Skip to main content

Authentication Bypass

31263 CVEs technique

Monthly

CVE-2026-45588 HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Windows Secure Boot enables a high-privileged local attacker to circumvent boot-time integrity protections, undermining the chain of trust that prevents unauthorized firmware and bootloader code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 rating driven by scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Because Secure Boot is the foundation for downstream protections like BitLocker, Virtualization-Based Security, and Measured Boot, bypass enables persistent pre-OS implants that survive reimaging.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.9
EPSS
0.1%
CVE-2026-45503 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).

Authentication Bypass Microsoft SSRF Exchange Server Exchange Server Subscription Edition
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-45491 NuGet MEDIUM POC PATCH GHSA This Month

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthenticated attacker to redirect file operations to unintended targets, achieving high-integrity impact without requiring elevated privileges. The vulnerability stems from improper link resolution (CWE-59) before file access, enabling unauthorized modification of files the attacker would otherwise lack write access to. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) make exploitation straightforward for any actor with local access.

Authentication Bypass Net
NVD VulDB GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-45490 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft .NET allows an authenticated low-privileged user to elevate to higher privileges through an improper authorization flaw (CWE-285). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Tagged as an Authentication Bypass, it requires an existing foothold on the host but no user interaction once that foothold is established.

Authentication Bypass Net
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45486 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.

Microsoft Authentication Bypass Use After Free Memory Corruption 365 Apps +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45471 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.

Authentication Bypass Microsoft 365 Apps Microsoft 365 Office 2019 +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45459 LOW PATCH Exploit Unlikely Monitor

Excel across multiple Microsoft Office product lines fails to properly enforce an internal protection mechanism, enabling a local attacker to bypass a security feature and access limited confidential data within the process context. Affected builds span Microsoft 365 Apps for Enterprise, Office LTSC 2024, and Mac variants of Office. With a CVSS score of 3.3, this is a low-severity finding - no public exploit has been identified at time of analysis, and exploitation requires both local system access and deliberate user interaction.

Authentication Bypass Microsoft 365 Apps Microsoft 365 Office 2021 +1
NVD VulDB
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-45458 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass Use After Free Memory Corruption 365 Apps +6
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-45456 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Authentication Bypass Memory Corruption 365 Apps Microsoft 365 +5
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-44823 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. With a base score of 7.8 and full confidentiality, integrity, and availability impact, successful exploitation effectively gives the attacker the victim's privileges on the host.

Authentication Bypass Microsoft 365 Apps Excel Microsoft 365 +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-44818 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel can be achieved by an unauthenticated attacker who tricks a user into opening a malicious spreadsheet that triggers an integer underflow condition. The flaw carries a CVSS 7.0 rating reflecting high attack complexity and required user interaction, and no public exploit identified at time of analysis. There is a notable mismatch between the description (integer underflow) and the assigned CWE-362 (race condition), which warrants verification with Microsoft's advisory.

Authentication Bypass Microsoft Race Condition 365 Apps Excel +5
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-44817 HIGH PATCH This Week

Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. At the time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Authentication Bypass Memory Corruption 365 Apps Excel +5
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-44810 HIGH PATCH NEWS Exploit Unlikely This Week

Local privilege escalation in Windows Cryptographic Services on Windows 11 (23H2 through 26H1) and Windows Server 2022/2025 allows a low-privileged authenticated user to elevate to higher privileges through an improper authentication flaw (CWE-287). Microsoft has released patches via MSRC, and while no public exploit identified at time of analysis, CISA SSVC rates the technical impact as total, meaning successful exploitation yields full system compromise. EPSS probability is very low (0.06%), reflecting the local attack vector and absence of known exploitation activity.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-42981 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.

Authentication Bypass Microsoft Integer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42974 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.

Authentication Bypass Microsoft Integer Overflow Windows 11 23h2 Windows 11 24h2 +4
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42902 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft PowerToys allows an authenticated low-privileged user on a Windows system with PowerToys installed to elevate to higher privileges by abusing an improper authorization check (CWE-285). The flaw requires existing local access and low-level credentials, with no public exploit identified at time of analysis and no CISA KEV listing. Successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Authentication Bypass Microsoft Powertoys
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-42829 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Administrator Protection allows an authorized attacker with low-privilege access to bypass a security feature on affected Windows systems. The flaw stems from improper access control (CWE-284) in the Administrator Protection mechanism, and while no public exploit identified at time of analysis, the high CVSS 7.8 reflects the meaningful impact on confidentiality, integrity, and availability once the bypass is achieved. The issue was reported by Microsoft (secure@microsoft.com) and is tracked through MSRC rather than CISA KEV.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-41092 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Kinect allows an authenticated low-privileged user to elevate to higher privileges due to improper access control (CWE-284). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected host.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-40376 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-49956 HIGH PATCH This Week

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and transcript message content from other users' profiles by querying the sessions search endpoint, which fails to scope results to the caller's active profile. The flaw was reported by VulnCheck and a vendor patch is available; no public exploit identified at time of analysis, but the issue is trivial to trigger for any logged-in account.

Authentication Bypass Hermes Webui
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-49848 MEDIUM PATCH This Month

mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.

Authentication Bypass Freeswitch
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49843 MEDIUM PATCH This Month

Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Authentication Bypass Freeswitch
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-9212 MEDIUM PATCH This Month

Insufficient authentication (CWE-306) and input validation weaknesses across more than 25 NETGEAR router and mesh system models allow an adjacent-network attacker with low-level privileges to execute arbitrary commands and read sensitive configuration data, or alter certain device settings. The CVSS 4.0 vector confirms the attack is limited to adjacent network segments (AV:A) and requires low privileges (PR:L), with high confidentiality impact on both the vulnerable component and subsequent systems (VC:H, SC:H). No public exploit has been identified at time of analysis, and NETGEAR has self-reported the issue with patches available for all listed product lines.

Authentication Bypass Netgear Lbr1020 Lbr20 R6700Ax +22
NVD VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-0415 MEDIUM PATCH This Month

Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended privilege scope. Affected are all firmware versions prior to V7.2.8.5 on most Orbi models and prior to V9.12.4.9 on the RBE97x series. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; NETGEAR self-reported and has released patched firmware addressing the flaw.

Authentication Bypass Netgear Rbe97X Rbr750 Rbr840 +10
NVD VulDB
CVSS 4.0
4.3
EPSS
0.1%
CVE-2026-9210 MEDIUM PATCH This Month

Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local network-adjacent modification of router software and functionality. The CVSS 4.0 vector assigns PR:N (no privileges required) and AV:A (adjacent network), yet the CVE description scopes the vulnerability to 'authenticated administrators' - the 'Authentication Bypass' tag supplied by NETGEAR suggests the input validation flaw may itself circumvent authentication controls, reconciling this apparent conflict. Integrity impact is rated High (VI:H) against the vulnerable system, meaning successful exploitation allows unauthorized firmware or configuration modification. No public exploit is identified at time of analysis (E:U), and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Netgear Ex3700 Ex3800 Ex6120 +28
NVD
CVSS 4.0
4.9
EPSS
0.1%
CVE-2026-9211 MEDIUM PATCH This Month

Unauthenticated local-network control of NETGEAR CAX30, RAX30, RAX5, and RAXE300 routers is possible through an authentication bypass rooted in improper input validation (CWE-20). An attacker already present on the local network segment - such as a guest Wi-Fi user, a compromised IoT device, or a rogue actor on the same LAN - can circumvent authentication and gain full administrative control, enabling arbitrary configuration changes, traffic interception, or persistent backdoor installation. No public exploit code has been identified at time of analysis, and NETGEAR has released firmware patches for all four affected product lines.

Authentication Bypass Cax30 Rax30 Rax5 Raxe300
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-0412 MEDIUM This Month

Insufficient input validation in the NETGEAR JR6150 AC750 router (firmware ≤1.0.1.26) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended authorization scope. The device reached End-of-Support in 2018 and will receive no security patches. No public exploit code exists and no active exploitation has been identified; however, the device's permanent unpatched status makes risk acceptance or replacement the only long-term posture. The vulnerability was identified through firmware emulation and has not been verified on production hardware.

Authentication Bypass Netgear Jr6150
NVD VulDB
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-0410 LOW PATCH Monitor

Integrity controls on multiple NETGEAR router firmware lines can be subverted by authenticated administrators on the local network through improper input validation (CWE-20), enabling privilege escalation beyond the intended administrative authorization boundary and permitting unauthorized modifications to router software and functionality. Twenty distinct NETGEAR SKUs across the R7000, RAX, RAXE, and XR1000 series are confirmed affected per ENISA EUVD-2026-35452, each with specific patched firmware thresholds now released by the vendor. No public exploit exists at time of analysis (CVSS E:U), and multiple CVSS constraints - adjacent-only attack vector, high complexity, and high privilege requirement - substantially limit the realistic threat population.

Authentication Bypass R7000 Rax20 Rax35V2 Rax41 +16
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-49948 HIGH POC PATCH This Week

Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.

Authentication Bypass PostgreSQL Mem0
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-49938 MEDIUM This Month

Improper access control in Fortinet FortiPortal versions 7.0.x (all), 7.2.0-7.2.8, and 7.4.0-7.4.7 enables an authenticated low-privilege attacker to bypass authorization controls and gain unauthorized read access to sensitive data. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates low-complexity network exploitation by any authenticated user, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis based on CISA KEV, though publicly available exploit code exists per the CVSS temporal E:P metric, and Fortinet has issued an official fix.

Fortinet Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-10523 CRITICAL POC NEWS Emergency

Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative control of the appliance. Publicly available exploit code exists (watchTowr Labs PoC chained with CVE-2026-10520 for RCE), though it is not yet listed in CISA KEV; EPSS sits at a modest 0.31% (54th percentile) despite the critical CVSS 9.8 rating.

Authentication Bypass Ivanti Sentry
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
Threat
4.2
CVE-2026-47901 MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-47352 PHP MEDIUM PATCH GHSA This Month

Improper authorization in TYPO3 CMS Backend API routes allows authenticated backend users to retrieve file metadata for files and folders outside their permitted file mounts or storages. Specifically, the ImageProcessController and LinkController endpoints failed to call checkActionPermission('read') before returning resource data, letting any backend-authenticated user enumerate file system structure beyond their assigned access scope. No active exploitation has been reported and no public exploit code has been identified at time of analysis, but the low-complexity network-accessible nature of the flaw makes it straightforward for any backend user to abuse.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47350 PHP MEDIUM PATCH GHSA This Month

Missing authorization in TYPO3 CMS's DataHandler allows authenticated backend users with low privileges to move content records across pages without holding edit permissions on the source page. The `moveRecord()` method in `DataHandler.php` validated destination-page access but omitted the symmetrical check on the source page, enabling unauthorized restructuring of the content hierarchy. Affected versions are 13.0.0-13.4.31 and 14.0.0-14.3.3; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47349 PHP MEDIUM POC PATCH GHSA This Month

Insufficient authorization in TYPO3 CMS's Recycler module allows authenticated backend users to restore soft-deleted records on pages or database tables they are not permitted to modify, resulting in unauthorized integrity impact across the content management system. Affected are TYPO3 CMS versions before 10.4.57 and multiple branches through 14.3.3, with fixes delivered via two upstream commits and documented under TYPO3-CORE-SA-2026-011. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is network-accessible and requires only low-privilege backend credentials.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47346 PHP HIGH PATCH GHSA This Week

Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-47343 PHP HIGH PATCH GHSA This Week

Authorization bypass in TYPO3 CMS allows non-privileged backend users with file mount access to perform write operations (move, delete, rename) on the root folders of their assigned file mounts, which were intended to be protected. The flaw affects TYPO3 versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2, with CVSS 4.0 score 7.2 (High). No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-11607 PHP HIGH POC PATCH GHSA This Week

Privilege escalation in TYPO3 CMS allows authenticated backend users with Form Framework access to execute arbitrary SQL by uploading malicious form definitions with non-standard file extensions, enabling creation of administrative backend accounts. The flaw stems from incomplete file-extension validation in FormPersistenceManager and affects every supported branch (10.4, 11.5, 12.4, 13.4, 14.3) below the fixed releases. No public exploit identified at time of analysis, but the upstream fix commits are public on GitHub.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-4058 MEDIUM This Month

Unauthorized subscription cancellation in weDevs User Frontend WordPress plugin (all versions through 4.3.2) allows any authenticated subscriber to cancel any other user's subscription pack, including administrators. The flaw stems from a missing capability check on the user_subscription_cancel() function, meaning low-privileged users can invoke privileged actions. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity and broad attacker pool (any registered subscriber) make this a realistic insider or account-takeover amplification risk.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46749 MEDIUM CISA This Month

Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.

Authentication Bypass Sinec Ins
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-25699 MEDIUM This Month

Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.

Authentication Bypass Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41986 LOW Monitor

File system logic bypass in Huawei HarmonyOS allows a physically present, unauthenticated attacker to circumvent file system control logic, resulting in limited availability impact on the affected device. CVSS scores this at 2.4 (Low), reflecting the mandatory physical access requirement and constrained availability-only impact with no confidentiality or integrity exposure. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-41985 MEDIUM This Month

Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-41984 MEDIUM This Month

Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.

Authentication Bypass
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-44083 HIGH PATCH This Week

Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-controlled keys (IDOR-class flaw) and gain unintended privileges on the photo management application. The QNAP-issued advisory QSA-26-35 confirms the issue and ships a fix in 2.9.1; no public exploit identified at time of analysis, and the flaw is not currently listed in CISA KEV.

Authentication Bypass Qumagie
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4986 MEDIUM PATCH This Month

WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.

Authentication Bypass WordPress
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26236 HIGH PATCH This Week

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks over the network without authentication. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no privileges required, though no public exploit identified at time of analysis and KEV listing is absent.

Authentication Bypass Qumagie
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41006 HIGH PATCH This Week

Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Hateoas
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41852 MEDIUM PATCH This Month

Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.

Authentication Bypass Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41847 MEDIUM PATCH This Month

Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Java
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41720 HIGH PATCH This Week

Authentication bypass in Spring LDAP's DirContextAuthenticationStrategy allows remote unauthenticated attackers to succeed at LDAP bind operations by supplying any non-empty username paired with an empty or null password, due to the framework failing to reject such anonymous-equivalent bind requests. Affected releases span Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3, putting Java applications that delegate authentication to these libraries at risk of impersonating arbitrary users. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Ldap
NVD HeroDevs VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-9185 HIGH This Week

Unauthenticated tenant data disclosure in the 6Storage Rentals WordPress plugin (versions up to and including 2.22.0) allows remote attackers to read and modify arbitrary tenant profile records - including names, emails, phone numbers, physical addresses, and SSNs - by enumerating numeric userId values. The flaw stems from AJAX handlers exposed via wp_ajax_nopriv_* hooks without ownership checks or nonce validation. No public exploit identified at time of analysis, but the bug is trivially scriptable and reported by Wordfence.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11621 LOW Monitor

Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.

Authentication Bypass File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11618 MEDIUM This Month

Unauthenticated remote access to the Source Connection Test endpoint in DTStack Taier up to 1.4.0 is possible because the `preHandle` method in `LoginInterceptor.java` does not invoke `tokenService.decryption(token)`, allowing any network-reachable caller to bypass authentication entirely. The same patch commit reveals that `ConnFactory.getSimpleConn()` also lacked JDBC URL sanitization, meaning an unauthenticated attacker could supply dangerous parameters such as `autoDeserialize` or `allowLoadLocalInfile` to a malicious MySQL-compatible server, elevating the real-world impact well above the assigned CVSS 5.5 Medium rating. Publicly available exploit code exists (CVSS E:P confirmed); no CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Java
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-44754 MEDIUM This Month

Unintended data disclosure in SAP's Operational Data Provisioning RFC (ODP-RFC) modules stems from missing caller identification controls that fail to restrict invocation to permitted SAP-internal applications. Highly privileged customer or third-party applications can invoke these internal RFC modules outside their intended usage context, exposing sensitive operational data across a Changed scope boundary (S:C). No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the High confidentiality impact combined with scope change warrants attention in SAP environments where ODP is exposed to external RFC consumers.

Authentication Bypass SAP
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-44751 HIGH This Week

Privilege escalation in SAP NetWeaver Application Server ABAP allows authenticated low-privilege users to invoke a report generation command that overwrites data belonging to other users, breaking tenant-level data integrity. The flaw stems from missing authorization checks (CWE-862) and carries a CVSS 7.1 rating with high integrity impact; no public exploit identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44750 MEDIUM This Month

Privilege escalation in SAP MDG's Review Match Groups Application exposes restricted actions to low-privileged authenticated users due to missing authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privileged account over the network with no additional interaction, enabling unauthorized data modification. Impact is scoped to low integrity degradation - confidentiality and availability are unaffected - making this a moderate business risk primarily for organizations where MDG data integrity is compliance-critical. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass SAP
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44748 CRITICAL NEWS Act Now

Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SAP Authentication Bypass Jwt Attack
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-11693 HIGH PATCH This Week

Site isolation bypass in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to escape cross-origin boundaries via a crafted HTML page. The flaw is rated High severity by Chromium and carries a CVSS score of 8.1, though EPSS is very low at 0.02% and no public exploit identified at time of analysis. This is a second-stage vulnerability requiring prior renderer compromise, typically chained with a separate RCE in the renderer sandbox.

Authentication Bypass Google Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11689 HIGH PATCH This Week

Site isolation bypass in Google Chrome's Passwords component prior to version 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to escape cross-origin boundaries via a crafted HTML page. The flaw is rated High severity by Chromium with a CVSS 8.1 score, but EPSS exploitation probability is very low (0.02%, 6th percentile) and no public exploit identified at time of analysis. The vendor has shipped a fix in the stable channel.

Google Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11658 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Extensions subsystem prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to defeat cross-origin security boundaries via a crafted HTML page requiring one user interaction. The root cause is CWE-20 (Improper Input Validation) in the Extensions layer, meaning the Extensions subsystem fails to adequately validate untrusted input before acting on it across site isolation boundaries. EPSS is low at 0.02% (6th percentile), no public exploit code or CISA KEV listing exists at time of analysis, and a vendor patch is confirmed at 149.0.7827.103.

Authentication Bypass Google Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11653 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome Extensions (versions prior to 149.0.7827.103) enables a remote attacker who has already compromised the renderer process to escape cross-origin content boundaries via a crafted HTML page. The vulnerability stems from improper input validation (CWE-20) in the Extensions subsystem, producing a high integrity impact (I:H) with no confidentiality or availability loss per the CVSS vector. No public exploit code exists and no active exploitation has been confirmed, with EPSS at 0.02% (6th percentile), consistent with a chained, high-complexity attack path.

Authentication Bypass Google Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47737 Ruby HIGH PATCH GHSA This Week

Source IP spoofing in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows remote attackers to overwrite REMOTE_ADDR by injecting a second PROXY protocol v1 header between keep-alive requests on a persistent connection. Only deployments that explicitly enable `set_remote_address proxy_protocol: :v1` behind a trusted proxy are affected, and no public exploit identified at time of analysis. The flaw undermines any application or middleware logic that relies on client IP for access control, rate limiting, or auditing.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39169 HIGH This Week

Unauthorized access in SEMCMS 5.0 allows remote attackers to reach the SEMCMS_copy.php endpoint without authentication, exposing sensitive functionality intended to be restricted. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis beyond a referenced gist. The flaw stems from improper access control (CWE-284) in a PHP-based content management system.

PHP Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-36727 CRITICAL Act Now

Authentication bypass in bookcars v8.3 lets remote unauthenticated attackers forge JWT tokens against the /api/social-sign-in endpoint to impersonate arbitrary users. The flaw carries a CVSS 9.1 rating with no public exploit identified at time of analysis, though a third-party vulnerability writeup is referenced on GitHub. EPSS is very low (0.02%, 7th percentile), suggesting limited mass-scanning interest despite the high severity.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-36723 HIGH This Week

Remote code execution in BookCars v8.3 is achievable by authenticated attackers who abuse a path traversal flaw in the /api/create-user endpoint to rename and relocate files from temporary storage to attacker-chosen filesystem paths. The flaw is tagged as Authentication Bypass, Path Traversal, and RCE, and a public write-up exists in a third-party GitHub repository, though it is not listed in CISA KEV and EPSS is low at 0.17% (38th percentile).

RCE Path Traversal Authentication Bypass N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-36721 CRITICAL Act Now

A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.

Authentication Bypass Jwt Attack
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36720 HIGH This Week

Privilege escalation in BookCars v8.3 allows authenticated low-privileged users to elevate themselves to administrator by modifying their own user type attribute, due to missing server-side authorization checks. The flaw is documented in a public GitHub vulnerability writeup but is not listed in CISA KEV, and no public weaponized exploit has been catalogued at time of analysis. CVSS 8.1 reflects high confidentiality and integrity impact achievable over the network with only a standard user account.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47726 Go HIGH PATCH GHSA This Week

Information disclosure in nebula-mesh through v0.3.1 allows any holder of an operator API key to read the server-wide audit log via GET /api/v1/audit-log, exposing cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entries. The handleGetAuditLog endpoint enforces only bearer authentication with no admin-role check, so a low-privilege tenant can enumerate staffing patterns and high-value targets. Publicly available exploit code exists in the form of a one-line curl reproducer published in the GHSA advisory; no public exploit identified at time of analysis as actively weaponized, and the issue is not on CISA KEV.

Authentication Bypass Google
NVD GitHub
EPSS
0.0%
CVE-2026-47724 Go CRITICAL PATCH GHSA Act Now

Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-47721 npm MEDIUM GHSA This Month

Privilege escalation in FUXA's Scheduler API allows authenticated operator-level users to create or modify scheduled actions restricted to administrators, reaching PLC write and server-side script execution surfaces in SCADA deployments. The vulnerability (CWE-862) exists because POST /api/scheduler and DELETE /api/scheduler lacked the authJwt.haveAdminPermission() check applied to every other privileged write endpoint. Uniquely dangerous in OT environments: the scheduled-action model means an attacker does not need to maintain an active session - a repeating schedule persistently re-applies unauthorized setpoint or script changes even after manual admin remediation.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-47720 npm MEDIUM GHSA This Month

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Authentication Bypass SQLi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-47691 Maven CRITICAL PATCH GHSA Act Now

DNS cache poisoning in Netty's netty-resolver-dns library (versions prior to 4.1.135.Final and 4.2.0.Final through 4.2.14.Final) allows an attacker who controls an authoritative name server for any subdomain to inject forged NS and A records for parent zones such as .co.uk into the resolver's authoritativeDnsServerCache. The bailiwick check in DnsResolveContext.AuthoritativeNameServerList only blocks records targeting the root zone, so any Java application embedding Netty's resolver can be steered to attacker-controlled name servers for unrelated domains. EPSS is only 0.01% and no public exploit identified at time of analysis, but the SSVC technical impact is rated total.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-45674 Maven CRITICAL PATCH GHSA Act Now

DNS cache poisoning in Netty's netty-resolver-dns component (versions before 4.1.135.Final and 4.2.x before 4.2.15.Final) lets remote attackers inject forged CNAME records into the resolver cache by exploiting missing bailiwick (origin) validation in DnsResolveContext#buildAliasMap. Any JVM application relying on Netty for asynchronous DNS resolution may be redirected to attacker-controlled hosts, enabling man-in-the-middle on subsequent traffic. No public exploit identified at time of analysis, EPSS is 0.01%, and the issue is not on the CISA KEV list, but CVSS rates it 10.0 due to the scope-changing integrity/confidentiality impact.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-49141 MEDIUM PATCH This Month

Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Wacrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-44249 Maven HIGH POC PATCH GHSA This Week

IPv6 access control bypass in Netty's netty-handler component (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote attackers to circumvent IpSubnetFilter restrictions due to a faulty bitwise masking operation in IpSubnetFilterRule.compareTo(). Because the comparator ANDs the incoming IP against the networkAddress instead of the subnetMask, valid public IPv6 addresses outside the configured allowlist/blocklist can pass filter checks. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-10787 MEDIUM This Month

Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.

Authentication Bypass Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11552 MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-25555 CRITICAL POC Act Now

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.

Authentication Bypass Openbullet2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-11533 LOW POC Monitor

Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the `del` parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. No public exploit identified at time of analysis via CISA KEV, though publicly available exploit code exists per the referenced GitHub issue disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-39910 CRITICAL PATCH HOSTED Monitor

Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.

Authentication Bypass Iaas Api
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-11532 LOW POC Monitor

Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41448 CRITICAL PATCH Act Now

Authentication bypass in AdGuard Home prior to v0.107.77 allows unauthenticated remote attackers to gain full admin access when the binary is launched with the --glinet flag, by injecting a path traversal sequence into the Admin-Token cookie. The flaw lives in the authglinet middleware, which concatenates the cookie value into a file path without sanitization, letting attackers redirect token reads to arbitrary files. No public exploit identified at time of analysis, but the vendor advisory and a community-disclosed root cause make weaponization straightforward.

Authentication Bypass Path Traversal Adguardhome
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-48507 PHP HIGH POC PATCH GHSA This Week

Privilege escalation via authorization bypass in Snipe-IT versions prior to 8.6.0 allows any authenticated user holding only the granular `users.edit` permission to disable administrator and superuser accounts through the bulk-edit endpoint, effectively locking all admins out of the instance. By toggling the `activated` and `ldap_import` flags on admin targets, a low-privileged actor denies admins both interactive login and password-reset recovery. No public exploit identified at time of analysis, but the upstream fix and detailed advisory disclose the exact attack surface.

Authentication Bypass Snipe It
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46441 npm HIGH PATCH GHSA This Week

Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-46657 HIGH PATCH This Week

Authentication bypass in Bludit CMS versions prior to 3.22.0 allows deactivated user accounts to retain authenticated access through persistent 'Remember Me' cookies, because the disable-account workflow fails to invalidate tokenAuth and tokenRemember values stored in the JSON database. Any user who previously logged in with the persistent session option can continue to act with their original privileges even after an administrator disables them. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Bludit
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-46656 HIGH PATCH This Week

Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. No public exploit identified at time of analysis, though the fix commit on GitHub publicly discloses the exact root cause.

Authentication Bypass Bludit
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11521 LOW POC Monitor

Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.

Authentication Bypass Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11519 LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11515 MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 7.9
HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Windows Secure Boot enables a high-privileged local attacker to circumvent boot-time integrity protections, undermining the chain of trust that prevents unauthorized firmware and bootloader code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 rating driven by scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Because Secure Boot is the foundation for downstream protections like BitLocker, Virtualization-Based Security, and Measured Boot, bypass enables persistent pre-OS implants that survive reimaging.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).

Authentication Bypass Microsoft SSRF +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthenticated attacker to redirect file operations to unintended targets, achieving high-integrity impact without requiring elevated privileges. The vulnerability stems from improper link resolution (CWE-59) before file access, enabling unauthorized modification of files the attacker would otherwise lack write access to. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) make exploitation straightforward for any actor with local access.

Authentication Bypass Net
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft .NET allows an authenticated low-privileged user to elevate to higher privileges through an improper authorization flaw (CWE-285). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Tagged as an Authentication Bypass, it requires an existing foothold on the host but no user interaction once that foothold is established.

Authentication Bypass Net
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.

Microsoft Authentication Bypass Use After Free +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.

Authentication Bypass Microsoft 365 Apps +6
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Exploit Unlikely Monitor

Excel across multiple Microsoft Office product lines fails to properly enforce an internal protection mechanism, enabling a local attacker to bypass a security feature and access limited confidential data within the process context. Affected builds span Microsoft 365 Apps for Enterprise, Office LTSC 2024, and Mac variants of Office. With a CVSS score of 3.3, this is a low-severity finding - no public exploit has been identified at time of analysis, and exploitation requires both local system access and deliberate user interaction.

Authentication Bypass Microsoft 365 Apps +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass Use After Free +8
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Authentication Bypass Memory Corruption +7
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. With a base score of 7.8 and full confidentiality, integrity, and availability impact, successful exploitation effectively gives the attacker the victim's privileges on the host.

Authentication Bypass Microsoft 365 Apps +6
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel can be achieved by an unauthenticated attacker who tricks a user into opening a malicious spreadsheet that triggers an integer underflow condition. The flaw carries a CVSS 7.0 rating reflecting high attack complexity and required user interaction, and no public exploit identified at time of analysis. There is a notable mismatch between the description (integer underflow) and the assigned CWE-362 (race condition), which warrants verification with Microsoft's advisory.

Authentication Bypass Microsoft Race Condition +7
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. At the time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Authentication Bypass Memory Corruption +7
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Cryptographic Services on Windows 11 (23H2 through 26H1) and Windows Server 2022/2025 allows a low-privileged authenticated user to elevate to higher privileges through an improper authentication flaw (CWE-287). Microsoft has released patches via MSRC, and while no public exploit identified at time of analysis, CISA SSVC rates the technical impact as total, meaning successful exploitation yields full system compromise. EPSS probability is very low (0.06%), reflecting the local attack vector and absence of known exploitation activity.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.

Authentication Bypass Microsoft Integer Overflow
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.

Authentication Bypass Microsoft Integer Overflow +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft PowerToys allows an authenticated low-privileged user on a Windows system with PowerToys installed to elevate to higher privileges by abusing an improper authorization check (CWE-285). The flaw requires existing local access and low-level credentials, with no public exploit identified at time of analysis and no CISA KEV listing. Successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Authentication Bypass Microsoft Powertoys
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Administrator Protection allows an authorized attacker with low-privilege access to bypass a security feature on affected Windows systems. The flaw stems from improper access control (CWE-284) in the Administrator Protection mechanism, and while no public exploit identified at time of analysis, the high CVSS 7.8 reflects the meaningful impact on confidentiality, integrity, and availability once the bypass is achieved. The issue was reported by Microsoft (secure@microsoft.com) and is tracked through MSRC rather than CISA KEV.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Kinect allows an authenticated low-privileged user to elevate to higher privileges due to improper access control (CWE-284). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected host.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and transcript message content from other users' profiles by querying the sessions search endpoint, which fails to scope results to the caller's active profile. The flaw was reported by VulnCheck and a vendor patch is available; no public exploit identified at time of analysis, but the issue is trivial to trigger for any logged-in account.

Authentication Bypass Hermes Webui
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.

Authentication Bypass Freeswitch
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Authentication Bypass Freeswitch
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Insufficient authentication (CWE-306) and input validation weaknesses across more than 25 NETGEAR router and mesh system models allow an adjacent-network attacker with low-level privileges to execute arbitrary commands and read sensitive configuration data, or alter certain device settings. The CVSS 4.0 vector confirms the attack is limited to adjacent network segments (AV:A) and requires low privileges (PR:L), with high confidentiality impact on both the vulnerable component and subsequent systems (VC:H, SC:H). No public exploit has been identified at time of analysis, and NETGEAR has self-reported the issue with patches available for all listed product lines.

Authentication Bypass Netgear Lbr1020 +24
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended privilege scope. Affected are all firmware versions prior to V7.2.8.5 on most Orbi models and prior to V9.12.4.9 on the RBE97x series. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; NETGEAR self-reported and has released patched firmware addressing the flaw.

Authentication Bypass Netgear Rbe97X +12
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local network-adjacent modification of router software and functionality. The CVSS 4.0 vector assigns PR:N (no privileges required) and AV:A (adjacent network), yet the CVE description scopes the vulnerability to 'authenticated administrators' - the 'Authentication Bypass' tag supplied by NETGEAR suggests the input validation flaw may itself circumvent authentication controls, reconciling this apparent conflict. Integrity impact is rated High (VI:H) against the vulnerable system, meaning successful exploitation allows unauthorized firmware or configuration modification. No public exploit is identified at time of analysis (E:U), and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Netgear Ex3700 +30
NVD
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Unauthenticated local-network control of NETGEAR CAX30, RAX30, RAX5, and RAXE300 routers is possible through an authentication bypass rooted in improper input validation (CWE-20). An attacker already present on the local network segment - such as a guest Wi-Fi user, a compromised IoT device, or a rogue actor on the same LAN - can circumvent authentication and gain full administrative control, enabling arbitrary configuration changes, traffic interception, or persistent backdoor installation. No public exploit code has been identified at time of analysis, and NETGEAR has released firmware patches for all four affected product lines.

Authentication Bypass Cax30 Rax30 +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient input validation in the NETGEAR JR6150 AC750 router (firmware ≤1.0.1.26) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended authorization scope. The device reached End-of-Support in 2018 and will receive no security patches. No public exploit code exists and no active exploitation has been identified; however, the device's permanent unpatched status makes risk acceptance or replacement the only long-term posture. The vulnerability was identified through firmware emulation and has not been verified on production hardware.

Authentication Bypass Netgear Jr6150
NVD VulDB
EPSS 0% CVSS 1.9
LOW PATCH Monitor

Integrity controls on multiple NETGEAR router firmware lines can be subverted by authenticated administrators on the local network through improper input validation (CWE-20), enabling privilege escalation beyond the intended administrative authorization boundary and permitting unauthorized modifications to router software and functionality. Twenty distinct NETGEAR SKUs across the R7000, RAX, RAXE, and XR1000 series are confirmed affected per ENISA EUVD-2026-35452, each with specific patched firmware thresholds now released by the vendor. No public exploit exists at time of analysis (CVSS E:U), and multiple CVSS constraints - adjacent-only attack vector, high complexity, and high privilege requirement - substantially limit the realistic threat population.

Authentication Bypass R7000 Rax20 +18
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.

Authentication Bypass PostgreSQL Mem0
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper access control in Fortinet FortiPortal versions 7.0.x (all), 7.2.0-7.2.8, and 7.4.0-7.4.7 enables an authenticated low-privilege attacker to bypass authorization controls and gain unauthorized read access to sensitive data. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates low-complexity network exploitation by any authenticated user, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis based on CISA KEV, though publicly available exploit code exists per the CVSS temporal E:P metric, and Fortinet has issued an official fix.

Fortinet Authentication Bypass
NVD VulDB
EPSS 0% 4.2 CVSS 9.8
CRITICAL POC Emergency

Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative control of the appliance. Publicly available exploit code exists (watchTowr Labs PoC chained with CVE-2026-10520 for RCE), though it is not yet listed in CISA KEV; EPSS sits at a modest 0.31% (54th percentile) despite the critical CVSS 9.8 rating.

Authentication Bypass Ivanti Sentry
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in TYPO3 CMS Backend API routes allows authenticated backend users to retrieve file metadata for files and folders outside their permitted file mounts or storages. Specifically, the ImageProcessController and LinkController endpoints failed to call checkActionPermission('read') before returning resource data, letting any backend-authenticated user enumerate file system structure beyond their assigned access scope. No active exploitation has been reported and no public exploit code has been identified at time of analysis, but the low-complexity network-accessible nature of the flaw makes it straightforward for any backend user to abuse.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in TYPO3 CMS's DataHandler allows authenticated backend users with low privileges to move content records across pages without holding edit permissions on the source page. The `moveRecord()` method in `DataHandler.php` validated destination-page access but omitted the symmetrical check on the source page, enabling unauthorized restructuring of the content hierarchy. Affected versions are 13.0.0-13.4.31 and 14.0.0-14.3.3; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Insufficient authorization in TYPO3 CMS's Recycler module allows authenticated backend users to restore soft-deleted records on pages or database tables they are not permitted to modify, resulting in unauthorized integrity impact across the content management system. Affected are TYPO3 CMS versions before 10.4.57 and multiple branches through 14.3.3, with fixes delivered via two upstream commits and documented under TYPO3-CORE-SA-2026-011. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is network-accessible and requires only low-privilege backend credentials.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authorization bypass in TYPO3 CMS allows non-privileged backend users with file mount access to perform write operations (move, delete, rename) on the root folders of their assigned file mounts, which were intended to be protected. The flaw affects TYPO3 versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2, with CVSS 4.0 score 7.2 (High). No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Privilege escalation in TYPO3 CMS allows authenticated backend users with Form Framework access to execute arbitrary SQL by uploading malicious form definitions with non-standard file extensions, enabling creation of administrative backend accounts. The flaw stems from incomplete file-extension validation in FormPersistenceManager and affects every supported branch (10.4, 11.5, 12.4, 13.4, 14.3) below the fixed releases. No public exploit identified at time of analysis, but the upstream fix commits are public on GitHub.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized subscription cancellation in weDevs User Frontend WordPress plugin (all versions through 4.3.2) allows any authenticated subscriber to cancel any other user's subscription pack, including administrators. The flaw stems from a missing capability check on the user_subscription_cancel() function, meaning low-privileged users can invoke privileged actions. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity and broad attacker pool (any registered subscriber) make this a realistic insider or account-takeover amplification risk.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.

Authentication Bypass Sinec Ins
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.

Authentication Bypass Apache
NVD VulDB
EPSS 0% CVSS 2.4
LOW Monitor

File system logic bypass in Huawei HarmonyOS allows a physically present, unauthenticated attacker to circumvent file system control logic, resulting in limited availability impact on the affected device. CVSS scores this at 2.4 (Low), reflecting the mandatory physical access requirement and constrained availability-only impact with no confidentiality or integrity exposure. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 5.2
MEDIUM This Month

Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.

Authentication Bypass
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-controlled keys (IDOR-class flaw) and gain unintended privileges on the photo management application. The QNAP-issued advisory QSA-26-35 confirms the issue and ships a fix in 2.9.1; no public exploit identified at time of analysis, and the flaw is not currently listed in CISA KEV.

Authentication Bypass Qumagie
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.

Authentication Bypass WordPress
NVD WPScan VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks over the network without authentication. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no privileges required, though no public exploit identified at time of analysis and KEV listing is absent.

Authentication Bypass Qumagie
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Hateoas
NVD HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.

Authentication Bypass Java Spring Framework
NVD HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Java
NVD HeroDevs VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in Spring LDAP's DirContextAuthenticationStrategy allows remote unauthenticated attackers to succeed at LDAP bind operations by supplying any non-empty username paired with an empty or null password, due to the framework failing to reject such anonymous-equivalent bind requests. Affected releases span Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3, putting Java applications that delegate authentication to these libraries at risk of impersonating arbitrary users. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Ldap
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated tenant data disclosure in the 6Storage Rentals WordPress plugin (versions up to and including 2.22.0) allows remote attackers to read and modify arbitrary tenant profile records - including names, emails, phone numbers, physical addresses, and SSNs - by enumerating numeric userId values. The flaw stems from AJAX handlers exposed via wp_ajax_nopriv_* hooks without ownership checks or nonce validation. No public exploit identified at time of analysis, but the bug is trivially scriptable and reported by Wordfence.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.

Authentication Bypass File Upload
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated remote access to the Source Connection Test endpoint in DTStack Taier up to 1.4.0 is possible because the `preHandle` method in `LoginInterceptor.java` does not invoke `tokenService.decryption(token)`, allowing any network-reachable caller to bypass authentication entirely. The same patch commit reveals that `ConnFactory.getSimpleConn()` also lacked JDBC URL sanitization, meaning an unauthenticated attacker could supply dangerous parameters such as `autoDeserialize` or `allowLoadLocalInfile` to a malicious MySQL-compatible server, elevating the real-world impact well above the assigned CVSS 5.5 Medium rating. Publicly available exploit code exists (CVSS E:P confirmed); no CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Java
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

Unintended data disclosure in SAP's Operational Data Provisioning RFC (ODP-RFC) modules stems from missing caller identification controls that fail to restrict invocation to permitted SAP-internal applications. Highly privileged customer or third-party applications can invoke these internal RFC modules outside their intended usage context, exposing sensitive operational data across a Changed scope boundary (S:C). No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the High confidentiality impact combined with scope change warrants attention in SAP environments where ODP is exposed to external RFC consumers.

Authentication Bypass SAP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Privilege escalation in SAP NetWeaver Application Server ABAP allows authenticated low-privilege users to invoke a report generation command that overwrites data belonging to other users, breaking tenant-level data integrity. The flaw stems from missing authorization checks (CWE-862) and carries a CVSS 7.1 rating with high integrity impact; no public exploit identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Privilege escalation in SAP MDG's Review Match Groups Application exposes restricted actions to low-privileged authenticated users due to missing authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privileged account over the network with no additional interaction, enabling unauthorized data modification. Impact is scoped to low integrity degradation - confidentiality and availability are unaffected - making this a moderate business risk primarily for organizations where MDG data integrity is compliance-critical. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass SAP
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SAP Authentication Bypass Jwt Attack
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Site isolation bypass in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to escape cross-origin boundaries via a crafted HTML page. The flaw is rated High severity by Chromium and carries a CVSS score of 8.1, though EPSS is very low at 0.02% and no public exploit identified at time of analysis. This is a second-stage vulnerability requiring prior renderer compromise, typically chained with a separate RCE in the renderer sandbox.

Authentication Bypass Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Site isolation bypass in Google Chrome's Passwords component prior to version 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to escape cross-origin boundaries via a crafted HTML page. The flaw is rated High severity by Chromium with a CVSS 8.1 score, but EPSS exploitation probability is very low (0.02%, 6th percentile) and no public exploit identified at time of analysis. The vendor has shipped a fix in the stable channel.

Google Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Extensions subsystem prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to defeat cross-origin security boundaries via a crafted HTML page requiring one user interaction. The root cause is CWE-20 (Improper Input Validation) in the Extensions layer, meaning the Extensions subsystem fails to adequately validate untrusted input before acting on it across site isolation boundaries. EPSS is low at 0.02% (6th percentile), no public exploit code or CISA KEV listing exists at time of analysis, and a vendor patch is confirmed at 149.0.7827.103.

Authentication Bypass Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome Extensions (versions prior to 149.0.7827.103) enables a remote attacker who has already compromised the renderer process to escape cross-origin content boundaries via a crafted HTML page. The vulnerability stems from improper input validation (CWE-20) in the Extensions subsystem, producing a high integrity impact (I:H) with no confidentiality or availability loss per the CVSS vector. No public exploit code exists and no active exploitation has been confirmed, with EPSS at 0.02% (6th percentile), consistent with a chained, high-complexity attack path.

Authentication Bypass Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Source IP spoofing in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows remote attackers to overwrite REMOTE_ADDR by injecting a second PROXY protocol v1 header between keep-alive requests on a persistent connection. Only deployments that explicitly enable `set_remote_address proxy_protocol: :v1` behind a trusted proxy are affected, and no public exploit identified at time of analysis. The flaw undermines any application or middleware logic that relies on client IP for access control, rate limiting, or auditing.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized access in SEMCMS 5.0 allows remote attackers to reach the SEMCMS_copy.php endpoint without authentication, exposing sensitive functionality intended to be restricted. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis beyond a referenced gist. The flaw stems from improper access control (CWE-284) in a PHP-based content management system.

PHP Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in bookcars v8.3 lets remote unauthenticated attackers forge JWT tokens against the /api/social-sign-in endpoint to impersonate arbitrary users. The flaw carries a CVSS 9.1 rating with no public exploit identified at time of analysis, though a third-party vulnerability writeup is referenced on GitHub. EPSS is very low (0.02%, 7th percentile), suggesting limited mass-scanning interest despite the high severity.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in BookCars v8.3 is achievable by authenticated attackers who abuse a path traversal flaw in the /api/create-user endpoint to rename and relocate files from temporary storage to attacker-chosen filesystem paths. The flaw is tagged as Authentication Bypass, Path Traversal, and RCE, and a public write-up exists in a third-party GitHub repository, though it is not listed in CISA KEV and EPSS is low at 0.17% (38th percentile).

RCE Path Traversal Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.

Authentication Bypass Jwt Attack
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation in BookCars v8.3 allows authenticated low-privileged users to elevate themselves to administrator by modifying their own user type attribute, due to missing server-side authorization checks. The flaw is documented in a public GitHub vulnerability writeup but is not listed in CISA KEV, and no public weaponized exploit has been catalogued at time of analysis. CVSS 8.1 reflects high confidentiality and integrity impact achievable over the network with only a standard user account.

Authentication Bypass
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Information disclosure in nebula-mesh through v0.3.1 allows any holder of an operator API key to read the server-wide audit log via GET /api/v1/audit-log, exposing cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entries. The handleGetAuditLog endpoint enforces only bearer authentication with no admin-role check, so a low-privilege tenant can enumerate staffing patterns and high-value targets. Publicly available exploit code exists in the form of a one-line curl reproducer published in the GHSA advisory; no public exploit identified at time of analysis as actively weaponized, and the issue is not on CISA KEV.

Authentication Bypass Google
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.

Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Privilege escalation in FUXA's Scheduler API allows authenticated operator-level users to create or modify scheduled actions restricted to administrators, reaching PLC write and server-side script execution surfaces in SCADA deployments. The vulnerability (CWE-862) exists because POST /api/scheduler and DELETE /api/scheduler lacked the authJwt.haveAdminPermission() check applied to every other privileged write endpoint. Uniquely dangerous in OT environments: the scheduled-action model means an attacker does not need to maintain an active session - a repeating schedule persistently re-applies unauthorized setpoint or script changes even after manual admin remediation.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Authentication Bypass SQLi
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

DNS cache poisoning in Netty's netty-resolver-dns library (versions prior to 4.1.135.Final and 4.2.0.Final through 4.2.14.Final) allows an attacker who controls an authoritative name server for any subdomain to inject forged NS and A records for parent zones such as .co.uk into the resolver's authoritativeDnsServerCache. The bailiwick check in DnsResolveContext.AuthoritativeNameServerList only blocks records targeting the root zone, so any Java application embedding Netty's resolver can be steered to attacker-controlled name servers for unrelated domains. EPSS is only 0.01% and no public exploit identified at time of analysis, but the SSVC technical impact is rated total.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

DNS cache poisoning in Netty's netty-resolver-dns component (versions before 4.1.135.Final and 4.2.x before 4.2.15.Final) lets remote attackers inject forged CNAME records into the resolver cache by exploiting missing bailiwick (origin) validation in DnsResolveContext#buildAliasMap. Any JVM application relying on Netty for asynchronous DNS resolution may be redirected to attacker-controlled hosts, enabling man-in-the-middle on subsequent traffic. No public exploit identified at time of analysis, EPSS is 0.01%, and the issue is not on the CISA KEV list, but CVSS rates it 10.0 due to the scope-changing integrity/confidentiality impact.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Wacrm
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

IPv6 access control bypass in Netty's netty-handler component (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote attackers to circumvent IpSubnetFilter restrictions due to a faulty bitwise masking operation in IpSubnetFilterRule.compareTo(). Because the comparator ANDs the incoming IP against the networkAddress instead of the subnetMask, valid public IPv6 addresses outside the configured allowlist/blocklist can pass filter checks. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.

Authentication Bypass Server
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.

Authentication Bypass Openbullet2
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the `del` parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. No public exploit identified at time of analysis via CISA KEV, though publicly available exploit code exists per the referenced GitHub issue disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH HOSTED Monitor

Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.

Authentication Bypass Iaas Api
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Authentication bypass in AdGuard Home prior to v0.107.77 allows unauthenticated remote attackers to gain full admin access when the binary is launched with the --glinet flag, by injecting a path traversal sequence into the Admin-Token cookie. The flaw lives in the authglinet middleware, which concatenates the cookie value into a file path without sanitization, letting attackers redirect token reads to arbitrary files. No public exploit identified at time of analysis, but the vendor advisory and a community-disclosed root cause make weaponization straightforward.

Authentication Bypass Path Traversal Adguardhome
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Privilege escalation via authorization bypass in Snipe-IT versions prior to 8.6.0 allows any authenticated user holding only the granular `users.edit` permission to disable administrator and superuser accounts through the bulk-edit endpoint, effectively locking all admins out of the instance. By toggling the `activated` and `ldap_import` flags on admin targets, a low-privileged actor denies admins both interactive login and password-reset recovery. No public exploit identified at time of analysis, but the upstream fix and detailed advisory disclose the exact attack surface.

Authentication Bypass Snipe It
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.

Authentication Bypass Flowise
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in Bludit CMS versions prior to 3.22.0 allows deactivated user accounts to retain authenticated access through persistent 'Remember Me' cookies, because the disable-account workflow fails to invalidate tokenAuth and tokenRemember values stored in the JSON database. Any user who previously logged in with the persistent session option can continue to act with their original privileges even after an administrator disables them. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Bludit
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. No public exploit identified at time of analysis, though the fix commit on GitHub publicly discloses the exact root cause.

Authentication Bypass Bludit
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.

Authentication Bypass Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
Prev Page 26 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy