Skip to main content

Authentication Bypass

31255 CVEs technique

Monthly

CVE-2026-56774 MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56772 MEDIUM PATCH This Month

Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.

Authentication Bypass Newsblur
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56768 HIGH PATCH This Week

Authorization bypass in Seahub (the Seafile web frontend) before 13.0.23 lets a holder of a folder share-link token call GET /api/v2.1/share-link-zip-task/ without honoring the SHARE_LINK_LOGIN_REQUIRED policy, obtaining a fileserver zip token to download entire shared directory trees. Classified as CWE-862 (Missing Authorization) and reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided in the input.

Authentication Bypass Seahub
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56767 HIGH PATCH This Week

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. Robot.findAll() with no userId scope), so a low-privileged account on a shared/multi-tenant instance can pivot across the entire tenant base. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix is committed and the trivial nature of an IDOR makes it readily reproducible.

Authentication Bypass Google Maxun
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-54089 Go CRITICAL POC GHSA Act Now

Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. Scored CVSS 9.1 (CWE-287); no public exploit identified at time of analysis, though the underlying behavior has been openly documented for years.

Authentication Bypass Filebrowser
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-46498 Maven HIGH PATCH GHSA This Week

OAuth2/OIDC token forgery in OpenIdentity Platform's OpenAM Community Edition (through 16.0.6) lets an attacker mint OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject (userName), clientID, realm, and scope by abusing the stateful token-read path's failure to namespace and type-check Core Token Store (CTS) rows. The flaw is an Authorization Bypass Through User-Controlled Key (CWE-639): any CTS row whose BLOB merely claims to be an OAuth token is trusted on read with no integrity check, so an attacker who can write attacker-controlled JSON to CTS under a known identifier can impersonate any user or client. No public exploit has been identified at time of analysis, and the issue is fixed in version 16.1.1; it does not by itself grant an OpenAM SSO session or admin-console access.

Authentication Bypass
NVD GitHub
CVE-2026-11999 HIGH PATCH This Week

Certificate trust-chain bypass in wolfSSL allows attackers to have an attacker-controlled certificate accepted as valid, but only in builds compiled with --enable-opensslextra where the application calls the OpenSSL-compatibility X509_verify_cert() with caller-supplied untrusted intermediates. The verifier returned success based on the last verified link instead of confirming the chain reaches a configured trust anchor, so a chain deeper than the maximum path depth (default 100) is accepted without ever validating against a trusted root. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; native wolfSSL TLS/DTLS and the default WOLFSSL_VERIFY_PEER handshake are unaffected.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-55698 npm HIGH POC PATCH GHSA This Week

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository hijack pnpm's automatic version-switching mechanism. By committing crafted package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml - including matching pnpm and @pnpm/exe versions plus package records and snapshots - an attacker bypasses fresh package-manager resolution and causes pnpm to install and execute attacker-selected bytes when a developer runs pnpm in the cloned repo. No public exploit identified at time of analysis; the high CVSS of 8.8 reflects full confidentiality, integrity, and availability impact, gated only by the user running pnpm against the poisoned repository.

Authentication Bypass Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-9799 MEDIUM PATCH This Month

Authorization bypass in Red Hat Build of Keycloak's UMA engine lets an authenticated user who holds a valid permission ticket for a single resource escalate access to all resources of the same type on the resource server by crafting a specific permission request prefix. The bypass is silently permitted when the resource server operates in PERMISSIVE enforcement mode with ownerManagedAccess enabled and no explicit type-level policy in place. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis, but the low attack complexity and network vector make this a credible internal-privilege escalation path in affected Keycloak deployments.

Authentication Bypass Information Disclosure Red Hat Build Of Keycloak
NVD
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-9099 HIGH PATCH This Week

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management rights over a single low-privilege group hijack the entire realm. A missing authorization check in the Admin REST API's GroupResource.addChild() endpoint allows reparenting an arbitrary group; when Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker can move a privileged group (e.g., one holding realm-admin) under a group they control, inheriting management and password-reset rights over its members. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the resulting full realm takeover makes it a serious escalation primitive in environments that delegate group administration.

Authentication Bypass Red Hat Build Of Keycloak
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-9800 HIGH PATCH This Week

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access controls - role, scope, and User-Managed Access (UMA) permission checks - by embedding the configured access-denied page path inside a request URL as a path segment or query parameter. The affected component ships in the Red Hat Build of Keycloak, and successful exploitation grants unauthorized access to protected resources. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55411 MEDIUM PATCH This Month

Cross-tenant credential decryption in ToolJet prior to 3.20.1780-lts allows any authenticated user to retrieve plaintext data-source secrets belonging to any other organization on the same instance. The POST /api/data-sources/decrypt endpoint omits the ValidateDataSourceGuard present on all neighboring routes and performs no organization-scoped lookup, meaning a valid session from any tenant is sufficient to exfiltrate database passwords, API keys, and other stored secrets across tenant boundaries. No public exploit has been identified at time of analysis, but the attack is mechanically trivial for any user with a valid account and knowledge of a target credential_id.

Authentication Bypass Tooljet
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-13350 LOW PATCH Monitor

Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room types they are not permitted to create. The CVSS 4.0 score of 2.3 reflects the narrow, integrity-only impact and significant attack preconditions - requiring authentication, high complexity, and specific prerequisites. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Venueless
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-54573 MEDIUM PATCH This Month

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.

Authentication Bypass Privilege Escalation Outline
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-54027 MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54029 MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54040 HIGH PATCH This Week

Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. EPSS is low (0.15%, 5th percentile) and no active exploitation is recorded, but proof-of-concept exploitation is acknowledged in the SSVC framework.

Authentication Bypass Librechat
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54036 HIGH PATCH This Week

Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. Publicly available exploit code exists (SSVC: PoC), but EPSS is low (0.18%, 8th percentile) and it is not listed in CISA KEV.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-4522 MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-48941 MEDIUM This Month

Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.

Authentication Bypass K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-9651 MEDIUM CISA This Month

Incorrect file permission assignment on Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units exposes password hashes stored in system files to unauthorized reading by privileged local users. An attacker who has already obtained privileged local access to the RTU can read these improperly protected files, extract credential hashes, and perform offline cracking to achieve account compromise. No public exploit code exists at time of analysis, and the vulnerability has not been listed in CISA KEV, but the high confidentiality impact on credential material in OT/ICS environments warrants attention.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-9650 HIGH CISA Act Now

Credential exposure in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units & Controllers allows an unauthenticated attacker to recover credentials that are insufficiently protected within device firmware or system files (CWE-522). The recovered credentials can then be used to fully compromise the device when the attacker also has physical access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; vendor advisory SEVD-2026-160-02 covers the affected OT products.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-46734 HIGH This Week

Protection mechanism bypass in Dell Display and Peripheral Manager for Mac (versions prior to 2.3) stems from improper certificate validation, allowing a low-privileged local user to defeat a security control the application relies on. Dell self-reported the issue and there is no public exploit identified at time of analysis; EPSS is very low (0.07%) and CISA SSVC marks exploitation status as 'none', though technical impact is rated 'total'. The flaw affects the macOS build of DDPM, a companion utility for Dell monitors and peripherals.

Authentication Bypass Dell Display And Peripheral Manager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-56050 MEDIUM This Month

Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

Authentication Bypass WordPress Ppom For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-46733 HIGH This Week

Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dell Microsoft RCE Display And Peripheral Manager
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54842 HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Royal Mcp
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-57429 MEDIUM This Month

Broken access control in the Slim SEO WordPress plugin through version 4.6.2 allows authenticated users holding the Contributor role to bypass authorization checks and access restricted data, yielding a high confidentiality impact per CVSS C:H. The flaw is rooted in CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user holds sufficient privileges before executing certain privileged actions. No public exploit code and no CISA KEV listing exist at time of analysis; however, low attack complexity and no required user interaction make this straightforward to exploit by any valid contributor-level account holder.

Authentication Bypass Slim Seo
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56023 MEDIUM This Month

Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.

Authentication Bypass WordPress Upi Qr Code Payment Gateway For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-56013 MEDIUM This Month

Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54844 HIGH This Week

Missing authorization in the CheckView Automated Testing WordPress plugin (versions 2.1.0 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, enabling unauthorized modification of site data or test/automation state. The CVSS 3.1 vector (7.5, AV:N/AC:L/PR:N/UI:N) reflects a network-reachable, no-interaction flaw with high integrity impact but no confidentiality or availability loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Checkview Automated Testing
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54830 HIGH This Week

Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote unauthenticated attackers invoke protected plugin functionality and modify data without holding any account, per the CVSS PR:N vector. The flaw is a broken access control / missing capability check (CWE-862) reported by Patchstack, with a CVSS 3.1 base score of 7.5 driven entirely by integrity impact (C:N/I:H/A:N). No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Five Star Restaurant Reservations
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54828 HIGH This Week

Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Motors
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-27366 HIGH This Week

Broken access control in the MainWP Child WordPress plugin (versions 6.1.1 and earlier) allows remote attackers to invoke privileged actions without proper authorization checks (CWE-862). Because the flaw is reachable without authentication (PR:N) it can be triggered by external attackers, though exploitation depends on tricking a user into an action (UI:R) and on overcoming non-trivial conditions (AC:H). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Mainwp Child
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57619 MEDIUM This Month

Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk on any site with untrusted contributor accounts.

Authentication Bypass Information Disclosure Elementor Website Builder
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52690 MEDIUM PATCH This Month

DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.

Recursor Authentication Bypass Suse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-53248 HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53247 CRITICAL PATCH Act Now

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53234 HIGH This Week

Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).

Memory Corruption Authentication Bypass Linux Use After Free IBM
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53201 HIGH This Week

Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. There is no public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile); the fix is the revert commit itself, restoring unconditional schedule toggling on suspend.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12490 HIGH PATCH This Week

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. Reported by NLnet Labs with CVSS 4.0 8.2; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-5952 MEDIUM PATCH This Month

Incorrect authorization in GitLab CE/EE allows authenticated users holding developer-role permissions to bypass Maven package protection rules and overwrite protected package metadata. All GitLab versions from 17.11 through 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 are affected, with patched releases available across all three trains. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; real-world impact is scoped to organizations that have explicitly configured Maven package protection rules and host untrusted developer-role users.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-5796 MEDIUM PATCH This Month

Incorrect authorization in GitLab CE/EE's group packages feature exposes package metadata from projects where the Package Registry has been explicitly disabled, allowing any authenticated Reporter-level group member to enumerate package names, versions, and publish timestamps that project owners intended to restrict. The flaw spans a very wide version range - all 13.6+ releases up to the newly-issued fixes in 18.11.6, 19.0.3, and 19.1.1 - meaning a large proportion of self-hosted GitLab deployments are affected. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-5309 MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition's virtual registry cleanup policy feature allows authenticated users to read or modify cleanup policy settings belonging to groups they do not own. Affected versions span all GitLab EE releases from 18.6 through 18.11.5, 19.0 through 19.0.2, and 19.1.0. Exploitation requires a valid GitLab EE account but no elevated privileges; no public exploit code exists and this is not in CISA KEV at time of analysis.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-3176 LOW PATCH Monitor

Insufficient authorization checks in GitLab Enterprise Edition expose project information to authenticated users with limited permissions under specific, undisclosed conditions. Affecting all EE releases from 18.6 up to (but not including) 18.11.6, 19.0.3, and 19.1.1, this CWE-862 flaw allows a low-privileged authenticated attacker to read project data they should not have access to. No public exploit code exists and no active exploitation has been confirmed; the high attack complexity (AC:H) and requirement for an authenticated session substantially limit real-world risk.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-2238 MEDIUM PATCH This Month

Confidential issue references in GitLab CE/EE public projects are exposed to unauthenticated users due to missing authorization checks (CWE-862). Affecting all GitLab versions from 17.5 through 18.11.5, 19.0.0-19.0.2, and 19.1.0, this flaw enables any unauthenticated remote attacker to retrieve references to confidential issues on public projects - potentially revealing issue IDs, titles, or internal metadata that project owners explicitly restricted. No public exploit code or CISA KEV listing exists at time of analysis; however, the unauthenticated, low-complexity network vector makes this trivially automatable for reconnaissance against large GitLab installations.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11379 MEDIUM PATCH This Month

Incorrect authorization in GitLab Enterprise Edition's DAST site profile management exposes stored secrets to users with the Developer role under certain conditions. Affecting all GitLab EE releases from 13.11 through the recently patched 18.11.6, 19.0.3, and 19.1.1, the flaw allows a lower-privileged authenticated user to read secrets - such as authentication credentials or API tokens - embedded in DAST site profiles they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, and the high attack complexity (AC:H) implies specific conditions must align for exploitation to succeed.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-0934 LOW PATCH Monitor

Protected environment configuration bypass in GitLab Enterprise Edition exposes CI/CD deployment gates to authenticated users holding custom role permissions, even when CI/CD visibility is explicitly disabled for the project. Affecting all EE versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1, this CWE-863 (Incorrect Authorization) flaw allows such users to view, create, or delete protected environment rules that should be inaccessible. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-9780 HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7569 HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-49278 MEDIUM PATCH This Month

Rocket.Chat's Omnichannel visitors.info API endpoint exposes visitor session tokens in response payloads, enabling a privileged caller to capture and reuse those tokens for authentication bypass against LiveChat visitor identities. Affected deployments span multiple 7.x and 8.x release branches, with vendor-confirmed fixes across seven patch releases. No public exploit code and no CISA KEV listing exist at time of analysis; however, the CWE-285 (Improper Authorization) classification and 'Authentication Bypass' tag confirm meaningful post-exploitation potential for session impersonation.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.7
EPSS
0.2%
CVE-2026-45688 CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-45677 HIGH PATCH This Week

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.

