Skip to main content

Authentication Bypass

31268 CVEs technique

Monthly

CVE-2026-42736 HIGH This Week

Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42735 HIGH This Week

Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-42726 MEDIUM This Month

Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42725 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13392 HIGH PATCH This Week

Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.

Synology Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-47272 LOW PATCH Monitor

Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2024-47268 MEDIUM PATCH This Month

Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-48906 CRITICAL Act Now

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Authentication Bypass Novarain Tassos Framework Plg System Nrframework Convert Forms Engagebox Google Structured Data +5
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-49002 CRITICAL Act Now

Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.

Authentication Bypass Zxunipos Nds Lte
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41704 MEDIUM PATCH This Month

Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.

Authentication Bypass Bosh
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-3897 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3896 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3895 MEDIUM This Month

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3279 MEDIUM This Month

Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9014 MEDIUM This Month

Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-8994 HIGH This Week

Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.

Microsoft Authentication Bypass WordPress
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-8760 CRITICAL Act Now

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-14481 MEDIUM This Month

Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.

Authentication Bypass WordPress
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44974 npm HIGH PATCH GHSA This Week

Parameter smuggling in @hapi/content (the header parser used by the Hapi.js framework) before 6.0.2 lets remote unauthenticated attackers bypass upload security controls by sending duplicate Content-Disposition or Content-Type parameters. Because Content.disposition() kept the last duplicate while Content.type() kept the first, a filename allowlist enforced by a WAF, reverse proxy, or alternate parser that resolves duplicates the opposite way can be evaded (e.g. filename="safe.txt"; filename="shell.php"). No public exploit identified at time of analysis and EPSS is very low (0.05%), but a vendor-released patch (6.0.2) is available and the technique is trivially reproducible.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-44595 Maven MEDIUM POC PATCH GHSA This Month

Broken access control in Yamcs yamcs-core allows any authenticated user to enumerate all user accounts, superuser status, and group memberships via the IAM API. The four endpoints - listUsers, getUser, listGroups, and getGroup - in IamApi.java (lines 125, 180, 357, 372) fail to call ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess), a guard that is correctly applied to write operations like createUser. Affected versions are all releases prior to 5.12.7; a proof-of-concept using a single bearer-token HTTP GET is publicly documented in the GitHub Security Advisory GHSA-p2rj-mrmc-9w29, and no active exploitation (CISA KEV) has been identified at time of analysis.

Java Authentication Bypass
NVD GitHub Exploit-DB VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44176 PHP MEDIUM PATCH GHSA This Month

Kirby CMS's path resolver fails to enforce `pages.access` permission checks when rendering page drafts, allowing authenticated users who lack access to specific page models to view those drafts by knowing the full URL path. Affected installations are those explicitly configured to restrict certain user roles from accessing pages via `pages.access: false` in user or model blueprints - sites where all users may access all pages are unaffected. No public exploit or CISA KEV listing exists at time of analysis, but the impact is information disclosure of unpublished content such as pre-launch product pages or embargoed posts.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-43947 npm HIGH PATCH GHSA This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

RCE Information Disclosure Node.js Authentication Bypass
NVD GitHub
EPSS
0.6%
CVE-2026-43946 npm HIGH PATCH GHSA This Week

Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2026-9603 MEDIUM POC This Month

Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-48710 PyPI MEDIUM POC PATCH GHSA This Month

Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Starlette
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9604 LOW POC PATCH Monitor

Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privilege user to invoke the list and queryById API endpoints without proper authorization checks, exposing AI RAG model configuration data restricted to higher-privileged roles. The CVSS vector (PR:L, C:L) confirms this is an authorization bypass rather than a full authentication bypass, limiting impact to confidentiality of AI model metadata. Publicly available exploit code exists (GitHub issue #9599, referenced in the exploit tag), though no CISA KEV listing indicates confirmed widespread active exploitation at time of analysis.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-43451 MEDIUM PATCH This Month

Improper access control in Apple macOS (all versions before Tahoe 26) allows a locally installed application running with standard user privileges to access sensitive user data beyond its authorized scope. The root cause - a faulty permissions enforcement code path - was remediated by removing the vulnerable code entirely in macOS Tahoe 26. No public exploit identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Apple Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46307 MEDIUM PATCH This Month

Improper access control in Apple macOS allows a locally-executed app to read sensitive user data by exploiting a logic flaw in system-level restrictions. Affected are all macOS versions prior to Tahoe 26, per the CPE data and EUVD-2025-209943. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires no user interaction once an app is running under low privileges, and the confidentiality impact is rated High. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV).

Apple Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43289 MEDIUM PATCH This Month

Improper authorization in Apple macOS allows a locally-installed malicious application to access sensitive user data without proper entitlement checks. Affected releases span three macOS generations: Sequoia (prior to 15.7), Sonoma (prior to 14.8), and the forthcoming Tahoe (prior to 26). The flaw stems from a logic issue in access validation, meaning apps lacking legitimate permissions can bypass gating controls to read protected data. No public exploit code or CISA KEV listing has been identified at time of analysis.

Apple Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42013 HIGH PATCH This Week

Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-47672 Maven MEDIUM GHSA This Month

Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.

Authentication Bypass Docker Java
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14361 HIGH This Week

Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-42337 MEDIUM PATCH This Month

Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.

Authentication Bypass Maxkb
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44847 HIGH PATCH This Week

Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9580 MEDIUM POC PATCH This Month

Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-44443 MEDIUM PATCH This Month

Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the `consumeNonce()` function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to `/api/auth/sign-up/email` will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.

Race Condition Authentication Bypass Lumiverse
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-44451 CRITICAL PATCH Act Now

Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.

Authentication Bypass Lumiverse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-48592 MEDIUM POC PATCH GHSA This Month

Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.

Authentication Bypass Oban Web
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-9579 LOW POC PATCH Monitor

Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the `userIdentity` argument in the SysUser component's `user.getUsername` function at the `/sys/user/login/setting/userEdit` endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9642 CRITICAL Act Now

Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.

Authentication Bypass Diaview
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8676 HIGH PATCH This Week

Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.

Authentication Bypass Simplicity Sdk
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25426 MEDIUM This Month

Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.

Authentication Bypass WordPress Taxi Booking Manager For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24520 MEDIUM This Month

Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.

Authentication Bypass Tiktok Feed
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25444 MEDIUM This Month

Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.

Authentication Bypass Wpbookingly
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35202 PHP LOW PATCH GHSA Monitor

Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-27331 MEDIUM This Month

Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.

Authentication Bypass Wptravelly
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3660 CRITICAL PATCH Act Now

Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).

Authentication Bypass IBM Engineering Lifecycle Management
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8890 HIGH This Week

Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.

Authentication Bypass Code100X
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-44668 CRITICAL PATCH Act Now

Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. No public exploit identified at time of analysis, though EPSS is low (0.15%) and SSVC rates exploitation as POC with total technical impact.

Authentication Bypass Faction
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47202 CRITICAL PATCH Act Now

Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44776 MEDIUM PATCH This Month

Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-44775 MEDIUM PATCH This Month

Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-24190 HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.

Nvidia RCE Linux Information Disclosure Microsoft +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7251 CRITICAL CISA Emergency

Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.

Authentication Bypass Bioflo 320
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-44730 PyPI HIGH PATCH GHSA This Week

Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by adding a higher-privileged user from a different organization into their own organization, exploiting incorrect ACL enforcement on the userEdit relationAdd GraphQL mutation. The flaw yields full platform access and exposure of sensitive intelligence data; no public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), but the vendor-confirmed GHSA advisory and trivial attack complexity make this a meaningful tenancy-isolation issue for multi-organization deployments.

Authentication Bypass Opencti
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-48896 HIGH This Week

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48897 HIGH This Week

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48899 MEDIUM This Month

Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-48900 MEDIUM This Month

Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-35223 HIGH This Week

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-48904 HIGH This Week

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48898 HIGH This Week

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-47716 PyPI LOW PATCH GHSA Monitor

Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.

Authentication Bypass Bugsink
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-47715 PyPI LOW PATCH GHSA Monitor

Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).

Authentication Bypass Bugsink
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-47728 PyPI MEDIUM PATCH GHSA This Month

Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.

Authentication Bypass Bugsink
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44314 MEDIUM PATCH This Month

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. A proof-of-concept exists per SSVC data, though EPSS sits at 0.03% (9th percentile), indicating limited real-world exploitation activity to date. The vendor-released fix is available in version 6.13.0.

Authentication Bypass Traccar
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-36221 MEDIUM PATCH This Month

Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.

Authentication Bypass IBM Cloud Pak For Data System Cyclops
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9562 MEDIUM POC This Month

Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.

Authentication Bypass Student Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-46620 MEDIUM PATCH NEWS This Month

CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.

CSRF Authentication Bypass E107
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-43934 MEDIUM PATCH This Month

Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.

Authentication Bypass E107
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24590 MEDIUM This Month

Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.

Authentication Bypass Paid Videochat Turnkey Site
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24638 MEDIUM This Month

Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged users to perform unauthorized actions affecting data integrity. The flaw stems from missing server-side authorization checks (CWE-862), permitting requests to access or modify functionality beyond the caller's intended permission level. No public exploit identified at time of analysis, EPSS sits at the 8th percentile (0.03%), and SSVC marks exploitation as none - placing real-world risk well below what the medium CVSS score of 4.3 might initially suggest.

Authentication Bypass Repairbuddy
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39655 MEDIUM This Month

Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.

Authentication Bypass Mayosis Core
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8046 HIGH PATCH This Week

Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.

Authentication Bypass Codesys Control Rte Sl Codesys Control Rte For Beckhoff Cx Sl Codesys Control Win Sl Codesys Hmi Sl +12
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-9495 npm MEDIUM PATCH This Month

{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.

Authentication Bypass Koa Router
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-4795 MEDIUM This Month

Missing authorization in Zyxel GS1200v3-series managed switches allows a LAN-based, unauthenticated attacker to read system configuration data from a log file by sending a crafted HTTP request to the device's web interface. All five GS1200v3 models are affected across their current firmware versions. No public exploit has been identified at time of analysis, and both EPSS (0.03%, 11th percentile) and SSVC exploitation status ('none') confirm no observed in-the-wild exploitation, placing this in the category of a real but low-urgency information disclosure risk confined to the local network segment.

Authentication Bypass Zyxel Gs1200 5V3 Firmware Gs1200 8V3 Firmware Gs1200 5Hpv3 Firmware +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9517 MEDIUM POC This Month

Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.

PHP Authentication Bypass Codeigniter Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-48692 HIGH This Week

Unauthenticated gRPC API exposure in FastNetMon Community Edition through 1.2.9 allows adjacent network attackers to invoke security-critical RPC methods including ExecuteBan and ExecuteUnBan without credentials. The server explicitly uses grpc::InsecureServerCredentials() on port 50052, enabling attackers to blackhole legitimate traffic via BGP announcements, disable active DDoS mitigations, and trigger external script execution via popen(). No public exploit identified at time of analysis, and EPSS is low at 0.03%, but CISA SSVC rates technical impact as total.

Denial Of Service Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-38587 MEDIUM This Month

IDOR vulnerability across multiple REST API endpoints in ONLYOFFICE DocSpace before 3.2.1 allows authenticated low-privilege users (User or Guest roles) to exfiltrate owner account identifiers and profile data that should be restricted to administrators. The flaw stems from missing object-level authorization checks on API responses, meaning the server returns sensitive records without validating whether the requester holds sufficient privilege to view them. No public exploit code or active exploitation has been identified at time of analysis, and EPSS places this in the 1st percentile for exploitation probability.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32389 MEDIUM PATCH This Month

Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.

Authentication Bypass Nanocare
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42763 MEDIUM This Month

Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.

Authentication Bypass Information Disclosure Sepay Gateway
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42776 MEDIUM This Month

Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.

Authentication Bypass Sunshine Photo Cart
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-45209 HIGH This Week

Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.

Authentication Bypass Mycryptocheckout
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45217 MEDIUM This Month

Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.

Authentication Bypass WordPress Stripe Payment Gateway For Woocommerce
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-45438 HIGH PATCH This Week

Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.

Authentication Bypass WordPress Smart Coupons For Woocommerce
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27357 MEDIUM PATCH This Month

Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.

Authentication Bypass Wp Search Analytics
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27398 MEDIUM This Month

Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).

Authentication Bypass Rsvp And Event Management
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27346 MEDIUM PATCH This Month

Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.

Authentication Bypass B2Bking
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-24527 MEDIUM This Month

Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.

Authentication Bypass WordPress Autoship Cloud For Woocommerce Subscription Products
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24586 MEDIUM This Month

Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.

Authentication Bypass Newses
NVD
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.

Authentication Bypass
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.

Synology Authentication Bypass
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Authentication Bypass Novarain Tassos Framework Plg System Nrframework Convert Forms +7
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.

Authentication Bypass Zxunipos Nds Lte
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.

Authentication Bypass Bosh
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.

Microsoft Authentication Bypass WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.

Authentication Bypass WordPress
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Parameter smuggling in @hapi/content (the header parser used by the Hapi.js framework) before 6.0.2 lets remote unauthenticated attackers bypass upload security controls by sending duplicate Content-Disposition or Content-Type parameters. Because Content.disposition() kept the last duplicate while Content.type() kept the first, a filename allowlist enforced by a WAF, reverse proxy, or alternate parser that resolves duplicates the opposite way can be evaded (e.g. filename="safe.txt"; filename="shell.php"). No public exploit identified at time of analysis and EPSS is very low (0.05%), but a vendor-released patch (6.0.2) is available and the technique is trivially reproducible.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Broken access control in Yamcs yamcs-core allows any authenticated user to enumerate all user accounts, superuser status, and group memberships via the IAM API. The four endpoints - listUsers, getUser, listGroups, and getGroup - in IamApi.java (lines 125, 180, 357, 372) fail to call ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess), a guard that is correctly applied to write operations like createUser. Affected versions are all releases prior to 5.12.7; a proof-of-concept using a single bearer-token HTTP GET is publicly documented in the GitHub Security Advisory GHSA-p2rj-mrmc-9w29, and no active exploitation (CISA KEV) has been identified at time of analysis.

Java Authentication Bypass
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Kirby CMS's path resolver fails to enforce `pages.access` permission checks when rendering page drafts, allowing authenticated users who lack access to specific page models to view those drafts by knowing the full URL path. Affected installations are those explicitly configured to restrict certain user roles from accessing pages via `pages.access: false` in user or model blueprints - sites where all users may access all pages are unaffected. No public exploit or CISA KEV listing exists at time of analysis, but the impact is information disclosure of unpublished content such as pre-launch product pages or embargoed posts.

Authentication Bypass
NVD GitHub
EPSS 1%
HIGH PATCH This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

RCE Information Disclosure Node.js +1
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Starlette
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privilege user to invoke the list and queryById API endpoints without proper authorization checks, exposing AI RAG model configuration data restricted to higher-privileged roles. The CVSS vector (PR:L, C:L) confirms this is an authorization bypass rather than a full authentication bypass, limiting impact to confidentiality of AI model metadata. Publicly available exploit code exists (GitHub issue #9599, referenced in the exploit tag), though no CISA KEV listing indicates confirmed widespread active exploitation at time of analysis.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper access control in Apple macOS (all versions before Tahoe 26) allows a locally installed application running with standard user privileges to access sensitive user data beyond its authorized scope. The root cause - a faulty permissions enforcement code path - was remediated by removing the vulnerable code entirely in macOS Tahoe 26. No public exploit identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Apple Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper access control in Apple macOS allows a locally-executed app to read sensitive user data by exploiting a logic flaw in system-level restrictions. Affected are all macOS versions prior to Tahoe 26, per the CPE data and EUVD-2025-209943. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires no user interaction once an app is running under low privileges, and the confidentiality impact is rated High. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV).

Apple Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper authorization in Apple macOS allows a locally-installed malicious application to access sensitive user data without proper entitlement checks. Affected releases span three macOS generations: Sequoia (prior to 15.7), Sonoma (prior to 14.8), and the forthcoming Tahoe (prior to 26). The flaw stems from a logic issue in access validation, meaning apps lacking legitimate permissions can bypass gating controls to read protected data. No public exploit code or CISA KEV listing has been identified at time of analysis.

Apple Authentication Bypass
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.

Authentication Bypass Docker Java
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.

Authentication Bypass Maxkb
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.

Python Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the `consumeNonce()` function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to `/api/auth/sign-up/email` will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.

Race Condition Authentication Bypass Lumiverse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.

Authentication Bypass Lumiverse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.

Authentication Bypass Oban Web
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the `userIdentity` argument in the SysUser component's `user.getUsername` function at the `/sys/user/login/setting/userEdit` endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.

Authentication Bypass Jeecgboot
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.

Authentication Bypass Diaview
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.

Authentication Bypass Simplicity Sdk
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.

Authentication Bypass WordPress Taxi Booking Manager For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.

Authentication Bypass Tiktok Feed
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.

Authentication Bypass Wpbookingly
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.

Authentication Bypass Wptravelly
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).

Authentication Bypass IBM Engineering Lifecycle Management
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.

Authentication Bypass Code100X
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. No public exploit identified at time of analysis, though EPSS is low (0.15%) and SSVC rates exploitation as POC with total technical impact.

Authentication Bypass Faction
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.

Nvidia RCE Linux +4
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.

Authentication Bypass Bioflo 320
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by adding a higher-privileged user from a different organization into their own organization, exploiting incorrect ACL enforcement on the userEdit relationAdd GraphQL mutation. The flaw yields full platform access and exposure of sensitive intelligence data; no public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), but the vendor-confirmed GHSA advisory and trivial attack complexity make this a meaningful tenancy-isolation issue for multi-organization deployments.

Authentication Bypass Opencti
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.

Authentication Bypass Bugsink
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).

Authentication Bypass Bugsink
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.

Authentication Bypass Bugsink
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. A proof-of-concept exists per SSVC data, though EPSS sits at 0.03% (9th percentile), indicating limited real-world exploitation activity to date. The vendor-released fix is available in version 6.13.0.

Authentication Bypass Traccar
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.

Authentication Bypass IBM Cloud Pak For Data System Cyclops
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.

Authentication Bypass Student Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.

CSRF Authentication Bypass E107
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.

Authentication Bypass E107
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.

Authentication Bypass Paid Videochat Turnkey Site
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged users to perform unauthorized actions affecting data integrity. The flaw stems from missing server-side authorization checks (CWE-862), permitting requests to access or modify functionality beyond the caller's intended permission level. No public exploit identified at time of analysis, EPSS sits at the 8th percentile (0.03%), and SSVC marks exploitation as none - placing real-world risk well below what the medium CVSS score of 4.3 might initially suggest.

Authentication Bypass Repairbuddy
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.

Authentication Bypass Mayosis Core
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.

Authentication Bypass Codesys Control Rte Sl Codesys Control Rte For Beckhoff Cx Sl +14
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.

Authentication Bypass Koa Router
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Zyxel GS1200v3-series managed switches allows a LAN-based, unauthenticated attacker to read system configuration data from a log file by sending a crafted HTTP request to the device's web interface. All five GS1200v3 models are affected across their current firmware versions. No public exploit has been identified at time of analysis, and both EPSS (0.03%, 11th percentile) and SSVC exploitation status ('none') confirm no observed in-the-wild exploitation, placing this in the category of a real but low-urgency information disclosure risk confined to the local network segment.

Authentication Bypass Zyxel Gs1200 5V3 Firmware +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.

PHP Authentication Bypass Codeigniter Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated gRPC API exposure in FastNetMon Community Edition through 1.2.9 allows adjacent network attackers to invoke security-critical RPC methods including ExecuteBan and ExecuteUnBan without credentials. The server explicitly uses grpc::InsecureServerCredentials() on port 50052, enabling attackers to blackhole legitimate traffic via BGP announcements, disable active DDoS mitigations, and trigger external script execution via popen(). No public exploit identified at time of analysis, and EPSS is low at 0.03%, but CISA SSVC rates technical impact as total.

Denial Of Service Authentication Bypass N A
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

IDOR vulnerability across multiple REST API endpoints in ONLYOFFICE DocSpace before 3.2.1 allows authenticated low-privilege users (User or Guest roles) to exfiltrate owner account identifiers and profile data that should be restricted to administrators. The flaw stems from missing object-level authorization checks on API responses, meaning the server returns sensitive records without validating whether the requester holds sufficient privilege to view them. No public exploit code or active exploitation has been identified at time of analysis, and EPSS places this in the 1st percentile for exploitation probability.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.

Authentication Bypass Nanocare
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.

Authentication Bypass Information Disclosure Sepay Gateway
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.

Authentication Bypass Sunshine Photo Cart
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.

Authentication Bypass Mycryptocheckout
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.

Authentication Bypass WordPress Stripe Payment Gateway For Woocommerce
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.

Authentication Bypass WordPress Smart Coupons For Woocommerce
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.

Authentication Bypass Wp Search Analytics
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).

Authentication Bypass Rsvp And Event Management
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.

Authentication Bypass B2Bking
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.

Authentication Bypass WordPress Autoship Cloud For Woocommerce Subscription Products
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.

Authentication Bypass Newses
NVD
Prev Page 33 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy