Authentication Bypass
Monthly
Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.
HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.
Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.
Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis, but the network-exploitable nature and high impact on subsequent systems (SC:H/SI:H in CVSS 4.0) elevate this beyond its moderate overall score.
Missing authentication in line-desktop-mcp prior to 1.1.2 lets any network-reachable client invoke MCP tools that read LINE chat history and send messages through the logged-in LINE Desktop application. When started with --http-mode, the server binds 0.0.0.0 and exposes /mcp without an MCP-layer auth check, enabling unauthenticated remote abuse. No public exploit identified at time of analysis, but the fix (1.1.2) and commit are public, making reconstruction trivial.
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. The CVSS 4.0 vector signals no direct impact to APISIX itself but high confidentiality and integrity impact on subsequent systems - the upstream APIs and services the gateway is meant to protect. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.
Privilege escalation in Flexera FlexNet Manager Suite 2025 R1 allows an authenticated user holding only read-only access to account settings to elevate themselves to full Administrator. The flaw is a server-side access-control failure (CWE-284) reachable over the network with low privileges and no user interaction, scoring CVSS 4.0 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other JetBrains tools) lets an actor obtain administrative access by going through direct database access, per JetBrains' own advisory. Classified under CWE-306 (Missing Authentication for a Critical Function) and vendor-scored CVSS 9.8, it affects all builds before the fixed 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 releases. There is no public exploit identified at time of analysis and the EPSS probability is low (0.44%, 35th percentile), but full administrative compromise is the stated technical impact.
Local privilege escalation in Dell Server Hardware Manager versions prior to 3.2.2 allows a low-privileged local user to gain higher privileges due to improper access control (CWE-284). The CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflects high impact across confidentiality, integrity, and availability once exploited. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.
Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.
Denial-of-service in the Apollo Pharmacy Blood Glucose Monitoring System (model APG-01 BT) allows an attacker within Bluetooth Low Energy radio range to seize the device's single BLE connection slot, blocking the legitimate patient app or clinician from pairing and reading glucose measurements. The flaw is rooted in missing authorization (CWE-862) on connection acceptance and was disclosed through CISA's ICS Medical advisory ICSMA-26-169-01. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Arbitrary shell command execution in PraisonAI before 4.5.128 allows authenticated UI users to bypass the human-in-the-loop approval gate because the Chainlit chat and code UI modules hardcode approval_mode='auto' after loading administrator config from PRAISON_APPROVAL_MODE. Once auto-approved, prompts to the LLM agent reach subprocess.run with shell=True, and the existing blocklists only filter command chaining operators - leaving single destructive commands (rm -rf, curl, dd, chmod) executable. No public exploit identified at time of analysis beyond the vendor PoC; not currently listed in CISA KEV.
Tool approval cache bypass in PraisonAI Agents (praisonaiagents < 4.5.128) allows an LLM agent to execute arbitrary subsequent shell commands without user consent after a single initial approval. The approval system caches decisions keyed only on tool name - once a user approves `execute_command` for any command (e.g., `ls -la`), all further `execute_command` invocations in that agent session bypass the approval prompt entirely. Combined with `os.environ.copy()` passing the full process environment to every subprocess, this enables silent exfiltration of API keys and credentials; a publicly available proof-of-concept is included in the GHSA advisory. No confirmed active exploitation in CISA KEV at time of analysis.
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. No public exploit identified at time of analysis, and the vector's Exploit Code Maturity is rated Unproven.
Information disclosure in Microsoft 365 Copilot lets a remote, unauthenticated attacker reach a security-critical function that lacks an authentication check, exposing confidential data over the network. Classified CWE-306 (Missing Authentication for Critical Function) and rated CVSS 7.5, the flaw was reported by Microsoft and a vendor patch is available; there is no public exploit identified at time of analysis, though CISA's SSVC framework flags the issue as automatable with total technical impact. EPSS probability is low (0.50%, 39th percentile), indicating no current evidence of widespread exploitation.
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.37%, 29th percentile), and CISA SSVC currently scores exploitation as 'none.'
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Missing authorization in four write API endpoints of phpMyFAQ prior to version 4.1.4 allows any holder of the shared API key to create categories, create or update FAQs, and post questions regardless of their assigned role permissions. The vulnerability is a partial remediation gap: CVE-2026-24421 previously added `userHasPermission` checks to BackupController, but that fix was not consistently applied to CategoryController::create, FaqController::create, FaqController::update, and QuestionController::create. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found.