Authentication Bypass Microsoft Google
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-33543 CRITICAL PATCH Act Now

Authentication bypass in FOSSBilling 0.7.2 and earlier lets remote unauthenticated attackers create a fully privileged administrator account through the guest bootstrap endpoint /api/guest/staff/create, which fails to lock after the first admin exists. Because the account can immediately authenticate, this yields complete takeover of the billing and client-management platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial network-based exploitation (CVSS 4.0 9.3) makes it a serious exposure for any internet-facing instance.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-13208 MEDIUM This Month

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. With CVSS 6.5 (AV:L/S:C), the attack requires local access via a compromised container but can impact multiple VMIs across tenants on the same node; no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Kubevirt Openshift Virtualization
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-54068 Go MEDIUM POC PATCH GHSA This Month

SiYuan's personal knowledge management system prior to 3.7.0 exposes all user note content to unauthenticated database exfiltration through a deliberately auth-excluded API endpoint. The `/api/icon/getDynamicIcon` endpoint, when invoked with `type=8` and a valid block ID, renders a Go template that executes arbitrary SELECT queries against SiYuan's SQLite backend via `querySQL` and `queryBlocks` functions - functions designed for note querying but reachable without any credential check. An attacker with network adjacency who possesses a valid block ID can read the entire database: note content, tags, asset references, and block attributes. No public exploit or CISA KEV listing has been identified at time of analysis; the AC:H rating reflects the block ID prerequisite. A fix is available in version 3.7.0.

Authentication Bypass Siyuan
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55762 HIGH PATCH This Week

{"setDeploymentAs": "new-workspace"}. The endpoint correctly requires authentication but performs no role/permission check (CWE-862), so the action wipes cloud credentials, removes the workspace license, and breaks push notifications for all users until manual re-registration. No public exploit identified at time of analysis; the issue is a denial-of-service / integrity flaw rather than data theft (CVSS C:N, I:H, A:H = 8.1).

Authentication Bypass Rocket Chat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55759 HIGH PATCH This Week

Authentication bypass in Rocket.Chat's Apple Sign-In handler allows attackers to impersonate any user by replaying a captured Apple identity token. The handler verifies the JWT signature but skips validation of the aud, exp, nbf, and nonce claims, so any Apple-signed token with a non-empty iss is accepted indefinitely with no replay-window expiry. Affected versions are those prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Apple Rocket Chat
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-55666 CRITICAL PATCH Act Now

Authentication bypass leading to account takeover in Rocket.Chat affects the Apple Sign-In OAuth flow prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The handleIdentityToken function in the Apple login handler falls back to trusting an attacker-supplied email value when the Apple-issued JWT omits an email claim, so a remote unauthenticated attacker can forge an email-less Apple JWT and log in as any victim by their email address. No public exploit is identified at time of analysis, but the CVSS 4.0 base score of 9.3 (critical) and trivial exploitation conditions make this a high priority for any instance with Apple login enabled.

Authentication Bypass Apple Rocket Chat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-52795 MEDIUM This Month

Private repository metadata in Gogs 0.14.3 and earlier leaks to any authenticated user due to a boolean inversion in the Watch API access control check. An authenticated attacker who watches a private repository they are not authorized to view will receive commit messages, branch names, issue titles, and PR details via their dashboard activity feed - and full issue and comment content via email if notifications are enabled. No public exploit has been identified at time of analysis, though the single-line boolean fix published in the upstream commit makes the flaw trivial to reproduce by any authenticated user who reads the commit diff.

Authentication Bypass Gogs
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-50128 MEDIUM PATCH This Month

Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1840 HIGH PATCH CISA Act Now

Missing authentication in the Aclara Metrum Cellular Web Interface (a Hubbell/Aclara cellular communications module used in utility smart-grid metering) lets remote attackers reach critical system functions without any credentials. Per the CVSS:4.0 vector (PR:N/UI:N) an unauthenticated network attacker can read and modify operational configuration and force device restarts, and repeated restarts can sever device communications - a pure availability impact (VA:H, no confidentiality or integrity loss). There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Aclara Metrum Cellular Web Interface
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-27708 HIGH PATCH This Week

Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. No public exploit identified at time of analysis, and the issue is resolved in version 0.8.0.

Authentication Bypass Fossbilling
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55583 HIGH PATCH This Week

Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a workspace owner by default) read another tenant's AI agent chat history and trigger LLM evaluations against the victim's data on the same instance. By supplying a victim's agentId or turnId to the agentTurns query or evaluateAgentTurn mutation, an attacker retrieves raw chat text, tool calls, and tool outputs that belong to a different workspace. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Twenty
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-13034 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-13024 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows an attacker who has already compromised the renderer process to escape Chrome's cross-origin containment boundary via a crafted HTML page, affecting all Chrome versions prior to 149.0.7827.197. The vulnerability stems from insufficient input validation (CWE-20) in the Navigation subsystem, which fails to properly enforce site isolation when navigations are initiated from a compromised renderer. No public exploit code has been identified and CISA SSVC confirms no known active exploitation at time of analysis, though the prerequisite of renderer compromise makes this a meaningful second-stage escalation primitive.

Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13021 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. SSVC assessment confirms no exploitation at time of analysis, and no public exploit code has been identified; the CVSS score of 4.3 Medium reflects meaningful but bounded confidentiality impact contingent on user interaction.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-56091 HIGH This Week

Authentication bypass in Apache Shiro affects deployments using the shiro-guice module in a web servlet context, where a specially crafted HTTP request can evade path-based access controls and reach protected resources without valid credentials. It mirrors the older shiro-spring flaw CVE-2020-1957 but targets the Guice integration instead, impacting all Shiro releases through 2.x and 3.0.0-alpha-1. No public exploit identified at time of analysis, though the CVSS 4.0 base score of 8.2 reflects high confidentiality impact and the close analogy to a previously exploited bug class.

Authentication Bypass Java Apache
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-53944 MEDIUM PATCH This Month

Server-side request forgery (SSRF) filter bypass in Ghost CMS 6.0.9 through 6.21.0 allows remote unauthenticated attackers to direct the application to reach internal network services by supplying IPv6 literals that map to private IPv4 addresses, circumventing Ghost's outbound IP blocklist. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the filter validates against RFC 1918 private ranges but does not normalize IPv6-mapped IPv4 notation before comparison. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; Ghost 6.21.1 resolves the issue.

Node.js Authentication Bypass Ghost
NVD GitHub
CVSS 3.1
5.8
EPSS
0.2%
CVE-2026-53945 MEDIUM PATCH This Month

DNS rebinding bypasses Ghost CMS's private-IP validation for outbound HTTP requests, enabling server-side request forgery (SSRF) against internal network resources. Versions 6.0.9 through 6.21.0 are affected; the root cause is a TOCTOU race (CWE-367) between Ghost's allowlist check and the actual TCP connection, which a DNS-rebinding attacker exploits by switching DNS records between check-time and connect-time. No public exploit code identified and not listed in CISA KEV, but the scope-changed CVSS rating (S:C) reflects that successful exploitation escapes Ghost's network boundary into adjacent internal infrastructure.

Node.js Authentication Bypass Ghost
NVD GitHub
CVSS 3.1
4.0
EPSS
0.1%
CVE-2026-45052 Maven CRITICAL PATCH GHSA Act Now

Improper authorization in OpenAM Community Edition's Liberty ID-WSF SOAP receiver lets an unauthenticated remote attacker write persistent entries into the Liberty Discovery store on any user's LDAP entry and into a shared root-realm Discovery branch, with the writes executed server-side under elevated internal privileges (the global path explicitly uses the internal admin token). All Open Identity Platform OpenAM Community Edition releases through 16.0.6 that expose the Liberty Web Services component are affected; the issue is fixed in 16.1.1. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the affected code ships in default configuration.

Authentication Bypass
NVD GitHub
CVE-2026-48721 HIGH PATCH This Week

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. No public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Warp
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-55611 NONE PATCH Awaiting Data

{} blocks that fire unconditionally - even when the preceding ownership-checked read fails - scoping deletion only by raw primary key with no userId or workspaceId constraint. Versions 1.11.1 through 1.14.0 are affected; no public exploit or CISA KEV listing identified at time of analysis, though the fix commit confirms the root cause and makes exploitation trivially reproducible.

Authentication Bypass Anything Llm
NVD GitHub
EPSS
0.2%
CVE-2026-8924 CRITICAL PATCH Act Now

Cross-domain cookie injection in curl (versions 7.46.0 through 8.20.0) lets a malicious or compromised HTTP server set 'super cookies' that bypass the Public Suffix List (PSL) safeguard, causing curl to scope attacker-supplied cookies to unrelated third-party domains and transmit them on later requests. Rated CVSS 9.1 and tagged as an authentication bypass, the flaw undermines cookie origin isolation, but EPSS is low at 0.22% (12th percentile), there is no CISA KEV listing, and no public exploit was identified at time of analysis. A patched release is available from the curl project.

Authentication Bypass Curl
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-12064 HIGH PATCH This Week

SSH host-key verification bypass in curl/libcurl (versions through 8.20.0) lets a network man-in-the-middle silently impersonate an SFTP/SCP server when a user invokes curl with a schemeless URL plus '--proto-default sftp' (or scp). In this specific invocation the command-line tool layer misidentifies the scheme and skips setting CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS, while libcurl still honors CURLOPT_DEFAULT_PROTOCOL and completes the connection, so curl connects to an unverified host without any error. Tagged an Authentication Bypass; EPSS is low (0.21%, 11th percentile) and no public exploit was identified at time of analysis.

Authentication Bypass Curl Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13164 HIGH PATCH This Week

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.

Authentication Bypass Mailerup
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-11877 MEDIUM This Month

Unauthorized configuration modification in OpenText Access Manager before 5.1.3 allows a remote unauthenticated attacker to alter system configuration via API calls that lack proper authorization enforcement, classified under CWE-648 (Incorrect Use of Privileged APIs). Affected deployments expose privileged API endpoints without adequate access control, enabling integrity impact across both the vulnerable system and subsequent systems relying on it for identity and access decisions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Access Manager
NVD VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-35025 HIGH This Week

Directory ACL bypass in ProFTPD (through 1.3.9b and 1.3.10rc2) lets authenticated FTP users reach files inside DenyAll-protected directories by prefixing paths with /proc/self/root in the RNFR (rename-from) command. Because the CVSS 4.0 vector specifies PR:L, exploitation requires a valid low-privilege FTP account, after which an attacker can rename and then retrieve files that configured Directory ACLs were meant to protect. There is no public exploit identified at time of analysis and no KEV listing, but the VulnCheck-assessed CVSS of 8.6 reflects the strong confidentiality and integrity impact on file-access controls.

Authentication Bypass Proftpd
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-57307 MEDIUM This Month

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Jenkins Jenkins Zowe Zdevops Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-57304 MEDIUM This Month

Jenkins Assembla Plugin 1.4 and earlier exposes a connection-test endpoint without adequate permission enforcement, allowing any Jenkins user holding only Overall/Read permission to trigger outbound HTTP connections to an arbitrary attacker-controlled URL with attacker-supplied credentials. This enables both a limited Server-Side Request Forgery (SSRF) vector for internal network probing and credential interception on the attacker's endpoint. No public exploit code or active exploitation has been identified at time of analysis; SSVC assessment confirms exploitation status as none.

Authentication Bypass Jenkins Jenkins Assembla Plugin
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57300 MEDIUM This Month

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.

Jenkins Jenkins Mcp Server Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57299 MEDIUM This Month

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. No public exploit code and no CISA KEV listing have been identified, making this a low-urgency but real information-disclosure concern for multi-tenant Jenkins environments with untrusted users.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57297 MEDIUM This Month

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating low current exploitation probability despite network reachability.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57294 MEDIUM This Month

Missing permission check in Jenkins EC2 Fleet Plugin versions up to 4.2.3.539.v8fedff2a_81c3 enables any authenticated user holding the low-privilege Overall/Read role to trigger a credential-capture attack by directing the plugin to connect to an attacker-controlled endpoint and transmitting AWS credentials stored in Jenkins. The attacker must independently obtain a valid credential ID before exploiting this flaw, making it a chained attack rather than a direct standalone exploit. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog; SSVC rates exploitation status as none.

Authentication Bypass Jenkins Jenkins Ec2 Fleet Plugin
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57293 MEDIUM This Month

Credential ID enumeration in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows authenticated attackers holding only global Item/Configure permission to bypass the intended per-job permission boundary and list credential IDs stored in Jenkins. The root cause is an incorrect permission check (CWE-862) that conflates global and job-scoped authorization, leaking credential identifiers without requiring job-level rights. No public exploit code exists and SSVC rates exploitation status as none; however, enumerated credential IDs can serve as reconnaissance for chained attacks targeting those credentials.

Authentication Bypass Jenkins Jenkins Gitee Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57291 MEDIUM This Month

Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow any authenticated user holding the minimal Overall/Read Jenkins role to trigger outbound connections from the Jenkins controller to an attacker-specified URL using credential IDs sourced through a secondary method. This creates an SSRF-like primitive enabling internal network probing and credential ID validation without administrative access. No public exploit code has been identified at time of analysis, and SSVC confirms current exploitation status as none.

Jenkins Jenkins Gitee Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57286 MEDIUM This Month

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata.

Jenkins Jenkins Git Parameter Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57285 MEDIUM This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.

Jenkins Jenkins Github Branch Source Plugin Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57280 HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.

Authentication Bypass Jenkins Jenkins Script Security Plugin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56310 MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56302 MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.

Authentication Bypass Newsblur
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Seahub (the Seafile web frontend) before 13.0.23 lets a holder of a folder share-link token call GET /api/v2.1/share-link-zip-task/ without honoring the SHARE_LINK_LOGIN_REQUIRED policy, obtaining a fileserver zip token to download entire shared directory trees. Classified as CWE-862 (Missing Authorization) and reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided in the input.

Authentication Bypass Seahub
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. Robot.findAll() with no userId scope), so a low-privileged account on a shared/multi-tenant instance can pivot across the entire tenant base. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix is committed and the trivial nature of an IDOR makes it readily reproducible.

Authentication Bypass Google Maxun
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. Scored CVSS 9.1 (CWE-287); no public exploit identified at time of analysis, though the underlying behavior has been openly documented for years.

Authentication Bypass Filebrowser
NVD GitHub
HIGH PATCH This Week

OAuth2/OIDC token forgery in OpenIdentity Platform's OpenAM Community Edition (through 16.0.6) lets an attacker mint OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject (userName), clientID, realm, and scope by abusing the stateful token-read path's failure to namespace and type-check Core Token Store (CTS) rows. The flaw is an Authorization Bypass Through User-Controlled Key (CWE-639): any CTS row whose BLOB merely claims to be an OAuth token is trusted on read with no integrity check, so an attacker who can write attacker-controlled JSON to CTS under a known identifier can impersonate any user or client. No public exploit has been identified at time of analysis, and the issue is fixed in version 16.1.1; it does not by itself grant an OpenAM SSO session or admin-console access.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Certificate trust-chain bypass in wolfSSL allows attackers to have an attacker-controlled certificate accepted as valid, but only in builds compiled with --enable-opensslextra where the application calls the OpenSSL-compatibility X509_verify_cert() with caller-supplied untrusted intermediates. The verifier returned success based on the last verified link instead of confirming the chain reaches a configured trust anchor, so a chain deeper than the maximum path depth (default 100) is accepted without ever validating against a trusted root. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; native wolfSSL TLS/DTLS and the default WOLFSSL_VERIFY_PEER handshake are unaffected.

Authentication Bypass OpenSSL Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository hijack pnpm's automatic version-switching mechanism. By committing crafted package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml - including matching pnpm and @pnpm/exe versions plus package records and snapshots - an attacker bypasses fresh package-manager resolution and causes pnpm to install and execute attacker-selected bytes when a developer runs pnpm in the cloned repo. No public exploit identified at time of analysis; the high CVSS of 8.8 reflects full confidentiality, integrity, and availability impact, gated only by the user running pnpm against the poisoned repository.

Authentication Bypass Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Authorization bypass in Red Hat Build of Keycloak's UMA engine lets an authenticated user who holds a valid permission ticket for a single resource escalate access to all resources of the same type on the resource server by crafting a specific permission request prefix. The bypass is silently permitted when the resource server operates in PERMISSIVE enforcement mode with ownerManagedAccess enabled and no explicit type-level policy in place. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis, but the low attack complexity and network vector make this a credible internal-privilege escalation path in affected Keycloak deployments.

Authentication Bypass Information Disclosure Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management rights over a single low-privilege group hijack the entire realm. A missing authorization check in the Admin REST API's GroupResource.addChild() endpoint allows reparenting an arbitrary group; when Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker can move a privileged group (e.g., one holding realm-admin) under a group they control, inheriting management and password-reset rights over its members. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the resulting full realm takeover makes it a serious escalation primitive in environments that delegate group administration.

Authentication Bypass Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access controls - role, scope, and User-Managed Access (UMA) permission checks - by embedding the configured access-denied page path inside a request URL as a path segment or query parameter. The affected component ships in the Red Hat Build of Keycloak, and successful exploitation grants unauthorized access to protected resources. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Cross-tenant credential decryption in ToolJet prior to 3.20.1780-lts allows any authenticated user to retrieve plaintext data-source secrets belonging to any other organization on the same instance. The POST /api/data-sources/decrypt endpoint omits the ValidateDataSourceGuard present on all neighboring routes and performs no organization-scoped lookup, meaning a valid session from any tenant is sufficient to exfiltrate database passwords, API keys, and other stored secrets across tenant boundaries. No public exploit has been identified at time of analysis, but the attack is mechanically trivial for any user with a valid account and knowledge of a target credential_id.

Authentication Bypass Tooljet
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Incorrect authorization logic during room creation in Venueless permits authenticated low-privilege users to create room types they are not permitted to create. The CVSS 4.0 score of 2.3 reflects the narrow, integrity-only impact and significant attack preconditions - requiring authentication, high complexity, and specific prerequisites. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Venueless
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.

Authentication Bypass Privilege Escalation Outline
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. EPSS is low (0.15%, 5th percentile) and no active exploitation is recorded, but proof-of-concept exploitation is acknowledged in the SSVC framework.

Authentication Bypass Librechat
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. Publicly available exploit code exists (SSVC: PoC), but EPSS is low (0.18%, 8th percentile) and it is not listed in CISA KEV.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.

Authentication Bypass K2 Extension For Joomla
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Incorrect file permission assignment on Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units exposes password hashes stored in system files to unauthorized reading by privileged local users. An attacker who has already obtained privileged local access to the RTU can read these improperly protected files, extract credential hashes, and perform offline cracking to achieve account compromise. No public exploit code exists at time of analysis, and the vulnerability has not been listed in CISA KEV, but the high confidentiality impact on credential material in OT/ICS environments warrants attention.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
EPSS 0% CVSS 8.7
HIGH Act Now

Credential exposure in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units & Controllers allows an unauthenticated attacker to recover credentials that are insufficiently protected within device firmware or system files (CWE-522). The recovered credentials can then be used to fully compromise the device when the attacker also has physical access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; vendor advisory SEVD-2026-160-02 covers the affected OT products.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Protection mechanism bypass in Dell Display and Peripheral Manager for Mac (versions prior to 2.3) stems from improper certificate validation, allowing a low-privileged local user to defeat a security control the application relies on. Dell self-reported the issue and there is no public exploit identified at time of analysis; EPSS is very low (0.07%) and CISA SSVC marks exploitation status as 'none', though technical impact is rated 'total'. The flaw affects the macOS build of DDPM, a companion utility for Dell monitors and peripherals.

Authentication Bypass Dell Display And Peripheral Manager
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

Authentication Bypass WordPress Ppom For Woocommerce
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dell Microsoft +2
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Royal Mcp
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Slim SEO WordPress plugin through version 4.6.2 allows authenticated users holding the Contributor role to bypass authorization checks and access restricted data, yielding a high confidentiality impact per CVSS C:H. The flaw is rooted in CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user holds sufficient privileges before executing certain privileged actions. No public exploit code and no CISA KEV listing exist at time of analysis; however, low attack complexity and no required user interaction make this straightforward to exploit by any valid contributor-level account holder.

Authentication Bypass Slim Seo
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.

Authentication Bypass WordPress Upi Qr Code Payment Gateway For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in the CheckView Automated Testing WordPress plugin (versions 2.1.0 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, enabling unauthorized modification of site data or test/automation state. The CVSS 3.1 vector (7.5, AV:N/AC:L/PR:N/UI:N) reflects a network-reachable, no-interaction flaw with high integrity impact but no confidentiality or availability loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Checkview Automated Testing
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote unauthenticated attackers invoke protected plugin functionality and modify data without holding any account, per the CVSS PR:N vector. The flaw is a broken access control / missing capability check (CWE-862) reported by Patchstack, with a CVSS 3.1 base score of 7.5 driven entirely by integrity impact (C:N/I:H/A:N). No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Five Star Restaurant Reservations
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Motors
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the MainWP Child WordPress plugin (versions 6.1.1 and earlier) allows remote attackers to invoke privileged actions without proper authorization checks (CWE-862). Because the flaw is reachable without authentication (PR:N) it can be triggered by external attackers, though exploitation depends on tricking a user into an action (UI:R) and on overcoming non-trivial conditions (AC:H). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Mainwp Child
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk on any site with untrusted contributor accounts.

Authentication Bypass Information Disclosure Elementor Website Builder
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.

Recursor Authentication Bypass Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.

Authentication Bypass Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).

Memory Corruption Authentication Bypass Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. There is no public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile); the fix is the revert commit itself, restoring unconditional schedule toggling on suspend.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. Reported by NLnet Labs with CVSS 4.0 8.2; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Nsd Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in GitLab CE/EE allows authenticated users holding developer-role permissions to bypass Maven package protection rules and overwrite protected package metadata. All GitLab versions from 17.11 through 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 are affected, with patched releases available across all three trains. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; real-world impact is scoped to organizations that have explicitly configured Maven package protection rules and host untrusted developer-role users.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in GitLab CE/EE's group packages feature exposes package metadata from projects where the Package Registry has been explicitly disabled, allowing any authenticated Reporter-level group member to enumerate package names, versions, and publish timestamps that project owners intended to restrict. The flaw spans a very wide version range - all 13.6+ releases up to the newly-issued fixes in 18.11.6, 19.0.3, and 19.1.1 - meaning a large proportion of self-hosted GitLab deployments are affected. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition's virtual registry cleanup policy feature allows authenticated users to read or modify cleanup policy settings belonging to groups they do not own. Affected versions span all GitLab EE releases from 18.6 through 18.11.5, 19.0 through 19.0.2, and 19.1.0. Exploitation requires a valid GitLab EE account but no elevated privileges; no public exploit code exists and this is not in CISA KEV at time of analysis.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient authorization checks in GitLab Enterprise Edition expose project information to authenticated users with limited permissions under specific, undisclosed conditions. Affecting all EE releases from 18.6 up to (but not including) 18.11.6, 19.0.3, and 19.1.1, this CWE-862 flaw allows a low-privileged authenticated attacker to read project data they should not have access to. No public exploit code exists and no active exploitation has been confirmed; the high attack complexity (AC:H) and requirement for an authenticated session substantially limit real-world risk.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Confidential issue references in GitLab CE/EE public projects are exposed to unauthenticated users due to missing authorization checks (CWE-862). Affecting all GitLab versions from 17.5 through 18.11.5, 19.0.0-19.0.2, and 19.1.0, this flaw enables any unauthenticated remote attacker to retrieve references to confidential issues on public projects - potentially revealing issue IDs, titles, or internal metadata that project owners explicitly restricted. No public exploit code or CISA KEV listing exists at time of analysis; however, the unauthenticated, low-complexity network vector makes this trivially automatable for reconnaissance against large GitLab installations.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect authorization in GitLab Enterprise Edition's DAST site profile management exposes stored secrets to users with the Developer role under certain conditions. Affecting all GitLab EE releases from 13.11 through the recently patched 18.11.6, 19.0.3, and 19.1.1, the flaw allows a lower-privileged authenticated user to read secrets - such as authentication credentials or API tokens - embedded in DAST site profiles they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, and the high attack complexity (AC:H) implies specific conditions must align for exploitation to succeed.

Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Protected environment configuration bypass in GitLab Enterprise Edition exposes CI/CD deployment gates to authenticated users holding custom role permissions, even when CI/CD visibility is explicitly disabled for the project. Affecting all EE versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1, this CWE-863 (Incorrect Authorization) flaw allows such users to view, create, or delete protected environment rules that should be inaccessible. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Gitlab
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Rocket.Chat's Omnichannel visitors.info API endpoint exposes visitor session tokens in response payloads, enabling a privileged caller to capture and reuse those tokens for authentication bypass against LiveChat visitor identities. Affected deployments span multiple 7.x and 8.x release branches, with vendor-confirmed fixes across seven patch releases. No public exploit code and no CISA KEV listing exist at time of analysis; however, the CWE-285 (Improper Authorization) classification and 'Authentication Bypass' tag confirm meaningful post-exploitation potential for session impersonation.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.

Authentication Bypass Microsoft Google
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in FOSSBilling 0.7.2 and earlier lets remote unauthenticated attackers create a fully privileged administrator account through the guest bootstrap endpoint /api/guest/staff/create, which fails to lock after the first admin exists. Because the account can immediately authenticate, this yields complete takeover of the billing and client-management platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial network-based exploitation (CVSS 4.0 9.3) makes it a serious exposure for any internet-facing instance.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. With CVSS 6.5 (AV:L/S:C), the attack requires local access via a compromised container but can impact multiple VMIs across tenants on the same node; no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Kubevirt Openshift Virtualization
NVD
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

SiYuan's personal knowledge management system prior to 3.7.0 exposes all user note content to unauthenticated database exfiltration through a deliberately auth-excluded API endpoint. The `/api/icon/getDynamicIcon` endpoint, when invoked with `type=8` and a valid block ID, renders a Go template that executes arbitrary SELECT queries against SiYuan's SQLite backend via `querySQL` and `queryBlocks` functions - functions designed for note querying but reachable without any credential check. An attacker with network adjacency who possesses a valid block ID can read the entire database: note content, tags, asset references, and block attributes. No public exploit or CISA KEV listing has been identified at time of analysis; the AC:H rating reflects the block ID prerequisite. A fix is available in version 3.7.0.

Authentication Bypass Siyuan
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{"setDeploymentAs": "new-workspace"}. The endpoint correctly requires authentication but performs no role/permission check (CWE-862), so the action wipes cloud credentials, removes the workspace license, and breaks push notifications for all users until manual re-registration. No public exploit identified at time of analysis; the issue is a denial-of-service / integrity flaw rather than data theft (CVSS C:N, I:H, A:H = 8.1).

Authentication Bypass Rocket Chat
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in Rocket.Chat's Apple Sign-In handler allows attackers to impersonate any user by replaying a captured Apple identity token. The handler verifies the JWT signature but skips validation of the aud, exp, nbf, and nonce claims, so any Apple-signed token with a non-empty iss is accepted indefinitely with no replay-window expiry. Affected versions are those prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Apple Rocket Chat
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass leading to account takeover in Rocket.Chat affects the Apple Sign-In OAuth flow prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The handleIdentityToken function in the Apple login handler falls back to trusting an attacker-supplied email value when the Apple-issued JWT omits an email claim, so a remote unauthenticated attacker can forge an email-less Apple JWT and log in as any victim by their email address. No public exploit is identified at time of analysis, but the CVSS 4.0 base score of 9.3 (critical) and trivial exploitation conditions make this a high priority for any instance with Apple login enabled.

Authentication Bypass Apple Rocket Chat
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Private repository metadata in Gogs 0.14.3 and earlier leaks to any authenticated user due to a boolean inversion in the Watch API access control check. An authenticated attacker who watches a private repository they are not authorized to view will receive commit messages, branch names, issue titles, and PR details via their dashboard activity feed - and full issue and comment content via email if notifications are enabled. No public exploit has been identified at time of analysis, though the single-line boolean fix published in the upstream commit makes the flaw trivial to reproduce by any authenticated user who reads the commit diff.

Authentication Bypass Gogs
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.

Authentication Bypass Mastodon
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH Act Now

Missing authentication in the Aclara Metrum Cellular Web Interface (a Hubbell/Aclara cellular communications module used in utility smart-grid metering) lets remote attackers reach critical system functions without any credentials. Per the CVSS:4.0 vector (PR:N/UI:N) an unauthenticated network attacker can read and modify operational configuration and force device restarts, and repeated restarts can sever device communications - a pure availability impact (VA:H, no confidentiality or integrity loss). There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Aclara Metrum Cellular Web Interface
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. No public exploit identified at time of analysis, and the issue is resolved in version 0.8.0.

Authentication Bypass Fossbilling
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a workspace owner by default) read another tenant's AI agent chat history and trigger LLM evaluations against the victim's data on the same instance. By supplying a victim's agentId or turnId to the agentTurns query or evaluateAgentTurn mutation, an attacker retrieves raw chat text, tool calls, and tool outputs that belong to a different workspace. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Twenty
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows an attacker who has already compromised the renderer process to escape Chrome's cross-origin containment boundary via a crafted HTML page, affecting all Chrome versions prior to 149.0.7827.197. The vulnerability stems from insufficient input validation (CWE-20) in the Navigation subsystem, which fails to properly enforce site isolation when navigations are initiated from a compromised renderer. No public exploit code has been identified and CISA SSVC confirms no known active exploitation at time of analysis, though the prerequisite of renderer compromise makes this a meaningful second-stage escalation primitive.

Authentication Bypass Google Red Hat
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. SSVC assessment confirms no exploitation at time of analysis, and no public exploit code has been identified; the CVSS score of 4.3 Medium reflects meaningful but bounded confidentiality impact contingent on user interaction.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass in Apache Shiro affects deployments using the shiro-guice module in a web servlet context, where a specially crafted HTTP request can evade path-based access controls and reach protected resources without valid credentials. It mirrors the older shiro-spring flaw CVE-2020-1957 but targets the Guice integration instead, impacting all Shiro releases through 2.x and 3.0.0-alpha-1. No public exploit identified at time of analysis, though the CVSS 4.0 base score of 8.2 reflects high confidentiality impact and the close analogy to a previously exploited bug class.

Authentication Bypass Java Apache
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery (SSRF) filter bypass in Ghost CMS 6.0.9 through 6.21.0 allows remote unauthenticated attackers to direct the application to reach internal network services by supplying IPv6 literals that map to private IPv4 addresses, circumventing Ghost's outbound IP blocklist. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the filter validates against RFC 1918 private ranges but does not normalize IPv6-mapped IPv4 notation before comparison. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; Ghost 6.21.1 resolves the issue.

Node.js Authentication Bypass Ghost
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

DNS rebinding bypasses Ghost CMS's private-IP validation for outbound HTTP requests, enabling server-side request forgery (SSRF) against internal network resources. Versions 6.0.9 through 6.21.0 are affected; the root cause is a TOCTOU race (CWE-367) between Ghost's allowlist check and the actual TCP connection, which a DNS-rebinding attacker exploits by switching DNS records between check-time and connect-time. No public exploit code identified and not listed in CISA KEV, but the scope-changed CVSS rating (S:C) reflects that successful exploitation escapes Ghost's network boundary into adjacent internal infrastructure.

Node.js Authentication Bypass Ghost
NVD GitHub
CRITICAL PATCH Act Now

Improper authorization in OpenAM Community Edition's Liberty ID-WSF SOAP receiver lets an unauthenticated remote attacker write persistent entries into the Liberty Discovery store on any user's LDAP entry and into a shared root-realm Discovery branch, with the writes executed server-side under elevated internal privileges (the global path explicitly uses the internal admin token). All Open Identity Platform OpenAM Community Edition releases through 16.0.6 that expose the Liberty Web Services component are affected; the issue is fixed in 16.1.1. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the affected code ships in default configuration.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Command-execution permission bypass in Warp's default unsandboxed CLI agent profile (versions 0.2025.10.08.08.12.stable_00 through the fix in 0.2026.05.06.15.42.stable_01) lets denylisted, confirmation-required commands auto-execute. Because the non-interactive CLI agent matched command strings against its denylist before stripping leading environment-variable assignments, an attacker able to influence the agent's emitted command output (e.g., via prompt injection) can prefix a blocked command such as 'rm' with 'X=1' to evade the safety boundary. No public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Warp
NVD GitHub
EPSS 0%
NONE PATCH Awaiting Data

{} blocks that fire unconditionally - even when the preceding ownership-checked read fails - scoping deletion only by raw primary key with no userId or workspaceId constraint. Versions 1.11.1 through 1.14.0 are affected; no public exploit or CISA KEV listing identified at time of analysis, though the fix commit confirms the root cause and makes exploitation trivially reproducible.

Authentication Bypass Anything Llm
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Cross-domain cookie injection in curl (versions 7.46.0 through 8.20.0) lets a malicious or compromised HTTP server set 'super cookies' that bypass the Public Suffix List (PSL) safeguard, causing curl to scope attacker-supplied cookies to unrelated third-party domains and transmit them on later requests. Rated CVSS 9.1 and tagged as an authentication bypass, the flaw undermines cookie origin isolation, but EPSS is low at 0.22% (12th percentile), there is no CISA KEV listing, and no public exploit was identified at time of analysis. A patched release is available from the curl project.

Authentication Bypass Curl
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SSH host-key verification bypass in curl/libcurl (versions through 8.20.0) lets a network man-in-the-middle silently impersonate an SFTP/SCP server when a user invokes curl with a schemeless URL plus '--proto-default sftp' (or scp). In this specific invocation the command-line tool layer misidentifies the scheme and skips setting CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS, while libcurl still honors CURLOPT_DEFAULT_PROTOCOL and completes the connection, so curl connects to an unverified host without any error. Tagged an Authentication Bypass; EPSS is low (0.21%, 11th percentile) and no public exploit was identified at time of analysis.

Authentication Bypass Curl Red Hat
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.

Authentication Bypass Mailerup
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Unauthorized configuration modification in OpenText Access Manager before 5.1.3 allows a remote unauthenticated attacker to alter system configuration via API calls that lack proper authorization enforcement, classified under CWE-648 (Incorrect Use of Privileged APIs). Affected deployments expose privileged API endpoints without adequate access control, enabling integrity impact across both the vulnerable system and subsequent systems relying on it for identity and access decisions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Access Manager
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Directory ACL bypass in ProFTPD (through 1.3.9b and 1.3.10rc2) lets authenticated FTP users reach files inside DenyAll-protected directories by prefixing paths with /proc/self/root in the RNFR (rename-from) command. Because the CVSS 4.0 vector specifies PR:L, exploitation requires a valid low-privilege FTP account, after which an attacker can rename and then retrieve files that configured Directory ACLs were meant to protect. There is no public exploit identified at time of analysis and no KEV listing, but the VulnCheck-assessed CVSS of 8.6 reflects the strong confidentiality and integrity impact on file-access controls.

Authentication Bypass Proftpd
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Jenkins Jenkins Zowe Zdevops Plugin Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Jenkins Assembla Plugin 1.4 and earlier exposes a connection-test endpoint without adequate permission enforcement, allowing any Jenkins user holding only Overall/Read permission to trigger outbound HTTP connections to an arbitrary attacker-controlled URL with attacker-supplied credentials. This enables both a limited Server-Side Request Forgery (SSRF) vector for internal network probing and credential interception on the attacker's endpoint. No public exploit code or active exploitation has been identified at time of analysis; SSVC assessment confirms exploitation status as none.

Authentication Bypass Jenkins Jenkins Assembla Plugin
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.

Jenkins Jenkins Mcp Server Plugin Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. No public exploit code and no CISA KEV listing have been identified, making this a low-urgency but real information-disclosure concern for multi-tenant Jenkins environments with untrusted users.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating low current exploitation probability despite network reachability.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing permission check in Jenkins EC2 Fleet Plugin versions up to 4.2.3.539.v8fedff2a_81c3 enables any authenticated user holding the low-privilege Overall/Read role to trigger a credential-capture attack by directing the plugin to connect to an attacker-controlled endpoint and transmitting AWS credentials stored in Jenkins. The attacker must independently obtain a valid credential ID before exploiting this flaw, making it a chained attack rather than a direct standalone exploit. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog; SSVC rates exploitation status as none.

Authentication Bypass Jenkins Jenkins Ec2 Fleet Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Credential ID enumeration in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows authenticated attackers holding only global Item/Configure permission to bypass the intended per-job permission boundary and list credential IDs stored in Jenkins. The root cause is an incorrect permission check (CWE-862) that conflates global and job-scoped authorization, leaking credential identifiers without requiring job-level rights. No public exploit code exists and SSVC rates exploitation status as none; however, enumerated credential IDs can serve as reconnaissance for chained attacks targeting those credentials.

Authentication Bypass Jenkins Jenkins Gitee Plugin
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow any authenticated user holding the minimal Overall/Read Jenkins role to trigger outbound connections from the Jenkins controller to an attacker-specified URL using credential IDs sourced through a secondary method. This creates an SSRF-like primitive enabling internal network probing and credential ID validation without administrative access. No public exploit code has been identified at time of analysis, and SSVC confirms current exploitation status as none.

Jenkins Jenkins Gitee Plugin Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata.

Jenkins Jenkins Git Parameter Plugin Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.

Jenkins Jenkins Github Branch Source Plugin Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.

Authentication Bypass Jenkins Jenkins Script Security Plugin
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
Prev Page 15 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy