Authentication Bypass

7655 CVEs technique

Monthly

CVE-2025-70841 CRITICAL POC Act Now

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtain sensitive application secrets and tenant data.

Laravel Authentication Bypass Dokans
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-70758 HIGH This Week

chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69971 npm CRITICAL Act Now

FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.

Authentication Bypass Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-37115 MEDIUM POC This Month

GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. [CVSS 6.5 MEDIUM]

Authentication Bypass Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1568 CRITICAL Act Now

Rapid7 InsightVM before 8.34.0 has a SAML signature verification bypass (CVSS 9.6) allowing attackers to forge authentication assertions and gain unauthorized access.

Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-21862 Cargo HIGH PATCH This Week

RustFS is a distributed object storage system built in Rust. [CVSS 7.5 HIGH]

Authentication Bypass Rustfs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25036 MEDIUM This Month

The Passster WordPress plugin through version 4.2.25 contains an authorization bypass that allows authenticated users to access content protection mechanisms without proper permission validation. An attacker with low-privilege WordPress credentials can circumvent access controls to view protected content that should be restricted. No patch is currently available for this vulnerability.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25028 MEDIUM This Month

Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25021 MEDIUM This Month

Mizan Themes Mizan Demo Importer mizan-demo-importer is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25019 MEDIUM This Month

Atarim visual collaboration plugin versions 4.3.1 and earlier contain an access control bypass that allows unauthenticated remote attackers to modify data through improperly configured security levels. The vulnerability affects all installations of the affected plugin and requires no user interaction to exploit. No patch is currently available for this authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25016 MEDIUM This Month

Nelio Popups versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows authenticated users to modify popup content without proper access controls. An attacker with valid credentials can exploit misconfigured access control levels to make unauthorized changes to popups. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25010 MEDIUM This Month

ILLID Share This Image plugin version 2.09 and earlier contains an access control bypass that allows unauthenticated remote attackers to modify content through improperly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network to alter shared images or related data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24997 MEDIUM This Month

Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24996 MEDIUM This Month

WPElemento Importer through version 0.6.4 contains a missing authorization flaw that allows authenticated users to modify data due to improper access control enforcement. An attacker with valid credentials can exploit this vulnerability to perform unauthorized modifications without requiring user interaction. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24995 MEDIUM This Month

Iulia Cazan Latest Post Shortcode latest-post-shortcode is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24994 MEDIUM This Month

sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24991 MEDIUM This Month

HT Plugins Extensions For CF7 extensions-for-cf7 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24984 MEDIUM This Month

Brecht Visual Link Preview versions 2.2.9 and earlier contain an authorization bypass vulnerability that allows authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials can exploit misconfigured access controls to read confidential data, though they cannot modify or delete information. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24982 MEDIUM This Month

Brainstorm Force Spectra ultimate-addons-for-gutenberg is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24967 MEDIUM This Month

Amelia booking plugin versions up to 1.2.38 contain an authorization bypass that allows unauthenticated remote attackers to access sensitive information through improperly configured access control mechanisms. The vulnerability requires no user interaction and can be exploited over the network to disclose confidential data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24965 MEDIUM This Month

Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24957 MEDIUM This Month

Unauthorized information disclosure in WordPress Strong Testimonials plugin version 3.2.20 and earlier stems from improper access control validation, allowing authenticated users to access sensitive data they should not have permission to view. An attacker with low-privilege WordPress account credentials can exploit this vulnerability to read confidential information without requiring user interaction. Currently, no patch is available for this vulnerability.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24951 MEDIUM This Month

Insufficient access control checks in myCred plugin version 2.9.7.3 and earlier allow authenticated users to modify data they should not have permission to change. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized modifications, though the vulnerability requires legitimate user access and has no currently available patch.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24947 MEDIUM This Month

LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24945 MEDIUM This Month

Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24940 MEDIUM This Month

Insufficient access control in Themefic Travelfic Toolkit version 1.3.3 and earlier allows authenticated users to modify data due to improperly configured authorization checks. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24939 MEDIUM This Month

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67848 PHP HIGH PATCH This Week

Moodle contains a vulnerability that allows attackers to authenticate through the Learning Tools Interoperability (LTI) Provider (CVSS 8.1).

Moodle Authentication Bypass Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24935 MEDIUM This Month

Data Master ADM 4.1.0-4.3.3 and 5.0.0-5.1.1 are vulnerable to man-in-the-middle attacks due to improper SSL/TLS certificate validation in the NAT traversal module, allowing attackers to intercept tunnel establishment and redirect connections to the signaling server. An attacker exploiting this can proxy device service communications, disrupt availability, or position themselves for follow-on attacks, though further authentication is required to access actual device services. No patch is currently available.

Authentication Bypass Data Master
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-24934 LOW Monitor

The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. [CVSS 3.7 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-24933 MEDIUM This Month

Data Master versions 4.1.0-4.3.3 and 5.0.0-5.1.1 fail to validate SSL/TLS certificates during HTTPS communication, enabling unauthenticated attackers to conduct man-in-the-middle attacks and intercept sensitive data including emails, password hashes, and device serial numbers. The vulnerability affects API communication with no available patch, leaving affected installations at persistent risk of credential and information disclosure.

Authentication Bypass Data Master
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25137 CRITICAL Act Now

NixOS Odoo package from 21.11 to before 25.11 publicly exposes the database manager interface without authentication, enabling full database control.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-69207 PyPI MEDIUM POC PATCH This Month

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...

Authentication Bypass AI / ML Khoj
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2022-50981 CRITICAL Act Now

No password by default on industrial device — ships without any authentication, and setting a password is not enforced. Unauthenticated remote full access.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2022-50980 MEDIUM This Month

An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2022-50979 MEDIUM This Month

An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2022-50978 HIGH This Week

An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2022-50977 HIGH This Week

An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-4147 MEDIUM POC This Month

Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).

Authentication Bypass AI / ML Lunary
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1117 PyPI HIGH PATCH This Week

Unauthenticated clients can invoke resource-intensive Socket.IO events in lollms 5.9.0 due to missing authentication checks in the event handler registration, allowing attackers to trigger denial of service and state corruption. The vulnerability is compounded by improper use of global state flags in multi-client environments, enabling attackers to interfere with legitimate client operations and manipulate server state through race conditions. No patch is currently available for this high-severity flaw affecting the AI/ML framework.

Denial Of Service Authentication Bypass
NVD GitHub
CVSS 3.0
8.2
EPSS
0.0%
CVE-2026-22888 HIGH This Week

Garoon contains a vulnerability that allows attackers to perform unauthorized alteration of portal settings, potentially blocking access to the p (CVSS 7.5).

Authentication Bypass Garoon
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25202 CRITICAL Act Now

Hardcoded database credentials in Samsung MagicInfo9 Server allow direct database access and manipulation.

Authentication Bypass Magicinfo 9 Server
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1743 LOW POC Monitor

A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. [CVSS 3.1 LOW]

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-1742 MEDIUM This Month

The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.

File Upload Authentication Bypass A8004t Firmware
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-1740 HIGH This Week

EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface that allows remote attackers to circumvent session validation without credentials. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Successful exploitation grants attackers unauthorized access with potential to read sensitive data, modify configurations, and disrupt service availability.

Authentication Bypass A8004t Firmware
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-13348 This Week

An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2020-37056 CRITICAL POC Act Now

IP spoofing vulnerability in Crystal Shard http-protection 0.2.0 allows attackers to bypass protection middleware by manipulating request headers. PoC available.

Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-62349 PyPI MEDIUM PATCH This Month

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. [CVSS 6.2 MEDIUM]

Authentication Bypass Suse
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-22624 MEDIUM This Month

Authenticated users of HIKSEMI NAS products can access and modify file resources belonging to other users due to insufficient access control checks. This allows any logged-in attacker to manipulate arbitrary files across user accounts without authorization, though a valid account is required to exploit the vulnerability. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24728 This Week

The /servlet/baServer3 endpoint of Interinfo DreamMaker versions up to 2025 is affected by missing authentication for critical function.

Authentication Bypass
NVD
EPSS
0.3%
CVE-2025-15322 MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Tanium Server. [CVSS 4.3 MEDIUM]

Authentication Bypass Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15288 LOW Monitor

Tanium addressed an improper access controls vulnerability in Interact. [CVSS 3.1 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-1610 HIGH This Week

Ax12 Pro Firmware versions up to 16.03.49.24_cn are affected by use of hard-coded password (CVSS 8.1).

Authentication Bypass Ax12 Pro Firmware
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-1453 CRITICAL Act Now

Missing authentication in KiloView Encoder Series allows unauthenticated attackers to create or delete admin accounts on video encoding equipment.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37008 HIGH POC This Week

EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37002 CRITICAL POC Act Now

Authentication bypass leading to command execution in Ajenti 2.1.36. Despite requiring login, the authentication can be bypassed for subsequent command execution. EPSS 0.64% with PoC available.

Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2020-36999 HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-7013 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Authentication Bypass Menu Panel
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-7016 HIGH This Week

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. [CVSS 8.0 HIGH]

Authentication Bypass Qr Menu
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-53869 LOW Monitor

Multiple MFPs provided by Brother Industries, Ltd. do not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. [CVSS 3.7 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-24835 HIGH POC PATCH This Week

Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.

Kubernetes Authentication Bypass Podman Desktop Redhat
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-24768 npm MEDIUM POC PATCH This Month

NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.

Privilege Escalation Authentication Bypass Open Redirect Nocodb
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24742 MEDIUM This Month

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow non-admin moderators to access restricted staff action logs containing sensitive data such as webhook secrets, API keys, private messages, and restricted category information. An attacker with moderator privileges could extract confidential information and use leaked webhook credentials to spoof events to integrated services. No patch is currently available for this access control bypass.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69218 MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68933 MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 6.9 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.9
EPSS
0.0%
CVE-2025-68666 MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-46691 HIGH This Week

Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. [CVSS 7.8 HIGH]

Authentication Bypass Dell Premiercolor
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-13986 PHP MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]

Drupal Authentication Bypass Disable Login Page
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-13980 PHP MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]

Drupal Authentication Bypass Ckeditor 5 Premium Features
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24775 MEDIUM PATCH This Month

Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-24772 HIGH This Week

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-0750 HIGH POC This Week

Commerce Paybox versions up to 7.X-1.5 are affected by improper verification of cryptographic signature (CVSS 7.5).

Drupal Authentication Bypass Commerce Paybox
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68660 MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Authentication Bypass AI / ML Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68479 HIGH This Week

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. [CVSS 7.1 HIGH]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-36968 MEDIUM POC This Month

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2020-36963 HIGH POC This Week

Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-0844 HIGH This Week

Simple User Registration (WordPress plugin) versions up to 6.7 are affected by improper access control (CVSS 8.8).

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14386 HIGH This Week

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-41351 Monitor

A vulnerability allows a padding oracle attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2026-1389 MEDIUM This Month

Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-40554 CRITICAL Act Now

SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated admin access.

Authentication Bypass Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
7.8%
CVE-2025-40552 CRITICAL Act Now

SolarWinds Web Help Desk has an authentication bypass vulnerability (EPSS 9.9%) that allows unauthenticated attackers to gain admin access to the helpdesk system.

Authentication Bypass Web Help Desk
NVD GitHub
CVSS 3.1
9.8
EPSS
9.9%
CVE-2025-40537 HIGH This Week

SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. [CVSS 7.5 HIGH]

Authentication Bypass Web Help Desk
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-40536 HIGH KEV THREAT Act Now

SolarWinds Web Help Desk contains a security control bypass vulnerability (CVE-2025-40536) that allows unauthenticated attackers to access restricted functionality. With EPSS 69% and KEV listing, this CVSS 8.1 vulnerability is particularly concerning given SolarWinds' history of being targeted in supply chain attacks and the sensitive IT service data typically stored in help desk systems.

Authentication Bypass Web Help Desk
NVD
CVSS 3.1
8.1
EPSS
69.1%
Threat
5.2
CVE-2026-1298 MEDIUM This Month

The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1514 MEDIUM This Month

The 2100 Technology Document Management System contains an authorization bypass that permits authenticated users to access and read all official documents by manipulating front-end code. An attacker with valid credentials can exploit this vulnerability to disclose sensitive documents without requiring additional privileges or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24840 HIGH POC PATCH This Week

Dokploy versions before 0.26.6 contain hardcoded database credentials in the installation script, causing nearly all deployments to share identical credentials that can be obtained from the publicly available install.sh file. An authenticated attacker on the network can leverage these credentials to access the database, potentially achieving high-impact compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability and a patch is available in version 0.26.6 and later.

Authentication Bypass Dokploy
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-24134 npm MEDIUM PATCH This Month

StudioCMS (a headless content management system) versions up to 0.2.0 are affected by authorization bypass through user-controlled key (CVSS 6.5).

Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67645 HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. [CVSS 8.8 HIGH]

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-21589 CRITICAL Act Now

Authentication bypass in Juniper Networks Session Smart Router and Conductor allows network-based attackers to gain administrative control without credentials. The vulnerability affects multiple versions of the routing platform used in enterprise SD-WAN deployments.

Juniper Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Mizan Themes Mizan Demo Importer mizan-demo-importer is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Atarim visual collaboration plugin versions 4.3.1 and earlier contain an access control bypass that allows unauthenticated remote attackers to modify data through improperly configured security levels. The vulnerability affects all installations of the affected plugin and requires no user interaction to exploit. No patch is currently available for this authorization flaw.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Nelio Popups versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows authenticated users to modify popup content without proper access controls. An attacker with valid credentials can exploit misconfigured access control levels to make unauthorized changes to popups. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

ILLID Share This Image plugin version 2.09 and earlier contains an access control bypass that allows unauthenticated remote attackers to modify content through improperly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network to alter shared images or related data. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WPElemento Importer through version 0.6.4 contains a missing authorization flaw that allows authenticated users to modify data due to improper access control enforcement. An attacker with valid credentials can exploit this vulnerability to perform unauthorized modifications without requiring user interaction. No patch is currently available for this issue.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Iulia Cazan Latest Post Shortcode latest-post-shortcode is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

HT Plugins Extensions For CF7 extensions-for-cf7 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Brecht Visual Link Preview versions 2.2.9 and earlier contain an authorization bypass vulnerability that allows authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials can exploit misconfigured access controls to read confidential data, though they cannot modify or delete information. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Brainstorm Force Spectra ultimate-addons-for-gutenberg is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Amelia booking plugin versions up to 1.2.38 contain an authorization bypass that allows unauthenticated remote attackers to access sensitive information through improperly configured access control mechanisms. The vulnerability requires no user interaction and can be exploited over the network to disclose confidential data. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized information disclosure in WordPress Strong Testimonials plugin version 3.2.20 and earlier stems from improper access control validation, allowing authenticated users to access sensitive data they should not have permission to view. An attacker with low-privilege WordPress account credentials can exploit this vulnerability to read confidential information without requiring user interaction. Currently, no patch is available for this vulnerability.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient access control checks in myCred plugin version 2.9.7.3 and earlier allow authenticated users to modify data they should not have permission to change. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized modifications, though the vulnerability requires legitimate user access and has no currently available patch.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient access control in Themefic Travelfic Toolkit version 1.3.3 and earlier allows authenticated users to modify data due to improperly configured authorization checks. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Moodle contains a vulnerability that allows attackers to authenticate through the Learning Tools Interoperability (LTI) Provider (CVSS 8.1).

Moodle Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 5.6
MEDIUM This Month

Data Master ADM 4.1.0-4.3.3 and 5.0.0-5.1.1 are vulnerable to man-in-the-middle attacks due to improper SSL/TLS certificate validation in the NAT traversal module, allowing attackers to intercept tunnel establishment and redirect connections to the signaling server. An attacker exploiting this can proxy device service communications, disrupt availability, or position themselves for follow-on attacks, though further authentication is required to access actual device services. No patch is currently available.

Authentication Bypass Data Master
NVD
EPSS 0% CVSS 3.7
LOW Monitor

The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. [CVSS 3.7 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Data Master versions 4.1.0-4.3.3 and 5.0.0-5.1.1 fail to validate SSL/TLS certificates during HTTPS communication, enabling unauthenticated attackers to conduct man-in-the-middle attacks and intercept sensitive data including emails, password hashes, and device serial numbers. The vulnerability affects API communication with no available patch, leaving affected installations at persistent risk of credential and information disclosure.

Authentication Bypass Data Master
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

NixOS Odoo package from 21.11 to before 25.11 publicly exposes the database manager interface without authentication, enabling full database control.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...

Authentication Bypass AI / ML Khoj
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

No password by default on an industrial device: it ships without any authentication, and setting a password is not enforced, allowing unauthenticated remote full access.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).

Authentication Bypass AI / ML Lunary
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated clients can invoke resource-intensive Socket.IO events in lollms 5.9.0 due to missing authentication checks in the event handler registration, allowing attackers to trigger denial of service and state corruption. The vulnerability is compounded by improper use of global state flags in multi-client environments, enabling attackers to interfere with legitimate client operations and manipulate server state through race conditions. No patch is currently available for this high-severity flaw affecting the AI/ML framework.

Denial Of Service Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Garoon contains a vulnerability that allows attackers to perform unauthorized alteration of portal settings, potentially blocking access to the p (CVSS 7.5).

Authentication Bypass Garoon
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded database credentials in Samsung MagicInfo9 Server allow direct database access and manipulation.

Authentication Bypass Magicinfo 9 Server
NVD
EPSS 0% CVSS 3.1
LOW POC Monitor

A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. [CVSS 3.1 LOW]

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.

File Upload Authentication Bypass A8004t Firmware
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface that allows remote attackers to circumvent session validation without credentials. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Successful exploitation grants attackers unauthorized access with potential to read sensitive data, modify configurations, and disrupt service availability.

Authentication Bypass A8004t Firmware
NVD GitHub VulDB
EPSS 0%
This Week

An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

IP spoofing vulnerability in Crystal Shard http-protection 0.2.0 allows attackers to bypass protection middleware by manipulating request headers. PoC available.

Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. [CVSS 6.2 MEDIUM]

Authentication Bypass Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users of HIKSEMI NAS products can access and modify file resources belonging to other users due to insufficient access control checks. This allows any logged-in attacker to manipulate arbitrary files across user accounts without authorization, though a valid account is required to exploit the vulnerability. No patch is currently available.

Authentication Bypass
NVD
EPSS 0%
This Week

The /servlet/baServer3 endpoint of Interinfo DreamMaker versions up to 2025 is affected by missing authentication for a critical function.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Tanium Server. [CVSS 4.3 MEDIUM]

Authentication Bypass Server
NVD
EPSS 0% CVSS 3.1
LOW Monitor

Tanium addressed an improper access controls vulnerability in Interact. [CVSS 3.1 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Ax12 Pro Firmware versions up to 16.03.49.24_cn are affected by use of a hard-coded password (CVSS 8.1).

Authentication Bypass Ax12 Pro Firmware
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing authentication in KiloView Encoder Series allows unauthenticated attackers to create or delete admin accounts on video encoding equipment.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass leading to command execution in Ajenti 2.1.36. Despite requiring login, the authentication can be bypassed for subsequent command execution. EPSS 0.64% with PoC available.

Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.7
MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Authentication Bypass Menu Panel
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. [CVSS 8.0 HIGH]

Authentication Bypass Qr Menu
NVD
EPSS 0% CVSS 3.7
LOW Monitor

Multiple MFPs provided by Brother Industries, Ltd. do not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. [CVSS 3.7 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.

Kubernetes Authentication Bypass Podman Desktop +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.

Privilege Escalation Authentication Bypass Open Redirect +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow non-admin moderators to access restricted staff action logs containing sensitive data such as webhook secrets, API keys, private messages, and restricted category information. An attacker with moderator privileges could extract confidential information and use leaked webhook credentials to spoof events to integrated services. No patch is currently available for this access control bypass.

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 6.9 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. [CVSS 7.8 HIGH]

Authentication Bypass Dell Premiercolor
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]

Drupal Authentication Bypass Disable Login Page
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]

Drupal Authentication Bypass Ckeditor 5 Premium Features
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 8.9
HIGH This Week

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Commerce Paybox versions up to 7.X-1.5 are affected by improper verification of cryptographic signature (CVSS 7.5).

Drupal Authentication Bypass Commerce Paybox
NVD HeroDevs
EPSS 0% CVSS 5.4
MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Authentication Bypass AI / ML Discourse
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. [CVSS 7.1 HIGH]

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

Simple User Registration (WordPress plugin) versions up to 6.7 are affected by improper access control (CVSS 8.8).

WordPress Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

WordPress Authentication Bypass PHP
NVD
EPSS 0%
Monitor

A vulnerability in the Funambol v30.0.0.20 cloud server allows a padding oracle attack to be performed. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.

WordPress Authentication Bypass
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated admin access.

Authentication Bypass Web Help Desk
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

SolarWinds Web Help Desk has an authentication bypass vulnerability (EPSS 9.9%) that allows unauthenticated attackers to gain admin access to the helpdesk system.

Authentication Bypass Web Help Desk
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. [CVSS 7.5 HIGH]

Authentication Bypass Web Help Desk
NVD
EPSS 69% 5.2 CVSS 8.1
HIGH KEV THREAT Act Now

SolarWinds Web Help Desk contains a security control bypass vulnerability (CVE-2025-40536) that allows unauthenticated attackers to access restricted functionality. With EPSS 69% and KEV listing, this CVSS 8.1 vulnerability is particularly concerning given SolarWinds' history of being targeted in supply chain attacks and the sensitive IT service data typically stored in help desk systems.

Authentication Bypass Web Help Desk
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The 2100 Technology Document Management System contains an authorization bypass that permits authenticated users to access and read all official documents by manipulating front-end code. An attacker with valid credentials can exploit this vulnerability to disclose sensitive documents without requiring additional privileges or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
Page 25 of 86