Authentication Bypass
Monthly
Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.
Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.
Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.
Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.
Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.
Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.
Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).
Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.
Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.
Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Parameter smuggling in @hapi/content (the header parser used by the Hapi.js framework) before 6.0.2 lets remote unauthenticated attackers bypass upload security controls by sending duplicate Content-Disposition or Content-Type parameters. Because Content.disposition() kept the last duplicate while Content.type() kept the first, a filename allowlist enforced by a WAF, reverse proxy, or alternate parser that resolves duplicates the opposite way can be evaded (e.g. filename="safe.txt"; filename="shell.php"). No public exploit identified at time of analysis and EPSS is very low (0.05%), but a vendor-released patch (6.0.2) is available and the technique is trivially reproducible.
Broken access control in Yamcs yamcs-core allows any authenticated user to enumerate all user accounts, superuser status, and group memberships via the IAM API. The four endpoints - listUsers, getUser, listGroups, and getGroup - in IamApi.java (lines 125, 180, 357, 372) fail to call ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess), a guard that is correctly applied to write operations like createUser. Affected versions are all releases prior to 5.12.7; a proof-of-concept using a single bearer-token HTTP GET is publicly documented in the GitHub Security Advisory GHSA-p2rj-mrmc-9w29, and no active exploitation (CISA KEV) has been identified at time of analysis.
Kirby CMS's path resolver fails to enforce `pages.access` permission checks when rendering page drafts, allowing authenticated users who lack access to specific page models to view those drafts by knowing the full URL path. Affected installations are those explicitly configured to restrict certain user roles from accessing pages via `pages.access: false` in user or model blueprints - sites where all users may access all pages are unaffected. No public exploit or CISA KEV listing exists at time of analysis, but the impact is information disclosure of unpublished content such as pre-launch product pages or embargoed posts.
Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.
Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.
Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privilege user to invoke the list and queryById API endpoints without proper authorization checks, exposing AI RAG model configuration data restricted to higher-privileged roles. The CVSS vector (PR:L, C:L) confirms this is an authorization bypass rather than a full authentication bypass, limiting impact to confidentiality of AI model metadata. Publicly available exploit code exists (GitHub issue #9599, referenced in the exploit tag), though no CISA KEV listing indicates confirmed widespread active exploitation at time of analysis.
Improper access control in Apple macOS (all versions before Tahoe 26) allows a locally installed application running with standard user privileges to access sensitive user data beyond its authorized scope. The root cause - a faulty permissions enforcement code path - was remediated by removing the vulnerable code entirely in macOS Tahoe 26. No public exploit identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Improper access control in Apple macOS allows a locally-executed app to read sensitive user data by exploiting a logic flaw in system-level restrictions. Affected are all macOS versions prior to Tahoe 26, per the CPE data and EUVD-2025-209943. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires no user interaction once an app is running under low privileges, and the confidentiality impact is rated High. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV).
Improper authorization in Apple macOS allows a locally-installed malicious application to access sensitive user data without proper entitlement checks. Affected releases span three macOS generations: Sequoia (prior to 15.7), Sonoma (prior to 14.8), and the forthcoming Tahoe (prior to 26). The flaw stems from a logic issue in access validation, meaning apps lacking legitimate permissions can bypass gating controls to read protected data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.
Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.
Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.
Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the `consumeNonce()` function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to `/api/auth/sign-up/email` will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.
Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the `userIdentity` argument in the SysUser component's `user.getUsername` function at the `/sys/user/login/setting/userEdit` endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.
Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.
Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.
Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.
Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.
Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.
Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).
Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.
Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. No public exploit identified at time of analysis, though EPSS is low (0.15%) and SSVC rates exploitation as POC with total technical impact.
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.
Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.
Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.
Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by adding a higher-privileged user from a different organization into their own organization, exploiting incorrect ACL enforcement on the userEdit relationAdd GraphQL mutation. The flaw yields full platform access and exposure of sensitive intelligence data; no public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), but the vendor-confirmed GHSA advisory and trivial attack complexity make this a meaningful tenancy-isolation issue for multi-organization deployments.
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.
Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).
Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. A proof-of-concept exists per SSVC data, though EPSS sits at 0.03% (9th percentile), indicating limited real-world exploitation activity to date. The vendor-released fix is available in version 6.13.0.
Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.
Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.
Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.
Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged users to perform unauthorized actions affecting data integrity. The flaw stems from missing server-side authorization checks (CWE-862), permitting requests to access or modify functionality beyond the caller's intended permission level. No public exploit identified at time of analysis, EPSS sits at the 8th percentile (0.03%), and SSVC marks exploitation as none - placing real-world risk well below what the medium CVSS score of 4.3 might initially suggest.
Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.
{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.
Missing authorization in Zyxel GS1200v3-series managed switches allows a LAN-based, unauthenticated attacker to read system configuration data from a log file by sending a crafted HTTP request to the device's web interface. All five GS1200v3 models are affected across their current firmware versions. No public exploit has been identified at time of analysis, and both EPSS (0.03%, 11th percentile) and SSVC exploitation status ('none') confirm no observed in-the-wild exploitation, placing this in the category of a real but low-urgency information disclosure risk confined to the local network segment.
Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.
Unauthenticated gRPC API exposure in FastNetMon Community Edition through 1.2.9 allows adjacent network attackers to invoke security-critical RPC methods including ExecuteBan and ExecuteUnBan without credentials. The server explicitly uses grpc::InsecureServerCredentials() on port 50052, enabling attackers to blackhole legitimate traffic via BGP announcements, disable active DDoS mitigations, and trigger external script execution via popen(). No public exploit identified at time of analysis, and EPSS is low at 0.03%, but CISA SSVC rates technical impact as total.
IDOR vulnerability across multiple REST API endpoints in ONLYOFFICE DocSpace before 3.2.1 allows authenticated low-privilege users (User or Guest roles) to exfiltrate owner account identifiers and profile data that should be restricted to administrators. The flaw stems from missing object-level authorization checks on API responses, meaning the server returns sensitive records without validating whether the requester holds sufficient privilege to view them. No public exploit code or active exploitation has been identified at time of analysis, and EPSS places this in the 1st percentile for exploitation probability.
Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.
Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.
Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.
Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.
Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.
Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).
Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.
Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.
Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.
Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.
Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.
Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.
Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.
Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.
Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.
Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).
Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.
Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.
Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Parameter smuggling in @hapi/content (the header parser used by the Hapi.js framework) before 6.0.2 lets remote unauthenticated attackers bypass upload security controls by sending duplicate Content-Disposition or Content-Type parameters. Because Content.disposition() kept the last duplicate while Content.type() kept the first, a filename allowlist enforced by a WAF, reverse proxy, or alternate parser that resolves duplicates the opposite way can be evaded (e.g. filename="safe.txt"; filename="shell.php"). No public exploit identified at time of analysis and EPSS is very low (0.05%), but a vendor-released patch (6.0.2) is available and the technique is trivially reproducible.
Broken access control in Yamcs yamcs-core allows any authenticated user to enumerate all user accounts, superuser status, and group memberships via the IAM API. The four endpoints - listUsers, getUser, listGroups, and getGroup - in IamApi.java (lines 125, 180, 357, 372) fail to call ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess), a guard that is correctly applied to write operations like createUser. Affected versions are all releases prior to 5.12.7; a proof-of-concept using a single bearer-token HTTP GET is publicly documented in the GitHub Security Advisory GHSA-p2rj-mrmc-9w29, and no active exploitation (CISA KEV) has been identified at time of analysis.
Kirby CMS's path resolver fails to enforce `pages.access` permission checks when rendering page drafts, allowing authenticated users who lack access to specific page models to view those drafts by knowing the full URL path. Affected installations are those explicitly configured to restrict certain user roles from accessing pages via `pages.access: false` in user or model blueprints - sites where all users may access all pages are unaffected. No public exploit or CISA KEV listing exists at time of analysis, but the impact is information disclosure of unpublished content such as pre-launch product pages or embargoed posts.
Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.
Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.
Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privilege user to invoke the list and queryById API endpoints without proper authorization checks, exposing AI RAG model configuration data restricted to higher-privileged roles. The CVSS vector (PR:L, C:L) confirms this is an authorization bypass rather than a full authentication bypass, limiting impact to confidentiality of AI model metadata. Publicly available exploit code exists (GitHub issue #9599, referenced in the exploit tag), though no CISA KEV listing indicates confirmed widespread active exploitation at time of analysis.
Improper access control in Apple macOS (all versions before Tahoe 26) allows a locally installed application running with standard user privileges to access sensitive user data beyond its authorized scope. The root cause - a faulty permissions enforcement code path - was remediated by removing the vulnerable code entirely in macOS Tahoe 26. No public exploit identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Improper access control in Apple macOS allows a locally-executed app to read sensitive user data by exploiting a logic flaw in system-level restrictions. Affected are all macOS versions prior to Tahoe 26, per the CPE data and EUVD-2025-209943. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms exploitation requires no user interaction once an app is running under low privileges, and the confidentiality impact is rated High. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV).
Improper authorization in Apple macOS allows a locally-installed malicious application to access sensitive user data without proper entitlement checks. Affected releases span three macOS generations: Sequoia (prior to 15.7), Sonoma (prior to 14.8), and the forthcoming Tahoe (prior to 26). The flaw stems from a logic issue in access validation, meaning apps lacking legitimate permissions can bypass gating controls to read protected data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.
Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.
Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to cross-application data access by authenticated low-privilege users who supply arbitrary `application_id` values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.
Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the `consumeNonce()` function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to `/api/auth/sign-up/email` will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.
Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the `userIdentity` argument in the SysUser component's `user.getUsername` function at the `/sys/user/login/setting/userEdit` endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.
Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.
Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.
Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.
Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.
Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.
Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).
Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.
Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. No public exploit identified at time of analysis, though EPSS is low (0.15%) and SSVC rates exploitation as POC with total technical impact.
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.
Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.
Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.
Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by adding a higher-privileged user from a different organization into their own organization, exploiting incorrect ACL enforcement on the userEdit relationAdd GraphQL mutation. The flaw yields full platform access and exposure of sensitive intelligence data; no public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), but the vendor-confirmed GHSA advisory and trivial attack complexity make this a meaningful tenancy-isolation issue for multi-organization deployments.
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges to access configuration data they should not be permitted to reach, impacting confidentiality, integrity, and availability of the affected site. The flaw spans Joomla 4.0.0-5.4.5 and 6.0.0-6.1.0 and was disclosed by the Joomla! Project itself with a CVSS 4.0 base of 8.6. No public exploit identified at time of analysis and EPSS is very low at 0.04%.
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.
Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).
Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. A proof-of-concept exists per SSVC data, though EPSS sits at 0.03% (9th percentile), indicating limited real-world exploitation activity to date. The vendor-released fix is available in version 6.13.0.
Default manufacturing credentials persisting through installation in IBM Cloud Pak for Data System Cyclops 11.3.0.2 through Interim Fix 002 allow unauthenticated network attackers to bypass authentication and perform unauthorized integrity-impacting actions. The root cause (CWE-1392) reflects a design-phase failure where credentials intended solely for factory/installation use are not forced to rotate before or immediately after deployment. EPSS sits at 0.03% and SSVC records no current exploitation, but the SSVC automatable flag indicates this class of attack is trivially scriptable, making exposed instances a realistic target for opportunistic credential-stuffing against known IBM default password sets. No public exploit identified at time of analysis.
Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.
Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.
Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged users to perform unauthorized actions affecting data integrity. The flaw stems from missing server-side authorization checks (CWE-862), permitting requests to access or modify functionality beyond the caller's intended permission level. No public exploit identified at time of analysis, EPSS sits at the 8th percentile (0.03%), and SSVC marks exploitation as none - placing real-world risk well below what the medium CVSS score of 4.3 might initially suggest.
Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.
{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.
Missing authorization in Zyxel GS1200v3-series managed switches allows a LAN-based, unauthenticated attacker to read system configuration data from a log file by sending a crafted HTTP request to the device's web interface. All five GS1200v3 models are affected across their current firmware versions. No public exploit has been identified at time of analysis, and both EPSS (0.03%, 11th percentile) and SSVC exploitation status ('none') confirm no observed in-the-wild exploitation, placing this in the category of a real but low-urgency information disclosure risk confined to the local network segment.
Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.
Unauthenticated gRPC API exposure in FastNetMon Community Edition through 1.2.9 allows adjacent network attackers to invoke security-critical RPC methods including ExecuteBan and ExecuteUnBan without credentials. The server explicitly uses grpc::InsecureServerCredentials() on port 50052, enabling attackers to blackhole legitimate traffic via BGP announcements, disable active DDoS mitigations, and trigger external script execution via popen(). No public exploit identified at time of analysis, and EPSS is low at 0.03%, but CISA SSVC rates technical impact as total.
IDOR vulnerability across multiple REST API endpoints in ONLYOFFICE DocSpace before 3.2.1 allows authenticated low-privilege users (User or Guest roles) to exfiltrate owner account identifiers and profile data that should be restricted to administrators. The flaw stems from missing object-level authorization checks on API responses, meaning the server returns sensitive records without validating whether the requester holds sufficient privilege to view them. No public exploit code or active exploitation has been identified at time of analysis, and EPSS places this in the 1st percentile for exploitation probability.
Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.
Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.
Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.
Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.
Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.
Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).
Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.
Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.
Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.