{:ok}. No public exploit identified at time of analysis, and the issue is fixed in 1.2.0.
Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. No public exploit identified at time of analysis, but the trivially guessable default credentials make discovery and abuse straightforward once the CQL port is reachable.
Hardcoded default credentials in Bitnami MariaDB Galera container images and Helm chart expose all default deployments to unauthenticated replication status enumeration over the network. The health-check user `monitor` with password `monitor` is granted REPLICATION CLIENT privileges from any host (`%`), meaning any network-accessible cluster running affected images (10.6.x through 12.3.x) or Helm chart prior to 18.3.0 can be accessed using these publicly known credentials. The Helm chart structurally prevented operators from overriding these credentials at deploy time, making the exposure pervasive across all standard chart-based deployments; no public exploit has been identified and the vulnerability is not in CISA KEV at time of analysis.
Improper authorization in nl.nl-portal:documenten-api (NL Portal Backend Libraries) exposes document contents to any authenticated portal user, regardless of document ownership. The flaw persisted across versions 3.0.1 and 3.0.2 despite a prior fix attempt for CVE-2026-49463: the GraphQL fix added an authentication parameter that was never passed to the service layer, and a parallel REST endpoint was left entirely unaddressed and protected only by a misconfigured security rule pointing at the wrong URL. No public exploit in CISA KEV, but a functional proof-of-concept is documented in the vendor advisory, and the CVSS 6.5 (PR:L/C:H) score reflects meaningful real-world impact for citizen and business portal deployments handling sensitive personal documents.
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. No public exploit or CISA KEV listing has been identified at time of analysis, though the zero-authentication, network-accessible attack surface makes this straightforward to probe at scale.
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.
Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.
Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The `required_headers` configuration field is validated at startup but never enforced by `handleReq()` at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. The risk is compounded when the `Secret` field is left at its empty default, which causes `github.ValidatePayload` to skip HMAC verification entirely - leaving deployments that rely solely on `required_headers` for auth with zero effective authentication. No public exploit code exists at time of analysis, but the advisory provides sufficient implementation detail to trivially reproduce the bypass.
Missing authorization in Kirby CMS lets authenticated users read the full content and metadata of pages they are not permitted to access via the /api/site/find REST route. It affects sites where a user role has the pages.access permission disabled (through user blueprints, model blueprint options, or a combination), on Kirby <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3. No public exploit identified at time of analysis; the flaw is read-only and cannot be used for write access, and the CVSS 4.0 vector rates confidentiality impact High (score 7.1).
Unauthorized file disclosure in Kirby CMS allows unauthenticated remote visitors to access files stored in top-level draft pages by requesting their clean file URL (e.g., /about-us/team.jpg) without authentication, draft-page authorization, or a valid preview token. The clean file redirect mechanism failed to enforce draft access controls before issuing the HTTP redirect to the physical media URL, affecting all Kirby 4 installations where content.fileRedirects has not been explicitly disabled and Kirby 5 installations where the option has been manually enabled. No public exploit or CISA KEV listing has been identified at time of analysis; patches are available in Kirby 4.9.4 and Kirby 5.4.4.
Missing authorization in Kirby CMS's page picker backend exposes restricted page metadata to authenticated users whose roles have `pages.access` disabled. Affected sites running Kirby up to 4.9.3 or between 5.0.0-alpha.1 and 5.4.3 allow such users to confirm the existence of arbitrary pages and read their title fields by supplying a known page path directly to the picker endpoint - bypassing role-based access controls. No public exploit or active exploitation has been identified; impact is strictly information disclosure with no write capability.
Agent impersonation in Woodpecker CI 3.0.0 through 3.14.0 allows any authenticated agent to assume the identity of any other agent on the same server by injecting a forged agent_id into outgoing gRPC metadata. The server validates the JWT correctly but then trusts the client-supplied agent_id over the cryptographically verified one, enabling cross-tenant job hijacking and integrity compromise of CI pipelines. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated live video stream access on the V380 IP Camera (firmware AppFHE1_V1.0.6.020230803, Shenzhen Liandian Communication Technology LTD) is achievable by any adjacent-network attacker who directly queries the RTSP media delivery endpoint, entirely bypassing the credential-enforced live-view authentication workflow. The root cause, CWE-306 (Missing Authentication for Critical Function), confirms that the RTSP pipeline lacks the authentication gate applied to the device's primary viewing interface - a structural authorization boundary failure rather than a logic bypass. The CVSS 4.0 supplemental metrics flag this as automatable (AU:Y), urgency Red (U:Red), and safety-impacting (S:P), elevating real-world priority for deployments in sensitive physical security environments despite the adjacent-only attack vector; no public exploit identified at time of analysis, though a researcher's GitHub documentation provides significant technical detail.
DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.
Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.
Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.
Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. No public exploit has been identified, CISA KEV listing is absent, and the vendor explicitly characterizes this as a non-targetable, low-practical-risk multi-tenancy isolation anomaly that cannot be forced or automated by a malicious actor.
Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. The vulnerability affects hydrooj npm package versions 4.10.4 through 5.0.1; no public exploit or KEV listing is identified, but the attack primitive is straightforward once a stale cookie is obtained.
Multipart form-data field injection in the npm package http-proxy-middleware (versions 3.0.4-3.0.6 and 4.0.0-4.1.0) lets remote attackers smuggle additional form parts past gateway-side validation by embedding CRLF sequences in body values, causing the proxy and backend to parse different field sets. The flaw lives in fixRequestBody's handlerFormDataBodyData helper, which concatenates user-controlled keys and values directly into the multipart wire format without neutralizing \r\n. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified as actively used in the wild and no CISA KEV listing.
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. No public exploit identified at time of analysis, but the upstream fix (PR #3335) confirms the issue and its trivial triggering condition.
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. No public exploit identified at time of analysis, but the upstream fix in PR #3360 confirms the defect and CVSS 4.0 scores it 9.3 (Critical).
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 and trivial logic flaw make this a priority fix.
Credential exposure in Worksnaps client application before version 1.6.20260201 allows attackers who obtain the binaries to extract hardcoded AWS root credentials and S3 bucket identifiers, granting access to production cloud resources containing sensitive user desktop screenshots. The flaw was disclosed by SEC-VLab (SEC Consult) and a vendor-patched build is available; no public exploit identified at time of analysis, though credential extraction from distributed binaries is trivial once the artifact is obtained.
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.
Persistent local denial of service in Google Android (Wear OS) is possible due to a missing permission check declared in AndroidManifest.xml, allowing a co-resident unprivileged app to invoke a protected component and render device functionality unavailable. No user interaction or elevated privileges are required, but exploitation is local rather than remote despite the headline CVSS 4.0 score of 10.0. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.
Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.
Hostname validation bypass in Node.js (versions 22.22.3, 24.16.0, and 26.3.0) lets attackers smuggle embedded NUL bytes through the dns and net subsystems, truncating a hostname after the NUL so that application-level allowlists, SNI checks, or destination filters validate one host while the runtime resolves or connects to another. The Node.js project rates this specific issue Medium and shipped the fix in its June 2026 security release; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.28%, 20th percentile), and it is not in CISA KEV. Note a significant signal conflict: the aggregate input score of CVSS 9.8 with an 'Authentication Bypass' tag is far above the vendor's own Medium rating for this CVE and appears to be an inflated pre-NVD auto-score.
TLS SNI context matching in Node.js performs case-sensitive hostname comparison, enabling network-accessible low-privileged attackers to bypass intended server-side TLS context selection by varying the casing of the SNI hostname in a ClientHello message. Affected versions prior to 26.3.1 may serve an incorrect TLS certificate or context when a client sends an SNI value with unexpected casing (e.g., 'EXAMPLE.COM' versus 'example.com'), yielding limited confidentiality and integrity impacts in multi-hostname deployments. No public exploit code or active exploitation has been identified; the fix shipped as part of the Node.js June 2026 coordinated security release alongside ten other CVEs.
Pre-NVD disclosure via GitHub release '2026-06-18, Version 26.3.1 (Current), @aduh95' (nodejs/node). This is a security release. ### Notable Changes * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching
Node.js Permission Model fails to apply net scope guards to pipe open and chmod operations, enabling a local authenticated user to bypass intended access control boundaries enforced by the experimental Permission Model. Affected is Node.js v26.x prior to v26.3.1 (Current release line), disclosed in the June 2026 security release. Rated Low severity by the Node.js team; no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.
Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). No public exploit identified at time of analysis, but the issue was disclosed by Wordfence with detailed source-line references making weaponization straightforward.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Improper access control in vantage6 nodes prior to version 5.0.0 allows malicious algorithm containers to read input and output files belonging to other algorithms running on the same node. This directly undermines the core privacy guarantee of the platform - a federated learning infrastructure explicitly designed for privacy-preserving analysis - by exposing sensitive intermediate data to adversarially crafted algorithms. No public exploit has been identified at time of analysis, and a patch is available in version 5.0.0.
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete theme templates belonging to other workspaces by supplying a foreign themeTemplateId to the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers. The handlers verify only that the caller is a non-guest member of the workspaceId argument but execute Prisma queries that omit workspaceId from the WHERE clause, producing an Insecure Direct Object Reference (CWE-639). No public exploit identified at time of analysis, and the issue was remediated in Typebot 3.16.0.
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.
Incorrect authorization in Sonatype Nexus Repository Manager before 3.93.0 permits a delegated repository administrator to read stored upstream proxy credentials beyond their intended authorization scope. The flaw resides in the proxy repository configuration pathway, where role-scoped administrators can retrieve credentials that should be restricted to higher-privilege system-level accounts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though the high confidentiality impact on stored upstream credentials is notable given that exposure enables potential unauthorized access to private upstream artifact repositories.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
Improper access control in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 exposes the Student Self-Registration Endpoint (/index.php) to unauthenticated remote exploitation. The CWE-284 root cause, combined with the 'Authentication Bypass' tag, indicates that the self-registration flow fails to enforce intended access boundaries, potentially allowing unauthenticated users to access, manipulate, or enumerate data beyond their authorized scope. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Namespace tenant-label hijack in Capsule v0.13.0-0.13.5 allows an authenticated Kubernetes user with namespaces/finalize RBAC permission to bypass the validating admission webhook and overwrite tenant isolation labels via the finalize subresource. The root cause is a one-character typo in the Helm chart configuration - `namespace/finalize` (singular) instead of `namespaces/finalize` (plural) - rendering the CVE-2026-30963 patch in v0.13.2 entirely ineffective. Publicly available exploit code (PoC) exists and has been confirmed on a kind cluster running Capsule v0.13.2; no active exploitation has been confirmed by CISA KEV.
Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth grants to read and modify private account resources via `/api/v1/user/...` self routes, despite the public-only flag being designed to restrict tokens to public data. The flaw is a systemic scope-boundary failure across many self routes (SSH keys, emails, OAuth apps, Actions secrets/variables/runners, private repos, webhooks), publicly available exploit code exists in the form of reproducible Go PoCs in the advisory, and the issue represents an incomplete fix of CVE-2025-68941 in a different route family.
Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.
Cross-tenant confidentiality breach in Daytona's notification WebSocket gateway (versions 0.101.0 through 0.184.0) allows any JWT-authenticated user to passively receive realtime event data belonging to a different organization by supplying an arbitrary organization UUID during the WebSocket handshake. The gateway's JWT authentication flow accepted the client-supplied organizationId and joined the corresponding notification room without verifying organizational membership, exposing sandbox, snapshot, volume, and runner events across tenant boundaries. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack is mechanically trivial for any authenticated user who can obtain a target organization's UUID.
Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer `url_idx` path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when `url_idx` is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the attack requires only a valid user account and knowledge of the URL pattern, making it a low-barrier insider threat in any multi-backend deployment.
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session transcripts belonging to other profiles by calling the session export endpoint with a guessed or known session ID. The flaw is a classic IDOR (CWE-639) in the _handle_session_export handler, which omits active-profile ownership checks before serializing the requested session. No public exploit identified at time of analysis, but VulnCheck published a coordinated advisory and the upstream fix is shipped in v0.51.443.
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation transcripts and metadata belonging to other profiles by passing a foreign session_id to the /api/session endpoint. The flaw is a classic IDOR (CWE-639) where profile boundary checks are missing on by-id reads. No public exploit identified at time of analysis, but the trigger is a single trivial GET request and the upstream patch openly describes the fix as 'scope session by-id reads + exports to active profile,' which discloses the bypass.
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first passkey on instances where HERMES_WEBUI_PASSKEY=1 is set and no credentials yet exist, yielding permanent administrative control. The flaw resides in the passkey registration API endpoints, which fail to enforce authentication during the initial enrollment window. No public exploit identified at time of analysis, but a vendor patch is available and the issue was disclosed by VulnCheck.
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files, and resources belonging to other profiles by forging the hermes_profile cookie. The flaw lives in get_profile_cookie(), which trusted attacker-supplied profile names without binding them to the authenticated session. VulnCheck reported the issue and an upstream patch is available; no public exploit identified at time of analysis.
Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.
HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.
Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.
Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis, but the network-exploitable nature and high impact on subsequent systems (SC:H/SI:H in CVSS 4.0) elevate this beyond its moderate overall score.
Missing authentication in line-desktop-mcp prior to 1.1.2 lets any network-reachable client invoke MCP tools that read LINE chat history and send messages through the logged-in LINE Desktop application. When started with --http-mode, the server binds 0.0.0.0 and exposes /mcp without an MCP-layer auth check, enabling unauthenticated remote abuse. No public exploit identified at time of analysis, but the fix (1.1.2) and commit are public, making reconstruction trivial.
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. The CVSS 4.0 vector signals no direct impact to APISIX itself but high confidentiality and integrity impact on subsequent systems - the upstream APIs and services the gateway is meant to protect. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.
Privilege escalation in Flexera FlexNet Manager Suite 2025 R1 allows an authenticated user holding only read-only access to account settings to elevate themselves to full Administrator. The flaw is a server-side access-control failure (CWE-284) reachable over the network with low privileges and no user interaction, scoring CVSS 4.0 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other JetBrains tools) lets an actor obtain administrative access by going through direct database access, per JetBrains' own advisory. Classified under CWE-306 (Missing Authentication for a Critical Function) and vendor-scored CVSS 9.8, it affects all builds before the fixed 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 releases. There is no public exploit identified at time of analysis and the EPSS probability is low (0.44%, 35th percentile), but full administrative compromise is the stated technical impact.
Local privilege escalation in Dell Server Hardware Manager versions prior to 3.2.2 allows a low-privileged local user to gain higher privileges due to improper access control (CWE-284). The CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflects high impact across confidentiality, integrity, and availability once exploited. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.
Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.
Denial-of-service in the Apollo Pharmacy Blood Glucose Monitoring System (model APG-01 BT) allows an attacker within Bluetooth Low Energy radio range to seize the device's single BLE connection slot, blocking the legitimate patient app or clinician from pairing and reading glucose measurements. The flaw is rooted in missing authorization (CWE-862) on connection acceptance and was disclosed through CISA's ICS Medical advisory ICSMA-26-169-01. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Arbitrary shell command execution in PraisonAI before 4.5.128 allows authenticated UI users to bypass the human-in-the-loop approval gate because the Chainlit chat and code UI modules hardcode approval_mode='auto' after loading administrator config from PRAISON_APPROVAL_MODE. Once auto-approved, prompts to the LLM agent reach subprocess.run with shell=True, and the existing blocklists only filter command chaining operators - leaving single destructive commands (rm -rf, curl, dd, chmod) executable. No public exploit identified at time of analysis beyond the vendor PoC; not currently listed in CISA KEV.
Tool approval cache bypass in PraisonAI Agents (praisonaiagents < 4.5.128) allows an LLM agent to execute arbitrary subsequent shell commands without user consent after a single initial approval. The approval system caches decisions keyed only on tool name - once a user approves `execute_command` for any command (e.g., `ls -la`), all further `execute_command` invocations in that agent session bypass the approval prompt entirely. Combined with `os.environ.copy()` passing the full process environment to every subprocess, this enables silent exfiltration of API keys and credentials; a publicly available proof-of-concept is included in the GHSA advisory. No confirmed active exploitation in CISA KEV at time of analysis.
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. No public exploit identified at time of analysis, and the vector's Exploit Code Maturity is rated Unproven.
Information disclosure in Microsoft 365 Copilot lets a remote, unauthenticated attacker reach a security-critical function that lacks an authentication check, exposing confidential data over the network. Classified CWE-306 (Missing Authentication for Critical Function) and rated CVSS 7.5, the flaw was reported by Microsoft and a vendor patch is available; there is no public exploit identified at time of analysis, though CISA's SSVC framework flags the issue as automatable with total technical impact. EPSS probability is low (0.50%, 39th percentile), indicating no current evidence of widespread exploitation.
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.37%, 29th percentile), and CISA SSVC currently scores exploitation as 'none.'
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Missing authorization in four write API endpoints of phpMyFAQ prior to version 4.1.4 allows any holder of the shared API key to create categories, create or update FAQs, and post questions regardless of their assigned role permissions. The vulnerability is a partial remediation gap: CVE-2026-24421 previously added `userHasPermission` checks to BackupController, but that fix was not consistently applied to CategoryController::create, FaqController::create, FaqController::update, and QuestionController::create. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found.
{:ok}. No public exploit identified at time of analysis, and the issue is fixed in 1.2.0.
Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. No public exploit identified at time of analysis, but the trivially guessable default credentials make discovery and abuse straightforward once the CQL port is reachable.
Hardcoded default credentials in Bitnami MariaDB Galera container images and Helm chart expose all default deployments to unauthenticated replication status enumeration over the network. The health-check user `monitor` with password `monitor` is granted REPLICATION CLIENT privileges from any host (`%`), meaning any network-accessible cluster running affected images (10.6.x through 12.3.x) or Helm chart prior to 18.3.0 can be accessed using these publicly known credentials. The Helm chart structurally prevented operators from overriding these credentials at deploy time, making the exposure pervasive across all standard chart-based deployments; no public exploit has been identified and the vulnerability is not in CISA KEV at time of analysis.
Improper authorization in nl.nl-portal:documenten-api (NL Portal Backend Libraries) exposes document contents to any authenticated portal user, regardless of document ownership. The flaw persisted across versions 3.0.1 and 3.0.2 despite a prior fix attempt for CVE-2026-49463: the GraphQL fix added an authentication parameter that was never passed to the service layer, and a parallel REST endpoint was left entirely unaddressed and protected only by a misconfigured security rule pointing at the wrong URL. No public exploit in CISA KEV, but a functional proof-of-concept is documented in the vendor advisory, and the CVSS 6.5 (PR:L/C:H) score reflects meaningful real-world impact for citizen and business portal deployments handling sensitive personal documents.
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. No public exploit or CISA KEV listing has been identified at time of analysis, though the zero-authentication, network-accessible attack surface makes this straightforward to probe at scale.
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.
Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.
Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The `required_headers` configuration field is validated at startup but never enforced by `handleReq()` at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. The risk is compounded when the `Secret` field is left at its empty default, which causes `github.ValidatePayload` to skip HMAC verification entirely - leaving deployments that rely solely on `required_headers` for auth with zero effective authentication. No public exploit code exists at time of analysis, but the advisory provides sufficient implementation detail to trivially reproduce the bypass.
Missing authorization in Kirby CMS lets authenticated users read the full content and metadata of pages they are not permitted to access via the /api/site/find REST route. It affects sites where a user role has the pages.access permission disabled (through user blueprints, model blueprint options, or a combination), on Kirby <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3. No public exploit identified at time of analysis; the flaw is read-only and cannot be used for write access, and the CVSS 4.0 vector rates confidentiality impact High (score 7.1).
Unauthorized file disclosure in Kirby CMS allows unauthenticated remote visitors to access files stored in top-level draft pages by requesting their clean file URL (e.g., /about-us/team.jpg) without authentication, draft-page authorization, or a valid preview token. The clean file redirect mechanism failed to enforce draft access controls before issuing the HTTP redirect to the physical media URL, affecting all Kirby 4 installations where content.fileRedirects has not been explicitly disabled and Kirby 5 installations where the option has been manually enabled. No public exploit or CISA KEV listing has been identified at time of analysis; patches are available in Kirby 4.9.4 and Kirby 5.4.4.
Missing authorization in Kirby CMS's page picker backend exposes restricted page metadata to authenticated users whose roles have `pages.access` disabled. Affected sites running Kirby up to 4.9.3 or between 5.0.0-alpha.1 and 5.4.3 allow such users to confirm the existence of arbitrary pages and read their title fields by supplying a known page path directly to the picker endpoint - bypassing role-based access controls. No public exploit or active exploitation has been identified; impact is strictly information disclosure with no write capability.
Agent impersonation in Woodpecker CI 3.0.0 through 3.14.0 allows any authenticated agent to assume the identity of any other agent on the same server by injecting a forged agent_id into outgoing gRPC metadata. The server validates the JWT correctly but then trusts the client-supplied agent_id over the cryptographically verified one, enabling cross-tenant job hijacking and integrity compromise of CI pipelines. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated live video stream access on the V380 IP Camera (firmware AppFHE1_V1.0.6.020230803, Shenzhen Liandian Communication Technology LTD) is achievable by any adjacent-network attacker who directly queries the RTSP media delivery endpoint, entirely bypassing the credential-enforced live-view authentication workflow. The root cause, CWE-306 (Missing Authentication for Critical Function), confirms that the RTSP pipeline lacks the authentication gate applied to the device's primary viewing interface - a structural authorization boundary failure rather than a logic bypass. The CVSS 4.0 supplemental metrics flag this as automatable (AU:Y), urgency Red (U:Red), and safety-impacting (S:P), elevating real-world priority for deployments in sensitive physical security environments despite the adjacent-only attack vector; no public exploit identified at time of analysis, though a researcher's GitHub documentation provides significant technical detail.
DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.
Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.
Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.
Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. No public exploit has been identified, CISA KEV listing is absent, and the vendor explicitly characterizes this as a non-targetable, low-practical-risk multi-tenancy isolation anomaly that cannot be forced or automated by a malicious actor.
Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. The vulnerability affects hydrooj npm package versions 4.10.4 through 5.0.1; no public exploit or KEV listing is identified, but the attack primitive is straightforward once a stale cookie is obtained.
Multipart form-data field injection in the npm package http-proxy-middleware (versions 3.0.4-3.0.6 and 4.0.0-4.1.0) lets remote attackers smuggle additional form parts past gateway-side validation by embedding CRLF sequences in body values, causing the proxy and backend to parse different field sets. The flaw lives in fixRequestBody's handlerFormDataBodyData helper, which concatenates user-controlled keys and values directly into the multipart wire format without neutralizing \r\n. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified as actively used in the wild and no CISA KEV listing.
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. No public exploit identified at time of analysis, but the upstream fix (PR #3335) confirms the issue and its trivial triggering condition.
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. No public exploit identified at time of analysis, but the upstream fix in PR #3360 confirms the defect and CVSS 4.0 scores it 9.3 (Critical).
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 and trivial logic flaw make this a priority fix.
Credential exposure in Worksnaps client application before version 1.6.20260201 allows attackers who obtain the binaries to extract hardcoded AWS root credentials and S3 bucket identifiers, granting access to production cloud resources containing sensitive user desktop screenshots. The flaw was disclosed by SEC-VLab (SEC Consult) and a vendor-patched build is available; no public exploit identified at time of analysis, though credential extraction from distributed binaries is trivial once the artifact is obtained.
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.
Persistent local denial of service in Google Android (Wear OS) is possible due to a missing permission check declared in AndroidManifest.xml, allowing a co-resident unprivileged app to invoke a protected component and render device functionality unavailable. No user interaction or elevated privileges are required, but exploitation is local rather than remote despite the headline CVSS 4.0 score of 10.0. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.
Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.
Hostname validation bypass in Node.js (versions 22.22.3, 24.16.0, and 26.3.0) lets attackers smuggle embedded NUL bytes through the dns and net subsystems, truncating a hostname after the NUL so that application-level allowlists, SNI checks, or destination filters validate one host while the runtime resolves or connects to another. The Node.js project rates this specific issue Medium and shipped the fix in its June 2026 security release; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.28%, 20th percentile), and it is not in CISA KEV. Note a significant signal conflict: the aggregate input score of CVSS 9.8 with an 'Authentication Bypass' tag is far above the vendor's own Medium rating for this CVE and appears to be an inflated pre-NVD auto-score.
TLS SNI context matching in Node.js performs case-sensitive hostname comparison, enabling network-accessible low-privileged attackers to bypass intended server-side TLS context selection by varying the casing of the SNI hostname in a ClientHello message. Affected versions prior to 26.3.1 may serve an incorrect TLS certificate or context when a client sends an SNI value with unexpected casing (e.g., 'EXAMPLE.COM' versus 'example.com'), yielding limited confidentiality and integrity impacts in multi-hostname deployments. No public exploit code or active exploitation has been identified; the fix shipped as part of the Node.js June 2026 coordinated security release alongside ten other CVEs.
Pre-NVD disclosure via GitHub release '2026-06-18, Version 26.3.1 (Current), @aduh95' (nodejs/node). This is a security release. ### Notable Changes * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching
Node.js Permission Model fails to apply net scope guards to pipe open and chmod operations, enabling a local authenticated user to bypass intended access control boundaries enforced by the experimental Permission Model. Affected is Node.js v26.x prior to v26.3.1 (Current release line), disclosed in the June 2026 security release. Rated Low severity by the Node.js team; no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.
Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). No public exploit identified at time of analysis, but the issue was disclosed by Wordfence with detailed source-line references making weaponization straightforward.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Improper access control in vantage6 nodes prior to version 5.0.0 allows malicious algorithm containers to read input and output files belonging to other algorithms running on the same node. This directly undermines the core privacy guarantee of the platform - a federated learning infrastructure explicitly designed for privacy-preserving analysis - by exposing sensitive intermediate data to adversarially crafted algorithms. No public exploit has been identified at time of analysis, and a patch is available in version 5.0.0.
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete theme templates belonging to other workspaces by supplying a foreign themeTemplateId to the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers. The handlers verify only that the caller is a non-guest member of the workspaceId argument but execute Prisma queries that omit workspaceId from the WHERE clause, producing an Insecure Direct Object Reference (CWE-639). No public exploit identified at time of analysis, and the issue was remediated in Typebot 3.16.0.
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.
Incorrect authorization in Sonatype Nexus Repository Manager before 3.93.0 permits a delegated repository administrator to read stored upstream proxy credentials beyond their intended authorization scope. The flaw resides in the proxy repository configuration pathway, where role-scoped administrators can retrieve credentials that should be restricted to higher-privilege system-level accounts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though the high confidentiality impact on stored upstream credentials is notable given that exposure enables potential unauthorized access to private upstream artifact repositories.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
Improper access control in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 exposes the Student Self-Registration Endpoint (/index.php) to unauthenticated remote exploitation. The CWE-284 root cause, combined with the 'Authentication Bypass' tag, indicates that the self-registration flow fails to enforce intended access boundaries, potentially allowing unauthenticated users to access, manipulate, or enumerate data beyond their authorized scope. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Namespace tenant-label hijack in Capsule v0.13.0-0.13.5 allows an authenticated Kubernetes user with namespaces/finalize RBAC permission to bypass the validating admission webhook and overwrite tenant isolation labels via the finalize subresource. The root cause is a one-character typo in the Helm chart configuration - `namespace/finalize` (singular) instead of `namespaces/finalize` (plural) - rendering the CVE-2026-30963 patch in v0.13.2 entirely ineffective. Publicly available exploit code (PoC) exists and has been confirmed on a kind cluster running Capsule v0.13.2; no active exploitation has been confirmed by CISA KEV.
Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth grants to read and modify private account resources via `/api/v1/user/...` self routes, despite the public-only flag being designed to restrict tokens to public data. The flaw is a systemic scope-boundary failure across many self routes (SSH keys, emails, OAuth apps, Actions secrets/variables/runners, private repos, webhooks), publicly available exploit code exists in the form of reproducible Go PoCs in the advisory, and the issue represents an incomplete fix of CVE-2025-68941 in a different route family.
Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.
Cross-tenant confidentiality breach in Daytona's notification WebSocket gateway (versions 0.101.0 through 0.184.0) allows any JWT-authenticated user to passively receive realtime event data belonging to a different organization by supplying an arbitrary organization UUID during the WebSocket handshake. The gateway's JWT authentication flow accepted the client-supplied organizationId and joined the corresponding notification room without verifying organizational membership, exposing sandbox, snapshot, volume, and runner events across tenant boundaries. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack is mechanically trivial for any authenticated user who can obtain a target organization's UUID.
Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer `url_idx` path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when `url_idx` is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the attack requires only a valid user account and knowledge of the URL pattern, making it a low-barrier insider threat in any multi-backend deployment.
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session transcripts belonging to other profiles by calling the session export endpoint with a guessed or known session ID. The flaw is a classic IDOR (CWE-639) in the _handle_session_export handler, which omits active-profile ownership checks before serializing the requested session. No public exploit identified at time of analysis, but VulnCheck published a coordinated advisory and the upstream fix is shipped in v0.51.443.
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation transcripts and metadata belonging to other profiles by passing a foreign session_id to the /api/session endpoint. The flaw is a classic IDOR (CWE-639) where profile boundary checks are missing on by-id reads. No public exploit identified at time of analysis, but the trigger is a single trivial GET request and the upstream patch openly describes the fix as 'scope session by-id reads + exports to active profile,' which discloses the bypass.
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first passkey on instances where HERMES_WEBUI_PASSKEY=1 is set and no credentials yet exist, yielding permanent administrative control. The flaw resides in the passkey registration API endpoints, which fail to enforce authentication during the initial enrollment window. No public exploit identified at time of analysis, but a vendor patch is available and the issue was disclosed by VulnCheck.
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files, and resources belonging to other profiles by forging the hermes_profile cookie. The flaw lives in get_profile_cookie(), which trusted attacker-supplied profile names without binding them to the authenticated session. VulnCheck reported the issue and an upstream patch is available; no public exploit identified at time of analysis.