (PR:N), exposing confidential information without any user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile).

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57920 HIGH PATCH HOSTED Monitor

{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Incontrol
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-57915 HIGH PATCH This Week

Authentication bypass in Apache Kerby before 2.1.2 lets remote attackers defeat Kerberos pre-authentication by submitting a PA-DATA element with an unrecognized or unsupported type, causing the KDC to skip the pre-auth check rather than reject the request. The flaw affects all Apache Kerby deployments below 2.1.2 acting as a Kerberos KDC/AS, and is fixed in version 2.1.2. There is no public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided; CVSS is rated 7.3 (High) with partial confidentiality, integrity, and availability impact.

Authentication Bypass Apache Apache Kerby
NVD VulDB
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-13325 HIGH This Week

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-1869 MEDIUM This Month

Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.

Authentication Bypass WordPress User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-2053 CRITICAL PATCH Act Now

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making server-initiated requests to attacker-chosen destinations by injecting crafted WS-Addressing headers into the message flow. Because the API Manager typically sits at the network edge with reachability into internal systems, this allows pivoting to otherwise unreachable internal resources and services. The vendor rates it CVSS 10.0; it is not in CISA KEV and no public exploit identified at time of analysis, with a low EPSS of 0.20% (10th percentile).

Authentication Bypass SSRF Wso2 Api Manager
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-50739 MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-50744 MEDIUM This Month

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. A threat actor who captures that leaked cookie can then replay it to invoke otherwise admin-restricted XML-RPC methods without possessing admin credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-43920 MEDIUM This Month

Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. No active exploitation has been confirmed in the CISA KEV catalog, but the attack surface is broad and the operational impact - forced session invalidation, potential database inconsistency from concurrent invocations, and cache destruction - constitutes a meaningful denial-of-service risk against production instances.

Authentication Bypass CSRF
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-38571 MEDIUM This Month

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.

Authentication Bypass Tenda N A
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-55166 PyPI CRITICAL POC PATCH GHSA Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF OpenSSL Docker
NVD GitHub
CVSS 3.1
9.9
CVE-2026-55164 PyPI MEDIUM PATCH GHSA This Month

Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.

Authentication Bypass Hashicorp Python
NVD GitHub
CVSS 3.1
4.9
CVE-2026-55163 PyPI MEDIUM PATCH GHSA This Month

Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
6.3
CVE-2025-71327 npm CRITICAL Act Now

Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-48529 Go MEDIUM POC PATCH GHSA This Month

Lockdown mode in GitHub MCP Server HTTP deployments (versions 0.22.0-1.1.1) fails to isolate per-user GraphQL credentials due to a process-global singleton that retains the first authenticated user's client for the lifetime of the process. All subsequent users' IsSafeContent checks-the security gate that decides whether content from external contributors is sanitized before reaching the AI model-are evaluated under the first user's GitHub token and identity, producing wrong access control decisions for every user except the first. A publicly available proof-of-concept confirms the singleton pointer collision; no active exploitation (CISA KEV) has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-7532 MEDIUM PATCH This Month

Certificate IP address name constraint enforcement in wolfSSL is silently disabled when the library is compiled without the WOLFSSL_IP_ALT_NAME preprocessor define, allowing a CA operator to issue certificates bearing IP address Subject Alternative Names that the issuing CA's nameConstraints extension was intended to prohibit. Any wolfSSL-based TLS endpoint built in this configuration will accept these constraint-violating certificates as valid, undermining PKI-enforced IP address restrictions. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.7 reflects meaningful exploitation constraints including high-privilege CA access and a specific non-default build configuration.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-11703 MEDIUM PATCH This Month

Session authentication bypass in wolfSSL exposes servers running multiple TLS virtual hosts to cross-vhost peer-authentication spoofing via stateful session-ID resumption. When a client resumes a cached session using a session ID rather than a session ticket, wolfSSL previously skipped the SNI and ALPN binding verification that was already enforced on the ticket-based resumption path - allowing the cached peerAuthGood state and peer-certificate context from one virtual host to be silently carried into a second virtual host with a different client-authentication policy. The upstream fix (PR #10489) extends the binding check to cover stateful resumption, declining mismatched resumptions and falling back to a full handshake. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.0 with AC:H and AT:P reflects the non-trivial configuration prerequisites.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-55962 MEDIUM PATCH This Month

Post-handshake authentication bypass in wolfSSL TLS 1.3 permits a connected client to skip certificate verification during server-initiated post-handshake re-authentication. When a server has issued a post-handshake CertificateRequest via wolfSSL_request_certificate(), a client can send a Finished message without providing a Certificate or CertificateVerify; the server incorrectly applies an initial-handshake exemption and accepts it, treating the client as authenticated. No public exploit is identified and this is not listed in CISA KEV; the vulnerability was self-disclosed by wolfSSL with a patch available in GitHub PR #10702.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-40702 CRITICAL CISA Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure Evoke Csms
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50176 HIGH CISA Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-11800 HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass Red Hat Build Of Keycloak 26 6 Red Hat Build Of Keycloak 26 6 4 +4
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54479 MEDIUM CISA This Month

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-6450 LOW PATCH Monitor

Certificate Revocation List processing in wolfSSL silently accepts CRLs containing unrecognized critical extensions rather than rejecting them as mandated by RFC 5280, constituting an improper certificate validation flaw (CWE-295). Affected are only wolfSSL builds explicitly compiled with CRL support (HAVE_CRL preprocessor flag) where the attacker can present a crafted CRL carrying a trusted CA signature - conditions that substantially limit the attack surface. An adversary satisfying these prerequisites could cause a revoked certificate to be treated as valid, enabling an authentication bypass. No public exploit has been identified and this CVE is absent from CISA KEV; the CVSS 4.0 score of 1.0 accurately reflects the extreme exploitation constraints.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
1.0
EPSS
0.1%
CVE-2026-6731 MEDIUM PATCH This Month

X.509 DNS name constraint enforcement in wolfSSL fails to evaluate the Subject Common Name when no Subject Alternative Name extension is present, allowing a certificate whose CN violates an issuing CA's DNS name constraints to be accepted as valid. Affected deployments include any application using wolfSSL's certificate manager for chain verification where name-constrained intermediate or root CAs are in use. An attacker who can obtain or forge a certificate with a non-compliant CN and no SAN can bypass the policy boundary the constraining CA was intended to enforce, enabling impersonation of hosts outside the permitted domain set. No public exploit identified at time of analysis; upstream fix available as a GitHub pull request.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-10592 MEDIUM PATCH This Month

wolfSSL's certificate chain validation logic incorrectly evaluates wildcard DNS Subject Alternative Names (SANs) against CA-enforced name constraints, allowing certificates that should be rejected under a constrained PKI hierarchy to be silently accepted. Any wolfSSL-powered application that validates certificate chains in a PKI where intermediate or root CAs define permitted or excluded DNS name constraints per RFC 5280 §4.2.1.10 is affected; all versions matching cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* are listed as affected. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; an upstream patch is available via PR #10549 but a tagged release version has not been independently confirmed.

Authentication Bypass Wolfssl
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-11310 HIGH PATCH This Week

X.509 trust-chain bypass in wolfSSL's OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert/X509_verify_cert) allows an attacker to have an attacker-controlled certificate accepted as valid by presenting a chain that never reaches a configured trust anchor. The flaw affects only builds compiled with --enable-opensslextra whose applications perform certificate validation via the OpenSSL-compat X509_verify_cert() API using caller-supplied untrusted intermediates; for those deployments it is critical (CVSS 4.0 base 8.7, integrity impact only). There is no public exploit identified at time of analysis and it is not on CISA KEV, but an upstream fix is available via wolfSSL PR #10674.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-55960 HIGH PATCH This Week

Certificate validation bypass in wolfSSL (builds compiled with HAVE_RPK) allows a peer to present an un-negotiated Raw Public Key (RFC 7250) in place of a full X.509 certificate, defeating chain-of-trust validation. Because a raw public key carries no certificate chain, ParseCertRelative() accepts it without performing any trust verification, so an attacker presenting a bare key can impersonate a server (or client) when neither side actually negotiated the RPK certificate type. No public exploit identified at time of analysis and the issue is not in CISA KEV; the high CVSS (8.2, CVSS 4.0) reflects a full authentication/integrity bypass, but exploitation is gated by the non-default HAVE_RPK build option.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-57521 MEDIUM POC PATCH This Month

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57520 HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-2299 MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google Mattermost Google Drive Plugin
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-48508 PyPI HIGH PATCH GHSA This Week

Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.

Authentication Bypass SSRF Python
NVD GitHub
CVSS 3.1
8.8
CVE-2026-56774 MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). No active exploitation has been identified (EPSS 0.17%, not in CISA KEV), and patches are available across all actively maintained Linux stable branches.

Authentication Bypass Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation.

Authentication Bypass Debian
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. This was demonstrated as a route-bypass: a directly denied /pwn was served to a second downstream stream as a backend-parsed GET /pwn, with no public exploit identified at time of analysis and no CISA KEV listing.

Request Smuggling Authentication Bypass Envoy
NVD GitHub
HIGH PATCH This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the target webhook belongs to them. An attacker with a valid account can confirm webhook existence, leak OAuth provider metadata, and trigger unauthorized ping deliveries on behalf of other users. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Autogpt
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. Rated CVSS 9.6 with a scope change and CISA SSVC 'total' technical impact; SSVC lists exploitation as proof-of-concept, but EPSS is very low (0.11%, 1st percentile) and it is not in CISA KEV.

Authentication Bypass Canonical Lxd
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated IDOR in GravityView WordPress plugin (≤ 3.0.0) allows remote attackers to bypass object-level authorization and access form entry data belonging to other users without any credentials or interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is trivially reachable over the network with no prerequisites beyond the plugin being active and a view being publicly rendered. No public exploit code or CISA KEV listing has been identified at time of analysis, but the zero-authentication requirement and low complexity make manual exploitation straightforward.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Broken access control in WPComplete WordPress plugin versions up to and including 2.9.5.5 allows authenticated subscribers to perform actions reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privileged WordPress users to bypass access restrictions on plugin functionality. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit by any subscriber-level account.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated broken access control in the Booking and Rental Manager WordPress plugin (versions <= 2.7.1) allows remote unauthenticated attackers to perform restricted actions, resulting in unauthorized integrity modifications to booking or rental data. The flaw stems from missing authorization checks (CWE-862), meaning any network-accessible request can bypass intended access controls without credentials. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 5.3 (Medium) reflects the limited impact scope - integrity only, no confidentiality or availability loss.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the Affiliates Manager WordPress plugin (versions <= 2.9.49) allows an authenticated low-privilege user to perform unauthorized affiliate management actions, achieving high integrity impact due to missing authorization checks (CWE-862). The CVSS vector (PR:L, AV:N, AC:L) confirms exploitation is network-accessible with minimal complexity, requiring only a valid low-privilege account. No active exploitation has been identified at time of analysis, and no patched version has been independently confirmed from the available intelligence.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated IDOR in the JS Help Desk WordPress plugin (versions ≤3.1.0) exposes support ticket objects to unauthorized access by any remote attacker. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against a default plugin installation. Impact is limited to confidentiality (C:L), enabling enumeration and read access to other users' ticket data; no public exploit code identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Shoppable Images Lite WordPress plugin (versions 1.3 and below) allows subscriber-level authenticated users to perform actions or access data beyond their authorized scope. Rooted in CWE-862 (Missing Authorization), the plugin fails to verify whether the requesting user holds sufficient privileges before executing restricted functionality. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis; real-world risk is tempered by the authentication prerequisite and the plugin's limited deployment footprint.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Nelio Content WordPress plugin (versions 4.3.4 and earlier) allows authenticated users holding only the Contributor role to bypass intended authorization restrictions and perform actions reserved for higher-privileged roles. The root cause is missing authorization checks (CWE-862) on one or more plugin endpoints, enabling unauthorized integrity-affecting operations on content managed by the plugin. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Majestic Support WordPress plugin (versions up to and including 1.1.7) allows any authenticated subscriber-level user to access or modify support objects belonging to other users by manipulating user-controlled resource identifiers. Reported by Patchstack's audit team and tracked as EUVD-2026-39761, the flaw carries a CVSS 5.4 Medium rating with both confidentiality and integrity impact confirmed. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and broad attacker pool (any registered WordPress user) make it a meaningful risk on multi-tenant or customer-facing WordPress installations running this plugin.

Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper authorization (CWE-862) in the WordPress "Newsletters" plugin (newsletters-lite) versions 4.13 and earlier lets remote unauthenticated attackers tamper with the newsletters_subscribers functionality, yielding high integrity and availability impact (CVSS 8.1). The flaw, reported by Patchstack and tagged as an authentication bypass, requires victim interaction (UI:R) but no attacker privileges. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken Access Control in the MasterStudy LMS WordPress plugin (versions ≤ 3.7.30) permits authenticated subscriber-level users to perform actions that exceed their intended permissions. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce capability checks on one or more endpoints, allowing low-privileged registered users to make unauthorized integrity-affecting modifications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low complexity and network accessibility make it straightforward to exploit on sites with open user registration.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; real-world risk is meaningfully constrained by the Contributor authentication prerequisite.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Broken access control in Email Marketing for WooCommerce by Omnisend (versions up to and including 1.19.0) allows authenticated subscriber-level WordPress users to invoke privileged plugin functionality without proper authorization checks. Exploitation requires only a low-privilege WordPress account and no user interaction, enabling unauthorized modification of plugin state and potential availability disruption. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier - subscriber-level access - elevates real-world concern on sites with open user registration.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated IDOR in Blocksy Companion Pro WordPress plugin (versions through 2.1.46) allows remote unauthenticated attackers to access restricted objects by manipulating user-controlled reference keys, resulting in unauthorized information disclosure. The CVSS 5.3 Medium score reflects network-reachable, zero-authentication access (AV:N/AC:L/PR:N/UI:N) but limited confidentiality impact only (C:L/I:N/A:N). No active exploitation has been confirmed (not listed in CISA KEV), and no EPSS data was provided, though the trivial exploitation complexity elevates practical risk above the moderate score suggests.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the WPCafe WordPress plugin (versions 3.0.14 and earlier) allows authenticated subscriber-level users to access restricted functionality or data without proper authorization checks. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting low-privileged WordPress accounts to bypass intended access restrictions. No public exploit code or active exploitation has been identified at time of analysis, but the network-accessible, low-complexity nature of the issue makes it straightforward to abuse by any registered site user.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken Access Control in SEOPress PRO WordPress plugin versions up to and including 9.1.1 allows authenticated users holding the Contributor role to perform privileged actions beyond their intended authorization scope. Exploitation requires a valid WordPress account with at least Contributor-level access, making this an insider or low-privilege escalation risk rather than a remote unauthenticated threat. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and network reachability keep this a realistic risk in multi-author WordPress environments.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the GIFT4U WordPress plugin (versions ≤ 1.0.10) exposes unauthenticated endpoints that allow remote attackers to perform unauthorized operations against WooCommerce gift card functionality. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials, no user interaction, and no special configuration beyond plugin installation. Reported by Patchstack (audit@patchstack.com) and cataloged under EUVD-2026-39736, this is no public exploit identified at time of analysis, but the trivial exploitation conditions lower the practical bar for abuse.

Authentication Bypass
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Unauthenticated broken access control in the Flash & HTML5 Video WordPress plugin (versions <= 2.11.0) allows remote unauthenticated attackers to bypass authorization checks and access restricted resources, crossing a privilege boundary (CVSS Scope Changed) with limited confidentiality impact. Reported by Patchstack and catalogued under EUVD-2026-39735, this is a CWE-862 (Missing Authorization) flaw requiring no credentials, no user interaction, and no special complexity to exploit. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Broken access control in Teable's v2 REST API lets any authenticated user bypass authorization and act across bases and tables they should not reach. Because the ORPC controller endpoints (e.g. GET /api/v2/tables/get, POST /api/v2/tables/updateRecords) ship without the required @Permissions metadata, an attacker holding even a low-privileged account can enumerate schemas, create tables, and modify or delete arbitrary records. No public exploit is identified at time of analysis, and the issue is not on CISA KEV, but a vendor fix (PR #3285) and patched release are available.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Availability-impacting Insecure Direct Object Reference in the WordPress Toolset Forms (CRED Frontend Editor) plugin version 2.6.24 and earlier lets unauthenticated remote attackers manipulate object identifiers to act on records they should not control. The flaw was reported by Patchstack and carries CVSS 7.5; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV. Because the CVSS vector scores only Availability (A:H), the practical impact is disruption or destruction of plugin-managed objects rather than data disclosure.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Broken access control in the WordPress "MailChimp Block" plugin (versions 1.1.15 and earlier) lets unauthenticated remote attackers invoke protected plugin functionality without any authorization check, per the CVSS:3.1 vector (AV:N/PR:N/UI:N) and Patchstack's CWE-862 classification. The scope-changed vector (S:C) with low confidentiality, integrity, and availability impact indicates the missing authorization can affect resources beyond the vulnerable component itself. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper authorization in the Subscriptions for WooCommerce WordPress plugin (versions 1.9.5 and earlier) lets unauthenticated remote attackers reach functionality that should be access-restricted, enabling unauthorized modification of subscription data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity abuse with a high integrity impact but no confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in Payment Gateway Based Fees and Discounts for WooCommerce (versions up to and including 3.0.0) allows remote, unauthenticated attackers to manipulate payment gateway fee and discount object references, resulting in unauthorized modification of pricing logic and potential disruption of checkout availability. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction, making this trivially reachable on any exposed WooCommerce storefront running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated entry point lowers the barrier for opportunistic abuse.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Paymob for WooCommerce WordPress plugin (versions <= 4.1.2) allows remote unauthenticated attackers to invoke a protected function or action that lacks an authorization check, producing a high integrity impact (CVSS 7.5, CVSS:3.1/.../I:H). The flaw maps to CWE-862 (Missing Authorization), meaning a function reachable over the network performs no capability or ownership validation before acting. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data exposure in the Stylish Cost Calculator WordPress plugin (versions 8.3.9 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, exposing sensitive information. Reported through Patchstack and classified as a broken access control / missing authorization flaw (CWE-862), it carries a CVSS 7.5 with confidentiality-only impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data disclosure in the Syncee Premium Dropshipping & Wholesale WordPress plugin (versions <= 1.0.27) lets remote unauthenticated attackers reach functionality that should be access-restricted, exposing confidential information without any login. Reported by Patchstack and tagged as an authentication bypass, the flaw stems from missing authorization checks (CWE-862) on plugin endpoints. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the supplied data, but the CVSS 3.1 base score of 7.5 reflects easy network reach with a high confidentiality impact.

Authentication Bypass
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Missing authorization in the Newsletters (newsletters-lite) WordPress plugin through version 4.13 lets unauthenticated remote attackers reach functionality that should be access-controlled, producing limited confidentiality, integrity, and availability impact (CVSS 7.3). Reported by Patchstack and tagged as an authentication bypass, the flaw requires no credentials or user interaction, though no public exploit code or CISA KEV listing exists at time of analysis. The partial (Low) impact across all three dimensions suggests scoped data exposure or unauthorized actions rather than full site compromise.

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the Trinity Backup WordPress plugin (versions 2.0.9 and earlier) allows remote unauthenticated attackers to retrieve confidential information without any credentials. Because the plugin manages full-site backups, the exposed data may include database dumps, configuration files, and credentials. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the All-In-One Intranet WordPress plugin (versions ≤ 1.8.1) allows unauthenticated remote attackers to bypass the plugin's core 'force login / private site' restriction and read content that is supposed to be visible only to authenticated intranet members. The flaw is a missing authorization check (CWE-862) that undermines the single security feature the plugin exists to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Improper authorization in the Five Star Restaurant Menu WordPress plugin (versions <= 2.5.2) lets unauthenticated remote attackers invoke restricted functionality and modify data without any credentials. The CVSS 3.1 vector (AV:N/PR:N/UI:N) and CWE-862 indicate the plugin exposes one or more actions that lack capability/nonce checks, scored 7.5 with integrity-only impact (C:N/I:H/A:N). No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack's audit team and tagged as an Authentication Bypass.

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data modification in the Gutenverse Companion WordPress plugin (versions 2.5.0 and earlier) lets remote unauthenticated attackers invoke protected functionality due to a missing authorization check. The CVSS 3.1 vector (AV:N/PR:N/UI:N, I:H, C:N, A:N) indicates a network-reachable, no-login integrity compromise rather than data theft or outage. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Insecure Direct Object Reference in the SupportCandy WordPress helpdesk plugin (versions 3.4.6 and earlier) lets an authenticated low-privilege user (Subscriber) access support tickets and data belonging to other users by manipulating object identifiers, effectively bypassing authorization controls. The flaw carries a CVSS 3.1 base score of 7.6 (PR:L) and was reported by Patchstack; no public exploit code or active exploitation has been identified at time of analysis. Because SupportCandy frequently runs on sites with open user registration, the Subscriber prerequisite is often trivially met.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the WordPress User Registration plugin (versions <= 5.2.2) allows unauthenticated remote attackers to bypass authorization checks and access or manipulate functionality restricted to privileged users. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting network-accessible exploitation with no credentials or user interaction required. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and zero-authentication requirement make this straightforward to exploit opportunistically.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken access control in the SiteGround Email Marketing WordPress plugin (versions 1.7.5 and earlier) permits unauthenticated remote attackers to perform privileged actions due to missing authorization checks (CWE-862). The CVSS vector confirms network-accessible, low-complexity, zero-privilege exploitation with an integrity-only impact, meaning attackers can manipulate plugin-managed data or functionality without logging in. No active exploitation has been confirmed at time of analysis, and no public exploit code has been identified.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated IDOR in the BookPro WordPress plugin (versions ≤ 1.1.0) exposes arbitrary booking records to remote attackers without any authentication. By manipulating object reference identifiers in HTTP requests, an unauthenticated attacker can retrieve booking data belonging to other users, bypassing authorization entirely. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS confirms the impact is limited to partial confidentiality disclosure with no integrity or availability consequence.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken access control in the Donation Thermometer WordPress plugin version 2.2.7 and earlier allows unauthenticated remote attackers to perform unauthorized actions with low integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.3 Medium reflects the limited impact scope.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Broken access control in the 'Forget About Shortcode Buttons' WordPress plugin (versions <= 2.1.3) allows authenticated Contributors to invoke restricted plugin functionality without proper authorization checks. The root cause is CWE-862 (Missing Authorization), meaning the plugin exposes one or more privileged endpoints or actions without verifying that the calling user holds a sufficient role. An attacker with a Contributor account on the target WordPress site can exploit this to make unauthorized integrity or availability modifications within the scope of what the plugin controls. No public exploit code and no CISA KEV listing are identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.2.16593 permits authenticated low-privileged users to read saved queries and tags outside their authorized scope. The flaw stems from missing authorization checks (CWE-862), meaning the application fails to verify whether the requesting user holds the required permissions before serving these resources over the network. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible nature of the issue means any authenticated user on an exposed YouTrack instance is a potential threat actor.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper authorization in JetBrains YouTrack's app configurations endpoint lets remote attackers modify project settings they should not be permitted to change, affecting all versions before 2026.2.16593. The flaw (CWE-862, Missing Authorization) impacts integrity only - no data disclosure or service disruption - and was self-reported by JetBrains with a patch already available. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 5th percentile).

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Project settings disclosure in JetBrains YouTrack before version 2026.2.16593 allows an authenticated low-privileged user to read project configuration data they are not authorized to access via the MCP (Model Context Protocol) integration. The root cause is a missing authorization check (CWE-862) on MCP-exposed endpoints, meaning the server returns project settings without validating the requesting user's project-level permissions. No public exploit has been identified at time of analysis, no KEV listing exists, and a vendor-released patch is available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in JetBrains YouTrack before 2026.2.16593 allows remote attackers to read other users' private data through a missing authorization check on the comment templates endpoint. The flaw is unauthenticated and network-reachable per the CVSS vector (PR:N), exposing confidential information without any user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile).

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH HOSTED Monitor

{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Incontrol
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Authentication bypass in Apache Kerby before 2.1.2 lets remote attackers defeat Kerberos pre-authentication by submitting a PA-DATA element with an unrecognized or unsupported type, causing the KDC to skip the pre-auth check rather than reject the request. The flaw affects all Apache Kerby deployments below 2.1.2 acting as a Kerberos KDC/AS, and is fixed in version 2.1.2. There is no public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided; CVSS is rated 7.3 (High) with partial confidentiality, integrity, and availability impact.

Authentication Bypass Apache Apache Kerby
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Red Hat Openshift Virtualization 4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.

Authentication Bypass WordPress User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making server-initiated requests to attacker-chosen destinations by injecting crafted WS-Addressing headers into the message flow. Because the API Manager typically sits at the network edge with reachability into internal systems, this allows pivoting to otherwise unreachable internal resources and services. The vendor rates it CVSS 10.0; it is not in CISA KEV and no public exploit identified at time of analysis, with a low EPSS of 0.20% (10th percentile).

Authentication Bypass SSRF Wso2 Api Manager
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. A threat actor who captures that leaked cookie can then replay it to invoke otherwise admin-restricted XML-RPC methods without possessing admin credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Adserver
NVD
EPSS 1% CVSS 6.9
MEDIUM This Month

Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. No active exploitation has been confirmed in the CISA KEV catalog, but the attack surface is broad and the operational impact - forced session invalidation, potential database inconsistency from concurrent invocations, and cache destruction - constitutes a meaningful denial-of-service risk against production instances.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.

Authentication Bypass Tenda N A
NVD GitHub VulDB
CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF +2
NVD GitHub
CVSS 4.9
MEDIUM PATCH This Month

Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.

Authentication Bypass Hashicorp Python
NVD GitHub
CVSS 6.3
MEDIUM PATCH This Month

Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Lockdown mode in GitHub MCP Server HTTP deployments (versions 0.22.0-1.1.1) fails to isolate per-user GraphQL credentials due to a process-global singleton that retains the first authenticated user's client for the lifetime of the process. All subsequent users' IsSafeContent checks-the security gate that decides whether content from external contributors is sanitized before reaching the AI model-are evaluated under the first user's GitHub token and identity, producing wrong access control decisions for every user except the first. A publicly available proof-of-concept confirms the singleton pointer collision; no active exploitation (CISA KEV) has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Certificate IP address name constraint enforcement in wolfSSL is silently disabled when the library is compiled without the WOLFSSL_IP_ALT_NAME preprocessor define, allowing a CA operator to issue certificates bearing IP address Subject Alternative Names that the issuing CA's nameConstraints extension was intended to prohibit. Any wolfSSL-based TLS endpoint built in this configuration will accept these constraint-violating certificates as valid, undermining PKI-enforced IP address restrictions. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.7 reflects meaningful exploitation constraints including high-privilege CA access and a specific non-default build configuration.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Session authentication bypass in wolfSSL exposes servers running multiple TLS virtual hosts to cross-vhost peer-authentication spoofing via stateful session-ID resumption. When a client resumes a cached session using a session ID rather than a session ticket, wolfSSL previously skipped the SNI and ALPN binding verification that was already enforced on the ticket-based resumption path - allowing the cached peerAuthGood state and peer-certificate context from one virtual host to be silently carried into a second virtual host with a different client-authentication policy. The upstream fix (PR #10489) extends the binding check to cover stateful resumption, declining mismatched resumptions and falling back to a full handshake. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.0 with AC:H and AT:P reflects the non-trivial configuration prerequisites.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Post-handshake authentication bypass in wolfSSL TLS 1.3 permits a connected client to skip certificate verification during server-initiated post-handshake re-authentication. When a server has issued a post-handshake CertificateRequest via wolfSSL_request_certificate(), a client can send a Finished message without providing a Certificate or CertificateVerify; the server incorrectly applies an initial-handshake exemption and accepts it, treating the client as authenticated. No public exploit is identified and this is not listed in CISA KEV; the vulnerability was self-disclosed by wolfSSL with a patch available in GitHub PR #10702.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass +6
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
EPSS 0% CVSS 1.0
LOW PATCH Monitor

Certificate Revocation List processing in wolfSSL silently accepts CRLs containing unrecognized critical extensions rather than rejecting them as mandated by RFC 5280, constituting an improper certificate validation flaw (CWE-295). Affected are only wolfSSL builds explicitly compiled with CRL support (HAVE_CRL preprocessor flag) where the attacker can present a crafted CRL carrying a trusted CA signature - conditions that substantially limit the attack surface. An adversary satisfying these prerequisites could cause a revoked certificate to be treated as valid, enabling an authentication bypass. No public exploit has been identified and this CVE is absent from CISA KEV; the CVSS 4.0 score of 1.0 accurately reflects the extreme exploitation constraints.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

X.509 DNS name constraint enforcement in wolfSSL fails to evaluate the Subject Common Name when no Subject Alternative Name extension is present, allowing a certificate whose CN violates an issuing CA's DNS name constraints to be accepted as valid. Affected deployments include any application using wolfSSL's certificate manager for chain verification where name-constrained intermediate or root CAs are in use. An attacker who can obtain or forge a certificate with a non-compliant CN and no SAN can bypass the policy boundary the constraining CA was intended to enforce, enabling impersonation of hosts outside the permitted domain set. No public exploit identified at time of analysis; upstream fix available as a GitHub pull request.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

wolfSSL's certificate chain validation logic incorrectly evaluates wildcard DNS Subject Alternative Names (SANs) against CA-enforced name constraints, allowing certificates that should be rejected under a constrained PKI hierarchy to be silently accepted. Any wolfSSL-powered application that validates certificate chains in a PKI where intermediate or root CAs define permitted or excluded DNS name constraints per RFC 5280 §4.2.1.10 is affected; all versions matching cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* are listed as affected. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; an upstream patch is available via PR #10549 but a tagged release version has not been independently confirmed.

Authentication Bypass Wolfssl
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

X.509 trust-chain bypass in wolfSSL's OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert/X509_verify_cert) allows an attacker to have an attacker-controlled certificate accepted as valid by presenting a chain that never reaches a configured trust anchor. The flaw affects only builds compiled with --enable-opensslextra whose applications perform certificate validation via the OpenSSL-compat X509_verify_cert() API using caller-supplied untrusted intermediates; for those deployments it is critical (CVSS 4.0 base 8.7, integrity impact only). There is no public exploit identified at time of analysis and it is not on CISA KEV, but an upstream fix is available via wolfSSL PR #10674.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Certificate validation bypass in wolfSSL (builds compiled with HAVE_RPK) allows a peer to present an un-negotiated Raw Public Key (RFC 7250) in place of a full X.509 certificate, defeating chain-of-trust validation. Because a raw public key carries no certificate chain, ParseCertRelative() accepts it without performing any trust verification, so an attacker presenting a bare key can impersonate a server (or client) when neither side actually negotiated the RPK certificate type. No public exploit identified at time of analysis and the issue is not in CISA KEV; the high CVSS (8.2, CVSS 4.0) reflects a full authentication/integrity bypass, but exploitation is gated by the non-default HAVE_RPK build option.

Authentication Bypass Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Server
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google +1
NVD GitHub VulDB
CVSS 8.8
HIGH PATCH This Week

Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.

Authentication Bypass SSRF Python
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
Prev Page 14 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy