Skip to main content

Authentication Bypass

31264 CVEs technique

Monthly

CVE-2026-11515 MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7765 MEDIUM PATCH This Month

Incorrect authorization in Checkmk's User Messages dashboard widget exposes the dashboard creator's personal messages to any party possessing a valid public dashboard share token. The message-fetching endpoints resolve messages using the dashboard creator's identity rather than the requesting party's identity, meaning that direct API calls with a share token return the issuer's private messages regardless of whether the User Messages widget is actually present on the shared dashboard. All Checkmk deployments running versions prior to 2.5.0p5 that use the public dashboard sharing feature are affected. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Checkmk
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-11577 HIGH This Week

{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack +1
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-50751 CRITICAL POC KEV THREAT NEWS Emergency

Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.

Authentication Bypass Microsoft
NVD VulDB GitHub
CVSS 3.1
9.3
EPSS
0.0%
Threat
5.8
CVE-2026-50752 HIGH Act Now

Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-11500 LOW POC PATCH Monitor

Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. Publicly available exploit code exists (GitHub issue #11392), though the CVSS 4.0 score of 1.3 reflects high attack complexity and the authenticated, misconfiguration-dependent nature of the attack - no public exploitation or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Weaviate
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.1%
CVE-2023-54352 CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54350 HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-11476 LOW POC Monitor

Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11466 LOW POC PATCH Monitor

Improper access control in zilliztech deep-searcher up to version 0.0.2 allows authenticated remote attackers to bypass collection-level authorization in the vector database layer. The CollectionRouter.invoke function in collection_router.py lists and queries all vector database collections without filtering by the caller's authorized scope, meaning a low-privileged user can retrieve data from collections they should not have access to. No public exploit identified via CISA KEV, but publicly available exploit code (POC) exists per the GitHub issue tracker and the CVSS 4.0 E:P modifier confirms this.

Authentication Bypass Deep Searcher
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11462 MEDIUM POC PATCH This Month

Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11461 LOW POC Monitor

Authorization bypass in NousResearch hermes-agent up to 0.12.0 allows remote low-privileged authenticated attackers to access or manipulate sessions belonging to other users by supplying an arbitrary session title to the resume endpoint's `resolve_session_by_title` function without ownership verification. A public proof-of-concept exploit has been disclosed via GitHub Gist, and the vendor did not respond to pre-disclosure contact, meaning no patch is currently available. With CVSS 6.3 and a temporal exploit-partial modifier, this presents elevated practical risk in multi-tenant or shared-instance deployments where session isolation is a security boundary.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11441 MEDIUM PATCH This Month

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11440 MEDIUM PATCH This Month

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11439 MEDIUM PATCH This Month

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11438 MEDIUM PATCH This Month

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-9851 HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-8611 MEDIUM This Month

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8839 MEDIUM POC This Month

{mapid}` endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to `__return_true`. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic `edit_posts` capability and the model layer (`Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) performs no ownership validation at any depth. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7624 MEDIUM This Month

Authorization bypass in the Squirrly SEO WordPress plugin (all versions through 12.4.16) allows authenticated attackers with contributor-level access to invoke privileged Squirrly cloud API operations reserved for administrators, including revoking the site's Google Search Console and Google Analytics integrations via the `api/gsc/revoke` and `api/ga/revoke` endpoints. The flaw stems from the plugin's failure to verify the `sq_manage_settings` capability before processing these state-changing cloud API calls, meaning any contributor can silently destroy critical SEO and analytics data connections without administrator knowledge. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8502 MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7665 MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-9008 MEDIUM This Month

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8976 MEDIUM This Month

Authorization bypass in the RSS Aggregator by Feedzy WordPress plugin (all versions through 5.1.7) allows authenticated contributors to perform privileged import management actions - including force-deleting all posts tied to any import job, creating and executing RSS imports, clearing error logs, and enumerating taxonomy terms and post meta keys. The attack surface is widened by a nonce leak: the required nonce is exposed to any user holding the edit_posts capability via the feedzyjs localized script injected into the WordPress block editor, eliminating the need for any separate token-theft step. No public exploit has been identified at time of analysis, and CISA KEV listing is absent.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-10038 MEDIUM This Month

Arbitrary Media Library attachment deletion in the Charitable donation plugin for WordPress (versions through 1.8.11.1) is achievable by any authenticated user with Subscriber-level access or above via a two-stage IDOR exploit chain in the profile avatar update flow. The attack chains two weak points: Charitable_Data_Processor::process_picture() returns a raw user-supplied attachment ID verbatim when no file is uploaded, allowing an attacker to poison their own avatar user meta with any arbitrary attachment ID, which save_avatar() then blindly passes to wp_delete_attachment() without verifying that the target attachment belongs to the requesting user. No public exploit has been identified at time of analysis, and exploitation is constrained to authenticated users on sites with active user registration.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34123 HIGH PATCH This Week

Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.

Authentication Bypass Tapo C520Ws V2
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-7523 MEDIUM This Month

Authorization bypass in the Alba Board WordPress plugin (all versions through 2.1.3) exposes private project card data to unauthorized access. Despite the CVSS vector assigning PR:L (low privileges required), the vulnerability description explicitly reveals a more severe exploitation path: the AJAX handler is registered under the wp_ajax_nopriv_ hook, and the required nonce is broadcast to all site visitors via wp_localize_script on any page rendering the [alba_board] shortcode - enabling fully unauthenticated access to private alba_card records including titles, descriptions, assignees, due dates, tags, and comments. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the vulnerable code path is publicly browsable in the WordPress plugin repository.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47732 PHP HIGH PATCH GHSA This Week

Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).

PHP Authentication Bypass Oracle
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-45776 MEDIUM PATCH This Month

Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.

Authentication Bypass Xdmod
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-46401 MEDIUM PATCH This Month

Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-11414 CRITICAL PATCH Act Now

Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.

Authentication Bypass Path Traversal Hashicorp Altium Enterprise Server
NVD VulDB
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-5415 HIGH This Week

Authentication bypass in WP Captcha PRO (and the free Advanced Google reCAPTCHA plugin sharing the same slug) for WordPress versions through 5.38 allows authenticated Subscriber-level users to log in as any account, including Administrator. The flaw chains a missing capability check in the ajax_run_tool() AJAX handler with the create_temporary_link tool that issues passwordless login links for arbitrary users, enabling full account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Google WordPress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10580 CRITICAL POC Act Now

Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-46390 MEDIUM PATCH This Month

Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-46389 CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45746 CRITICAL PATCH Act Now

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.

Authentication Bypass Termix
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-45743 HIGH PATCH This Week

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.

Authentication Bypass Termix
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-71318 CRITICAL POC Act Now

Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.

Authentication Bypass Netman 204
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-71317 CRITICAL POC Act Now

Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. No public exploit identified at time of analysis as actively exploited in CISA KEV, but the trivially abusable static credential makes opportunistic exploitation highly likely.

Authentication Bypass Netman 204
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-47419 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-47388 npm LOW PATCH GHSA Monitor

Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47381 npm MEDIUM PATCH GHSA This Month

Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47378 npm MEDIUM PATCH GHSA This Month

Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47279 npm MEDIUM PATCH GHSA This Month

Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47261 Cargo HIGH PATCH GHSA This Week

File truncation bypass in wasmtime-wasi allows guest WebAssembly modules to truncate (destroy contents of) host files that should be read-only, by invoking the wasip2 `descriptor.open-at` or wasip1 `path_open` interfaces with only the `OpenFlags::TRUNCATE` flag set. The bug affects embeddings that combine `DirPerms::MUTATE` with `FilePerms::READ` (read-only file permissions plus directory mutation), defeating the host's enforced `FilePerms::WRITE` access control. No public exploit identified at time of analysis; CVSS 7.5 reflects the integrity-only impact (C:N/I:H/A:N).

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11336 LOW POC Monitor

Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6209 CRITICAL Act Now

Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 3.1
9.1
CVE-2026-6208 CRITICAL Act Now

Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 3.1
9.1
CVE-2026-11369 HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-11345 MEDIUM PATCH This Month

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Authentication Bypass Information Disclosure Linqi
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21036 MEDIUM This Month

Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.

Samsung Authentication Bypass Samsung Internet
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-21031 MEDIUM This Month

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged attacker to launch arbitrary Android Activities without proper permission checks. Exploitation requires passive user interaction (CVSS 4.0 UI:P) and local device access, but the confidentiality impact on the vulnerable system is rated High (VC:H), consistent with the reported Information Disclosure tag. No public exploit code exists and the vulnerability is not listed in CISA's KEV catalog at time of analysis; Samsung has released a patch in SMR Jun-2026 Release 1.

Authentication Bypass Samsung Mobile Devices
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-6274 CRITICAL PATCH Act Now

Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-48907 CRITICAL POC KEV EUVD KEV THREAT Act Now

Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.

PHP Authentication Bypass Joomla Content Editor Jce Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-11302 MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) allows remote unauthenticated attackers to bypass discretionary access controls via a crafted HTML page, resulting in limited integrity impact. User interaction is required, and exploitation probability is extremely low - EPSS sits at 0.02% (4th percentile). No public exploit identified at time of analysis, and Chromium's own security team rated this as 'Low' severity, consistent with the CVSS 4.3 score and SSVC's 'partial' technical impact assessment.

Apple Authentication Bypass Google Chrome Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11298 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.

Apple Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11297 HIGH PATCH This Week

Navigation restriction bypass in Google Chrome on Android prior to 149.0.7827.53 allows a local attacker to circumvent Reader Mode input validation by supplying a malicious file. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (4th percentile), but Google has released a fix in the stable channel. Chromium internally rates this as Low severity despite the elevated NVD CVSS of 7.7.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-11292 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to circumvent CSP directives by delivering a crafted HTML page that requires only a user visit to trigger. The impact is confined to low-severity integrity violations (CVSS I:L) with no confidentiality or availability consequences, consistent with Chromium's own Low severity rating. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects negligible near-term exploitation probability.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11291 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Android Autofill implementation allows remote unauthenticated attackers to perform limited cross-origin integrity violations by delivering a crafted HTML page to a victim user. Affected are all Chrome for Android versions prior to 149.0.7827.53. Impact is constrained to integrity (I:L) with no confidentiality or availability consequence, consistent with Chromium's own 'Low' severity rating. No public exploit code exists and no active exploitation has been confirmed; EPSS exploitation probability sits at 0.02% (4th percentile), making this a low operational priority despite being network-reachable.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11287 MEDIUM PATCH This Month

Navigation policy bypass in Google Chrome on Android (prior to 149.0.7827.53) enables a remote attacker who has already achieved renderer process compromise to circumvent navigation restrictions through a specially crafted HTML page. The vulnerability carries a CVSS integrity impact of High (I:H) with no confidentiality or availability impact, indicating the primary risk is unauthorized navigation to restricted targets - a technique commonly used to chain into further exploitation. No public exploit identified at time of analysis, and EPSS of 0.02% (6th percentile) reflects negligible current exploitation probability; however, its value as a chaining primitive in multi-stage browser attacks warrants attention.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11283 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Shortcuts feature on macOS allows remote attackers to circumvent Chrome's internal URL filtering or navigation controls via a crafted malicious file. Affected versions are all Chrome releases on Mac prior to 149.0.7827.53. The CVSS vector (PR:N, UI:R, I:H) indicates no attacker authentication is required but user interaction with the malicious file is mandatory; EPSS at 0.02% (4th percentile) and no public exploit identified at time of analysis confirm low exploitation probability, consistent with Chromium's own 'Low' severity rating.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11277 MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) enables remote attackers to bypass discretionary access controls by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is network-reachable, requires no authentication, and produces a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects very low exploitation probability; Chromium internally rated this Low severity.

Apple Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11275 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android's Page Info component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to circumvent Chrome's navigation controls via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability cannot be triggered standalone but requires a prior renderer compromise as a prerequisite, limiting its practical threat surface. No public exploit has been identified at time of analysis, EPSS is negligible at 0.02%, and the vulnerability is not listed in CISA KEV. Google rates its internal severity as Low.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11274 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DOM Distiller component on iOS allows a remote attacker to circumvent page navigation controls by serving a specially crafted HTML page. Affected users are running Chrome on iOS prior to version 149.0.7827.53, and exploitation requires the victim to visit an attacker-controlled page. No public exploit identified at time of analysis and EPSS probability sits at 0.02% (4th percentile), consistent with the vendor's own 'Low' severity classification - real-world impact is limited to integrity degradation with no confidentiality or availability consequence.

Apple Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11267 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker who convinces a victim to install a crafted malicious extension to circumvent CSP protections on web pages, enabling unauthorized content injection. The flaw stems from insufficient policy enforcement in Chrome's Extensions subsystem (CWE-602), rated Low severity by the Chromium security team with a CVSS base score of 4.3. No public exploit code exists and no active exploitation has been confirmed; EPSS is 0.01% (1st percentile), reflecting minimal real-world exploitation pressure at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11266 MEDIUM PATCH This Month

SafeBrowsing protection mechanism bypass in Google Chrome prior to version 149.0.7827.53 allows remote unauthenticated attackers to deliver malicious files that evade Chrome's built-in phishing and malware detection layer. The bypass is triggered through user interaction - such as visiting a crafted page or downloading a manipulated file - without requiring any special privileges or configuration. No public exploit has been identified and EPSS is 0.02% (4th percentile), indicating low current exploitation probability; however, successful exploitation silently removes a critical user-facing protection layer, enabling downstream malware delivery.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11264 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to version 149.0.7827.53 enables remote attackers to circumvent CSP protections via a crafted HTML page, with the victim's browser failing to enforce declared content restrictions. The vulnerability requires user interaction (UI:R) and produces limited integrity impact (I:L) only - no confidentiality or availability loss. EPSS at 0.02% (4th percentile) and no CISA KEV listing indicate negligible current exploitation activity; Chromium has internally rated this Low severity, aligning with the constrained impact scope.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11260 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 stems from an inappropriate implementation in the browser's Permissions subsystem, enabling a remote attacker to circumvent CSP restrictions through a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the impact is limited to a partial integrity violation - no confidentiality or availability consequences are indicated. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and Chromium's own 'Low' severity rating together indicate very low near-term exploitation likelihood.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11259 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Cast component exposes users to limited cross-origin integrity violations via a crafted HTML page, affecting all desktop Chrome versions prior to 149.0.7827.53. An unauthenticated remote attacker can circumvent the browser's fundamental cross-origin boundary by exploiting insufficient input validation in the Cast subsystem, achieving a low-severity integrity impact against a visiting user. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) combined with Chromium's own 'Low' severity rating indicate minimal real-world exploitation risk.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11258 MEDIUM PATCH This Month

File System Access API in Google Chrome prior to 149.0.7827.53 allows a remote attacker to bypass discretionary access control (DAC) by convincing a user to perform specific UI gestures on a crafted HTML page. The CVSS vector (I:H, C:N, A:N) confirms the impact is limited to unauthorized file integrity compromise - an attacker could write or modify local files beyond what the user explicitly permitted. No public exploit code exists and EPSS is 0.02% (4th percentile), aligning with Chromium's own internal 'Low' severity rating, indicating limited real-world exploitation likelihood at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11257 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page to a victim. The flaw is classified by Google as an inappropriate implementation in the browser component, carrying a CVSS 4.3 (Medium) with limited integrity impact and no confidentiality or availability consequence. No public exploit has been identified at time of analysis, EPSS exploitation probability stands at 0.02% (4th percentile), and Google's internal Chromium severity rating is Low - consistent signals pointing to a low-urgency, routine-patch item outside of specialized deployment contexts.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11252 MEDIUM PATCH This Month

Content Settings policy enforcement bypass in Google Chrome prior to 149.0.7827.53 enables remote attackers to circumvent discretionary access control by delivering a crafted HTML page to a victim who must interact with it. Rooted in CWE-284 (Improper Access Control), the flaw affects Chrome's Content Settings subsystem - which governs site-level permissions such as cookies, notifications, and script access - yielding a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified and the vulnerability is absent from CISA KEV; the vendor itself rates this as Low severity, consistent with the CVSS 4.3 base score.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11251 LOW PATCH Monitor

Insufficient policy enforcement in Google Chrome's Password Manager (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass discretionary access control via a crafted HTML page, resulting in limited confidentiality exposure. This is a chained vulnerability: exploitation is contingent on a prior renderer process compromise, which substantially elevates attack complexity and limits realistic blast radius. No public exploit code exists and this CVE is not listed in the CISA KEV catalog. Google has rated this Low severity and released a fix in Chrome 149.0.7827.53.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11248 HIGH PATCH This Week

Navigation restriction bypass in Google Chrome's Lens component prior to version 149.0.7827.53 allows a remote attacker to circumvent browser security boundaries via a crafted HTML page. The flaw requires user interaction (UI:R) to trigger, but no authentication, and Google classifies the Chromium security severity as Low despite the NVD CVSS of 8.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11246 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's IndexedDB implementation affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The integrity-only impact (C:N/I:H/A:N) means a successful exploitation could allow unauthorized writes or data manipulation across origins, but does not directly expose confidential data. No public exploit code has been identified at time of analysis, and Google's own Chromium security team rated this Low severity; a vendor-released patch is available at version 149.0.7827.53.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11244 LOW PATCH Monitor

Same-origin policy bypass in Google Chrome's WebAuthentication component affects all Chrome versions prior to 149.0.7827.53, exploitable only by a remote attacker who has already compromised the renderer process. Insufficient input validation in the WebAuthn subsystem allows crafted HTML pages to circumvent same-origin restrictions, resulting in limited confidentiality disclosure (C:L). Chromium's own severity classification is Low, consistent with the CVSS 3.1 score of 3.1, and no public exploit or CISA KEV listing has been identified at time of analysis. The mandatory prerequisite of renderer process compromise significantly constrains the realistic attacker population to sophisticated, multi-stage threat actors.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11243 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Downloads subsystem prior to version 149.0.7827.53 enables a remote unauthenticated attacker to circumvent browser navigation controls by luring a user to a crafted HTML page. The flaw is rooted in an inappropriate implementation classified as CWE-346 (Origin Validation Error), meaning Chrome fails to properly validate the origin of requests or data within the Downloads flow. Rated Medium by CVSS (5.4) and Low by Chromium's own severity scale, no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11240 LOW PATCH Monitor

Site isolation bypass in Google Chrome's Loader component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape Chrome's cross-site data boundary via a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input in the Loader, enabling a post-exploitation primitive that leaks limited confidentiality data across site boundaries. With a CVSS score of 3.1 (Low), EPSS at 0.02% (6th percentile), no CISA KEV listing, and Chromium's own classification as Low severity, this represents a low-urgency chained-exploit stepping stone rather than a standalone critical threat; no public exploit identified at time of analysis.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11238 MEDIUM PATCH This Month

Inappropriate implementation in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a crafted Chrome Extension to access and read sensitive data from process memory. Exploitation requires social engineering a target user into installing a malicious extension, after which the extension can invoke under-guarded DevTools APIs to extract potentially sensitive in-memory content such as credentials, tokens, or session data. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% indicates very low observed exploitation probability; however, the confidentiality impact is rated High by CVSS.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-11326 MEDIUM PATCH This Month

OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.

Authentication Bypass XSS Openai Atlas
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-37737 PyPI MEDIUM This Month

CORS origin allowlist bypass in sanic-cors 2.2.0 and prior enables cross-origin access to authenticated resources by exploiting an unanchored regular expression in the origin-matching logic. The library's try_match() function in sanic_cors/core.py uses Python's re.match() - which matches only from the start of a string, not the full string - allowing an attacker who controls a domain prefixed with a trusted origin (e.g., trusted.example.com.attacker.com) to satisfy the allowlist check. Exploitation requires a victim user to visit an attacker-controlled page, placing this in a network-accessible, user-interaction-required threat model. No public exploit code has been identified at time of analysis, and no KEV listing exists.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11234 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11233 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-11226 MEDIUM PATCH This Month

Same-origin policy bypass in the PreviewTab component of Google Chrome for Android (versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin isolation and corrupt content integrity. Exploitation requires social engineering - the victim must visit a crafted HTML page and be manipulated into performing specific UI gestures within the PreviewTab interface. The CVSS vector scores high integrity impact (I:H) with no confidentiality or availability impact, indicating an attacker can alter or inject content across origin boundaries but cannot directly exfiltrate data. No public exploit code or CISA KEV listing has been identified; EPSS sits at 0.02% (4th percentile), reflecting very low current exploitation probability.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11223 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Network component (versions prior to 149.0.7827.53) enables a post-compromise attacker who already controls the renderer process to subvert cross-origin enforcement via a crafted HTML page. The CVSS integrity impact is rated High (I:H), but exploitation is gated behind a required renderer-process pre-compromise, substantially raising the real-world attack bar. No public exploit code exists and no CISA KEV listing is present; EPSS stands at 0.02% (6th percentile), consistent with Google's own Low severity rating for this issue.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11220 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows a remote attacker who has already compromised the renderer process to break Chrome's cross-origin security boundary via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The CVSS vector (I:H) reflects high integrity impact against protected origins, but the real-world risk is substantially gated by the prerequisite of renderer process compromise - a condition Google itself rates as 'Low' severity in Chromium's internal classification. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11219 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to circumvent Chrome's built-in navigation controls by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation in Chrome's Navigation subsystem (CWE-693: Protection Mechanism Failure), yielding low integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02% (4th percentile), consistent with Google Chromium's own Low severity classification for this issue.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11217 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Fenced Frames component allows an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53 on desktop platforms. No public exploit code has been identified at time of analysis, and EPSS sits at a low 0.02% (4th percentile), consistent with Chromium's own 'Low' severity rating despite the 6.5 CVSS score - real-world risk is contingent on a separate, preceding renderer exploit.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11212 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's DevTools component (prior to 149.0.7827.53) enables an attacker to bypass same-origin policy enforcement through a crafted malicious extension. Exploitation requires convincing a target user to install the attacker-controlled extension, after which cross-origin data can be exfiltrated via insufficient DevTools policy controls. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11210 MEDIUM PATCH This Month

Safe Browsing bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker to circumvent discretionary access control protections by delivering a specially crafted RAR file to a victim who interacts with it. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms no authentication or elevated privileges are required on the attacker side, but exploitation depends on user interaction - the victim must engage with the malicious RAR file. The integrity impact is rated High (I:H) with no confidentiality or availability impact, indicating the primary risk is bypassing file-based access controls enforced by the Safe Browsing subsystem. No public exploit identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low observed exploitation probability.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Incorrect authorization in Checkmk's User Messages dashboard widget exposes the dashboard creator's personal messages to any party possessing a valid public dashboard share token. The message-fetching endpoints resolve messages using the dashboard creator's identity rather than the requesting party's identity, meaning that direct API calls with a share token return the issuer's private messages regardless of whether the User Messages widget is actually present on the shared dashboard. All Checkmk deployments running versions prior to 2.5.0p5 that use the public dashboard sharing feature are affected. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Checkmk
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 +3
NVD GitHub VulDB
EPSS 0% 5.8 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.

Authentication Bypass Microsoft
NVD VulDB GitHub
EPSS 0% CVSS 7.4
HIGH Act Now

Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. Publicly available exploit code exists (GitHub issue #11392), though the CVSS 4.0 score of 1.3 reflects high attack complexity and the authenticated, misconfiguration-dependent nature of the attack - no public exploitation or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Weaviate
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Improper access control in zilliztech deep-searcher up to version 0.0.2 allows authenticated remote attackers to bypass collection-level authorization in the vector database layer. The CollectionRouter.invoke function in collection_router.py lists and queries all vector database collections without filtering by the caller's authorized scope, meaning a low-privileged user can retrieve data from collections they should not have access to. No public exploit identified via CISA KEV, but publicly available exploit code (POC) exists per the GitHub issue tracker and the CVSS 4.0 E:P modifier confirms this.

Authentication Bypass Deep Searcher
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in NousResearch hermes-agent up to 0.12.0 allows remote low-privileged authenticated attackers to access or manipulate sessions belonging to other users by supplying an arbitrary session title to the resume endpoint's `resolve_session_by_title` function without ownership verification. A public proof-of-concept exploit has been disclosed via GitHub Gist, and the vendor did not respond to pre-disclosure contact, meaning no patch is currently available. With CVSS 6.3 and a temporal exploit-partial modifier, this presents elevated practical risk in multi-tenant or shared-instance deployments where session isolation is a security boundary.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

{mapid}` endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to `__return_true`. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic `edit_posts` capability and the model layer (`Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) performs no ownership validation at any depth. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Squirrly SEO WordPress plugin (all versions through 12.4.16) allows authenticated attackers with contributor-level access to invoke privileged Squirrly cloud API operations reserved for administrators, including revoking the site's Google Search Console and Google Analytics integrations via the `api/gsc/revoke` and `api/ga/revoke` endpoints. The flaw stems from the plugin's failure to verify the `sq_manage_settings` capability before processing these state-changing cloud API calls, meaning any contributor can silently destroy critical SEO and analytics data connections without administrator knowledge. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the RSS Aggregator by Feedzy WordPress plugin (all versions through 5.1.7) allows authenticated contributors to perform privileged import management actions - including force-deleting all posts tied to any import job, creating and executing RSS imports, clearing error logs, and enumerating taxonomy terms and post meta keys. The attack surface is widened by a nonce leak: the required nonce is exposed to any user holding the edit_posts capability via the feedzyjs localized script injected into the WordPress block editor, eliminating the need for any separate token-theft step. No public exploit has been identified at time of analysis, and CISA KEV listing is absent.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Arbitrary Media Library attachment deletion in the Charitable donation plugin for WordPress (versions through 1.8.11.1) is achievable by any authenticated user with Subscriber-level access or above via a two-stage IDOR exploit chain in the profile avatar update flow. The attack chains two weak points: Charitable_Data_Processor::process_picture() returns a raw user-supplied attachment ID verbatim when no file is uploaded, allowing an attacker to poison their own avatar user meta with any arbitrary attachment ID, which save_avatar() then blindly passes to wp_delete_attachment() without verifying that the target attachment belongs to the requesting user. No public exploit has been identified at time of analysis, and exploitation is constrained to authenticated users on sites with active user registration.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.

Authentication Bypass Tapo C520Ws V2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Alba Board WordPress plugin (all versions through 2.1.3) exposes private project card data to unauthorized access. Despite the CVSS vector assigning PR:L (low privileges required), the vulnerability description explicitly reveals a more severe exploitation path: the AJAX handler is registered under the wp_ajax_nopriv_ hook, and the required nonce is broadcast to all site visitors via wp_localize_script on any page rendering the [alba_board] shortcode - enabling fully unauthenticated access to private alba_card records including titles, descriptions, assignees, due dates, tags, and comments. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the vulnerable code path is publicly browsable in the WordPress plugin repository.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).

PHP Authentication Bypass Oracle
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.

Authentication Bypass Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.

Authentication Bypass Path Traversal Hashicorp +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in WP Captcha PRO (and the free Advanced Google reCAPTCHA plugin sharing the same slug) for WordPress versions through 5.38 allows authenticated Subscriber-level users to log in as any account, including Administrator. The flaw chains a missing capability check in the ajax_run_tool() AJAX handler with the create_temporary_link tool that issues passwordless login links for arbitrary users, enabling full account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Google WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.

Authentication Bypass Termix
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.

Authentication Bypass Termix
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.

Authentication Bypass Netman 204
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. No public exploit identified at time of analysis as actively exploited in CISA KEV, but the trivially abusable static credential makes opportunistic exploitation highly likely.

Authentication Bypass Netman 204
NVD Exploit-DB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

File truncation bypass in wasmtime-wasi allows guest WebAssembly modules to truncate (destroy contents of) host files that should be read-only, by invoking the wasip2 `descriptor.open-at` or wasip1 `path_open` interfaces with only the `OpenFlags::TRUNCATE` flag set. The bug affects embeddings that combine `DirPerms::MUTATE` with `FilePerms::READ` (read-only file permissions plus directory mutation), defeating the host's enforced `FilePerms::WRITE` access control. No public exploit identified at time of analysis; CVSS 7.5 reflects the integrity-only impact (C:N/I:H/A:N).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 9.1
CRITICAL Act Now

Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 9.1
CRITICAL Act Now

Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.

Authentication Bypass Geographic Tracking System
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Authentication Bypass Information Disclosure Linqi
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.

Samsung Authentication Bypass Samsung Internet
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged attacker to launch arbitrary Android Activities without proper permission checks. Exploitation requires passive user interaction (CVSS 4.0 UI:P) and local device access, but the confidentiality impact on the vulnerable system is rated High (VC:H), consistent with the reported Information Disclosure tag. No public exploit code exists and the vulnerability is not listed in CISA's KEV catalog at time of analysis; Samsung has released a patch in SMR Jun-2026 Release 1.

Authentication Bypass Samsung Mobile Devices
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC KEV EUVD KEV THREAT Act Now

Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.

PHP Authentication Bypass Joomla Content Editor Jce Extension For Joomla
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) allows remote unauthenticated attackers to bypass discretionary access controls via a crafted HTML page, resulting in limited integrity impact. User interaction is required, and exploitation probability is extremely low - EPSS sits at 0.02% (4th percentile). No public exploit identified at time of analysis, and Chromium's own security team rated this as 'Low' severity, consistent with the CVSS 4.3 score and SSVC's 'partial' technical impact assessment.

Apple Authentication Bypass Google +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Navigation restriction bypass in Google Chrome on Android prior to 149.0.7827.53 allows a local attacker to circumvent Reader Mode input validation by supplying a malicious file. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (4th percentile), but Google has released a fix in the stable channel. Chromium internally rates this as Low severity despite the elevated NVD CVSS of 7.7.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to circumvent CSP directives by delivering a crafted HTML page that requires only a user visit to trigger. The impact is confined to low-severity integrity violations (CVSS I:L) with no confidentiality or availability consequences, consistent with Chromium's own Low severity rating. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects negligible near-term exploitation probability.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Android Autofill implementation allows remote unauthenticated attackers to perform limited cross-origin integrity violations by delivering a crafted HTML page to a victim user. Affected are all Chrome for Android versions prior to 149.0.7827.53. Impact is constrained to integrity (I:L) with no confidentiality or availability consequence, consistent with Chromium's own 'Low' severity rating. No public exploit code exists and no active exploitation has been confirmed; EPSS exploitation probability sits at 0.02% (4th percentile), making this a low operational priority despite being network-reachable.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation policy bypass in Google Chrome on Android (prior to 149.0.7827.53) enables a remote attacker who has already achieved renderer process compromise to circumvent navigation restrictions through a specially crafted HTML page. The vulnerability carries a CVSS integrity impact of High (I:H) with no confidentiality or availability impact, indicating the primary risk is unauthorized navigation to restricted targets - a technique commonly used to chain into further exploitation. No public exploit identified at time of analysis, and EPSS of 0.02% (6th percentile) reflects negligible current exploitation probability; however, its value as a chaining primitive in multi-stage browser attacks warrants attention.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Shortcuts feature on macOS allows remote attackers to circumvent Chrome's internal URL filtering or navigation controls via a crafted malicious file. Affected versions are all Chrome releases on Mac prior to 149.0.7827.53. The CVSS vector (PR:N, UI:R, I:H) indicates no attacker authentication is required but user interaction with the malicious file is mandatory; EPSS at 0.02% (4th percentile) and no public exploit identified at time of analysis confirm low exploitation probability, consistent with Chromium's own 'Low' severity rating.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) enables remote attackers to bypass discretionary access controls by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is network-reachable, requires no authentication, and produces a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects very low exploitation probability; Chromium internally rated this Low severity.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android's Page Info component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to circumvent Chrome's navigation controls via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability cannot be triggered standalone but requires a prior renderer compromise as a prerequisite, limiting its practical threat surface. No public exploit has been identified at time of analysis, EPSS is negligible at 0.02%, and the vulnerability is not listed in CISA KEV. Google rates its internal severity as Low.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DOM Distiller component on iOS allows a remote attacker to circumvent page navigation controls by serving a specially crafted HTML page. Affected users are running Chrome on iOS prior to version 149.0.7827.53, and exploitation requires the victim to visit an attacker-controlled page. No public exploit identified at time of analysis and EPSS probability sits at 0.02% (4th percentile), consistent with the vendor's own 'Low' severity classification - real-world impact is limited to integrity degradation with no confidentiality or availability consequence.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker who convinces a victim to install a crafted malicious extension to circumvent CSP protections on web pages, enabling unauthorized content injection. The flaw stems from insufficient policy enforcement in Chrome's Extensions subsystem (CWE-602), rated Low severity by the Chromium security team with a CVSS base score of 4.3. No public exploit code exists and no active exploitation has been confirmed; EPSS is 0.01% (1st percentile), reflecting minimal real-world exploitation pressure at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

SafeBrowsing protection mechanism bypass in Google Chrome prior to version 149.0.7827.53 allows remote unauthenticated attackers to deliver malicious files that evade Chrome's built-in phishing and malware detection layer. The bypass is triggered through user interaction - such as visiting a crafted page or downloading a manipulated file - without requiring any special privileges or configuration. No public exploit has been identified and EPSS is 0.02% (4th percentile), indicating low current exploitation probability; however, successful exploitation silently removes a critical user-facing protection layer, enabling downstream malware delivery.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to version 149.0.7827.53 enables remote attackers to circumvent CSP protections via a crafted HTML page, with the victim's browser failing to enforce declared content restrictions. The vulnerability requires user interaction (UI:R) and produces limited integrity impact (I:L) only - no confidentiality or availability loss. EPSS at 0.02% (4th percentile) and no CISA KEV listing indicate negligible current exploitation activity; Chromium has internally rated this Low severity, aligning with the constrained impact scope.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 stems from an inappropriate implementation in the browser's Permissions subsystem, enabling a remote attacker to circumvent CSP restrictions through a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the impact is limited to a partial integrity violation - no confidentiality or availability consequences are indicated. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and Chromium's own 'Low' severity rating together indicate very low near-term exploitation likelihood.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Cast component exposes users to limited cross-origin integrity violations via a crafted HTML page, affecting all desktop Chrome versions prior to 149.0.7827.53. An unauthenticated remote attacker can circumvent the browser's fundamental cross-origin boundary by exploiting insufficient input validation in the Cast subsystem, achieving a low-severity integrity impact against a visiting user. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) combined with Chromium's own 'Low' severity rating indicate minimal real-world exploitation risk.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

File System Access API in Google Chrome prior to 149.0.7827.53 allows a remote attacker to bypass discretionary access control (DAC) by convincing a user to perform specific UI gestures on a crafted HTML page. The CVSS vector (I:H, C:N, A:N) confirms the impact is limited to unauthorized file integrity compromise - an attacker could write or modify local files beyond what the user explicitly permitted. No public exploit code exists and EPSS is 0.02% (4th percentile), aligning with Chromium's own internal 'Low' severity rating, indicating limited real-world exploitation likelihood at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page to a victim. The flaw is classified by Google as an inappropriate implementation in the browser component, carrying a CVSS 4.3 (Medium) with limited integrity impact and no confidentiality or availability consequence. No public exploit has been identified at time of analysis, EPSS exploitation probability stands at 0.02% (4th percentile), and Google's internal Chromium severity rating is Low - consistent signals pointing to a low-urgency, routine-patch item outside of specialized deployment contexts.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Settings policy enforcement bypass in Google Chrome prior to 149.0.7827.53 enables remote attackers to circumvent discretionary access control by delivering a crafted HTML page to a victim who must interact with it. Rooted in CWE-284 (Improper Access Control), the flaw affects Chrome's Content Settings subsystem - which governs site-level permissions such as cookies, notifications, and script access - yielding a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified and the vulnerability is absent from CISA KEV; the vendor itself rates this as Low severity, consistent with the CVSS 4.3 base score.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Google Chrome's Password Manager (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass discretionary access control via a crafted HTML page, resulting in limited confidentiality exposure. This is a chained vulnerability: exploitation is contingent on a prior renderer process compromise, which substantially elevates attack complexity and limits realistic blast radius. No public exploit code exists and this CVE is not listed in the CISA KEV catalog. Google has rated this Low severity and released a fix in Chrome 149.0.7827.53.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Navigation restriction bypass in Google Chrome's Lens component prior to version 149.0.7827.53 allows a remote attacker to circumvent browser security boundaries via a crafted HTML page. The flaw requires user interaction (UI:R) to trigger, but no authentication, and Google classifies the Chromium security severity as Low despite the NVD CVSS of 8.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's IndexedDB implementation affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The integrity-only impact (C:N/I:H/A:N) means a successful exploitation could allow unauthorized writes or data manipulation across origins, but does not directly expose confidential data. No public exploit code has been identified at time of analysis, and Google's own Chromium security team rated this Low severity; a vendor-released patch is available at version 149.0.7827.53.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Same-origin policy bypass in Google Chrome's WebAuthentication component affects all Chrome versions prior to 149.0.7827.53, exploitable only by a remote attacker who has already compromised the renderer process. Insufficient input validation in the WebAuthn subsystem allows crafted HTML pages to circumvent same-origin restrictions, resulting in limited confidentiality disclosure (C:L). Chromium's own severity classification is Low, consistent with the CVSS 3.1 score of 3.1, and no public exploit or CISA KEV listing has been identified at time of analysis. The mandatory prerequisite of renderer process compromise significantly constrains the realistic attacker population to sophisticated, multi-stage threat actors.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Downloads subsystem prior to version 149.0.7827.53 enables a remote unauthenticated attacker to circumvent browser navigation controls by luring a user to a crafted HTML page. The flaw is rooted in an inappropriate implementation classified as CWE-346 (Origin Validation Error), meaning Chrome fails to properly validate the origin of requests or data within the Downloads flow. Rated Medium by CVSS (5.4) and Low by Chromium's own severity scale, no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome's Loader component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape Chrome's cross-site data boundary via a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input in the Loader, enabling a post-exploitation primitive that leaks limited confidentiality data across site boundaries. With a CVSS score of 3.1 (Low), EPSS at 0.02% (6th percentile), no CISA KEV listing, and Chromium's own classification as Low severity, this represents a low-urgency chained-exploit stepping stone rather than a standalone critical threat; no public exploit identified at time of analysis.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Inappropriate implementation in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a crafted Chrome Extension to access and read sensitive data from process memory. Exploitation requires social engineering a target user into installing a malicious extension, after which the extension can invoke under-guarded DevTools APIs to extract potentially sensitive in-memory content such as credentials, tokens, or session data. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% indicates very low observed exploitation probability; however, the confidentiality impact is rated High by CVSS.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.

Authentication Bypass XSS Openai Atlas
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

CORS origin allowlist bypass in sanic-cors 2.2.0 and prior enables cross-origin access to authenticated resources by exploiting an unanchored regular expression in the origin-matching logic. The library's try_match() function in sanic_cors/core.py uses Python's re.match() - which matches only from the start of a string, not the full string - allowing an attacker who controls a domain prefixed with a trusted origin (e.g., trusted.example.com.attacker.com) to satisfy the allowlist check. Exploitation requires a victim user to visit an attacker-controlled page, placing this in a network-accessible, user-interaction-required threat model. No public exploit code has been identified at time of analysis, and no KEV listing exists.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in the PreviewTab component of Google Chrome for Android (versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin isolation and corrupt content integrity. Exploitation requires social engineering - the victim must visit a crafted HTML page and be manipulated into performing specific UI gestures within the PreviewTab interface. The CVSS vector scores high integrity impact (I:H) with no confidentiality or availability impact, indicating an attacker can alter or inject content across origin boundaries but cannot directly exfiltrate data. No public exploit code or CISA KEV listing has been identified; EPSS sits at 0.02% (4th percentile), reflecting very low current exploitation probability.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Network component (versions prior to 149.0.7827.53) enables a post-compromise attacker who already controls the renderer process to subvert cross-origin enforcement via a crafted HTML page. The CVSS integrity impact is rated High (I:H), but exploitation is gated behind a required renderer-process pre-compromise, substantially raising the real-world attack bar. No public exploit code exists and no CISA KEV listing is present; EPSS stands at 0.02% (6th percentile), consistent with Google's own Low severity rating for this issue.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows a remote attacker who has already compromised the renderer process to break Chrome's cross-origin security boundary via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The CVSS vector (I:H) reflects high integrity impact against protected origins, but the real-world risk is substantially gated by the prerequisite of renderer process compromise - a condition Google itself rates as 'Low' severity in Chromium's internal classification. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to circumvent Chrome's built-in navigation controls by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation in Chrome's Navigation subsystem (CWE-693: Protection Mechanism Failure), yielding low integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02% (4th percentile), consistent with Google Chromium's own Low severity classification for this issue.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Fenced Frames component allows an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53 on desktop platforms. No public exploit code has been identified at time of analysis, and EPSS sits at a low 0.02% (4th percentile), consistent with Chromium's own 'Low' severity rating despite the 6.5 CVSS score - real-world risk is contingent on a separate, preceding renderer exploit.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's DevTools component (prior to 149.0.7827.53) enables an attacker to bypass same-origin policy enforcement through a crafted malicious extension. Exploitation requires convincing a target user to install the attacker-controlled extension, after which cross-origin data can be exfiltrated via insufficient DevTools policy controls. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Safe Browsing bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker to circumvent discretionary access control protections by delivering a specially crafted RAR file to a victim who interacts with it. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms no authentication or elevated privileges are required on the attacker side, but exploitation depends on user interaction - the victim must engage with the malicious RAR file. The integrity impact is rated High (I:H) with no confidentiality or availability impact, indicating the primary risk is bypassing file-based access controls enforced by the Safe Browsing subsystem. No public exploit identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low observed exploitation probability.

Authentication Bypass Google Red Hat +2
NVD
Prev Page 27 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy