Skip to main content

Authentication Bypass

31268 CVEs technique

Monthly

CVE-2026-24592 MEDIUM This Month

Missing authorization in the Auto Affiliate Links WordPress plugin (all versions through 6.8.8.3) allows unauthenticated remote attackers to bypass access control checks and perform unauthorized write operations against affiliate link configurations. The vulnerability is classified as broken access control (CWE-862) and was reported by Patchstack. No public exploit code exists and no active exploitation has been confirmed - EPSS sits at 0.03% (8th percentile) and SSVC exploitation status is 'none' - indicating negligible real-world threat activity at time of analysis despite the attack being fully automatable with no authentication required.

Authentication Bypass Auto Affiliate Links
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24582 MEDIUM This Month

FlexTable WordPress plugin (versions up to and including 3.24.0) by WPPOOL contains a missing authorization vulnerability enabling low-privileged authenticated users to perform restricted plugin actions beyond their intended access level, resulting in limited but unauthorized integrity modifications. The flaw stems from CWE-862 (Missing Authorization), where plugin endpoints fail to verify that an authenticated user holds the required WordPress capability before executing privileged operations. No public exploit code exists and this vulnerability is not in the CISA Known Exploited Vulnerabilities catalog; EPSS scoring at 0.03% (8th percentile) confirms negligible likelihood of broad exploitation at this time.

Authentication Bypass Flextable
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24545 MEDIUM This Month

Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.

Authentication Bypass Qr Redirector
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24546 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code or active exploitation has been identified at time of analysis, and an EPSS score of 0.03% (8th percentile) reflects low real-world exploitation probability.

Authentication Bypass Gamipress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48847 LOW PATCH Monitor

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.

Authentication Bypass Redis Webmail
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-9484 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9483 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2018-25361 HIGH POC This Week

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Soroush Messenger
NVD Exploit-DB VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-9058 CRITICAL PATCH Act Now

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

Authentication Bypass Szafir Sdk
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-46745 PyPI MEDIUM PATCH This Month

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Authentication Bypass LDAP Apache Code Injection Apache Airflow Fab Provider
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-40127 MEDIUM PATCH This Month

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Authentication Bypass Lifetime
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-9274 MEDIUM This Month

This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.

Authentication Bypass Wi Fi Camera Cp E38Q Cp E48Q Cp E25Q Cp E35Q Cp E45Q Cp E28Q Cp E21Q Cp E31Q Cp E41Q Cp E24Q Cp Z43Q Cp E34Q Cp E44Q Cp T31Q Cp V48Q Cp V41Q Cp Z45Q
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-2651 PyPI CRITICAL PATCH GHSA Act Now

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Authentication Bypass RCE Mlflow Mlflow
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-9412 LOW POC Monitor

Improper access control across multiple backend endpoints in SourceCodester Indian Invoicing System 1.0 permits authenticated low-privilege users to reach restricted functionality beyond their authorization level. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitation requiring only low-level credentials, with confidentiality, integrity, and availability all assessed at low impact across the vulnerable system. A publicly available proof-of-concept exploit exists (hosted on GitHub), though EPSS remains at 0.04% (11th percentile) and the vulnerability is not in the CISA KEV catalog, indicating no confirmed widespread exploitation at time of analysis.

Authentication Bypass Indian Invoicing System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9410 LOW POC Monitor

Improper authorization in Sushmi-pal Invoice-System (up to commit a0a3faa16dee2621b231ae227333f5761607283b) enables authenticated low-privileged users to manipulate the `ID` parameter on the `/profile` endpoint to access or modify profile records belonging to other users - a classic horizontal privilege escalation pattern. The CVSS 4.0 score is 2.1 (Low), reflecting constrained integrity-only impact with no confidentiality or availability consequence, and a proof-of-concept exploit has been publicly disclosed on GitHub. No patch exists; the vendor did not respond to responsible disclosure, and no public exploit is confirmed in CISA KEV.

Authentication Bypass Invoice System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9409 LOW POC Monitor

Improper authorization in Sushmi-pal Invoice-System exposes its User Management Handler to privilege escalation by authenticated remote attackers who manipulate the `role` argument on the `/user` endpoint. Affected instances include all code up to commit a0a3faa16dee2621b231ae227333f5761607283b; the project uses a rolling release model with no discrete versioning. A publicly available proof-of-concept exploit exists on GitHub, though EPSS sits at just 0.03% and SSVC rates the attack as non-automatable with only partial technical impact - no confirmed active exploitation (CISA KEV) has been identified.

Authentication Bypass Invoice System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9398 LOW Monitor

Unauthenticated capture-replay authentication bypass in the Besen BS20 EV Charging Station (firmware up to 20260426) exposes the device's BLE/WiFi interface to unauthorized command injection. An attacker physically adjacent to the charger can intercept and replay wireless authentication tokens to issue tampered charging commands without valid credentials. No patch has been released as of the analysis date; the vendor acknowledged the report in April 2026 and confirmed they are reviewing it. Publicly available proof-of-concept code exists (CVSS E:P), though exploitation probability remains very low (EPSS 0.03%, 11th percentile), consistent with the high attack complexity and adjacent-only access requirement.

Authentication Bypass Bs20 Ev Charging Station
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-9397 HIGH PATCH This Week

Improper authorization in the OTA Update Installation Handler of Besen BS20 EV Charging Station versions up to 20260426 allows remote attackers to install spoofed firmware updates on affected charging stations. The flaw is network-reachable with no authentication required, but exploitation carries high attack complexity (CVSS 4.0 8.2), and publicly available exploit code exists via the original researcher disclosure on GitHub. EPSS rates exploitation probability at only 0.04% (12th percentile), and CISA SSVC flags exploitation status as 'none' despite the public proof-of-concept.

Authentication Bypass Bs20 Ev Charging Station
NVD VulDB GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-9376 LOW POC Monitor

Improper authorization in JPress versions 1.0.0 through 1.0.3 allows any authenticated low-privilege user to manipulate the `id` and `userId` parameters at the `/ucenter/article/doWriteSave` UCenter endpoint, potentially reading or overwriting article data belonging to other users. Publicly available exploit code exists (disclosed via GitHub issue #194), though EPSS sits at 0.03% (10th percentile) and SSVC classifies current exploitation status as 'none,' indicating limited real-world uptake despite the public disclosure. The vendor has not responded to responsible disclosure and no patch has been released.

Authentication Bypass Jpress
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9373 MEDIUM This Month

Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and perform unauthorized actions, though exploitation is rated difficult due to high attack complexity. No public exploit code has been identified and no vendor response has been received. With CVSS 3.7 (Low severity) and AV:N/AC:H/PR:N parameters, the vulnerability poses limited immediate risk but requires monitoring given the authentication bypass nature and remote attack vector.

Authentication Bypass Jeecgboot
NVD VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-9371 LOW POC Monitor

Missing authentication in Vane up to 1.12.1 allows remote attackers to bypass intended access controls on API route.ts endpoints, potentially exposing or manipulating API functionality without credentials. Publicly available exploit code exists (GitHub issue #1123), though CVSS rates attack complexity as high (AC:H) with difficult exploitation, resulting in limited confidentiality, integrity, and availability impact (C:L/I:L/A:L). EPSS data not provided. Not listed in CISA KEV. Vendor (ItzCrazyKns) reportedly plans to implement basic authentication as remediation.

Authentication Bypass Vane
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-9350 MEDIUM POC This Month

Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentication checks in the Batch Runner component, potentially executing unauthorized commands. The vulnerability affects the check_all_command_guards function in tools/approval.py and can be exploited without authentication. Publicly available exploit code exists, though the vulnerability is not yet confirmed in CISA KEV.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2018-25353 HIGH POC This Week

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Authentication Bypass Redaxo Cms Mediapool
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-9306 LOW POC Monitor

Authorization bypass in QuantumNous new-api versions up to 0.12.1 allows remote attackers to access Midjourney image relay endpoints without proper authentication. The vulnerability resides in RelayMidjourneyImage and GetByOnlyMJId functions within relay-router.go. Despite high attack complexity (CVSS AC:H) and CVSS score of only 3.7, a publicly available proof-of-concept exploit exists (disclosed via GitHub Gist), reducing the technical barrier. The vendor did not respond to early disclosure attempts. EPSS data not provided, but the combination of public exploit and unauthenticated network access (PR:N) warrants attention for organizations using this API gateway for Midjourney integration.

Authentication Bypass New Api
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-9284 HIGH This Week

Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.

WordPress Information Disclosure Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-47125 Go HIGH PATCH GHSA This Week

Privilege escalation in Arcane Docker management platform (backend <= 1.19.1) allows any authenticated non-admin user to overwrite the system-wide .env.global file via the PUT /api/environments/{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47120 Go HIGH PATCH GHSA This Week

Privilege escalation in Nezha Monitoring (>= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97) lets an authenticated RoleMember invoke arbitrary cron tasks owned by other users - including admins - by referencing their task IDs in an alert rule's FailTriggerTasks/RecoverTriggerTasks fields. When the attacker's alert trips, the admin's cron command fans out to every connected agent, yielding cross-tenant command execution across the entire monitored fleet. EPSS is very low (0.04%), no public exploit identified at time of analysis beyond the PoC embedded in the GHSA advisory, and the vendor has shipped a patched commit.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46717 Go HIGH PATCH GHSA This Week

Server-side request forgery in Nezha Monitoring dashboard (versions >=1.4.0, <1.14.15-0.20260517022419-d06d539d34c1) allows authenticated low-privilege RoleMember accounts to issue arbitrary HTTP requests to intranet targets via the POST /api/v1/notification and PATCH /api/v1/notification/:id endpoints, with full unbounded response bodies reflected back through error messages. Publicly available exploit code exists in the GHSA advisory, though EPSS is 0.03% (9th percentile) suggesting low mass-exploitation likelihood against this niche server-monitoring tool. Root cause is a missing adminHandler authorization gate combined with a notification webhook tester that ignores private/loopback CIDRs and lacks an io.LimitReader.

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42901 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-33843 CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-47280 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-35430 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41076 HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-39969 MEDIUM This Month

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to unauthenticated webhook spoofing by any network-accessible attacker. The endpoint POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39967 LOW Monitor

Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6406 HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-39968 HIGH This Week

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-39966 MEDIUM This Month

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46715 PyPI MEDIUM PATCH GHSA This Month

Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.

Python CSRF Authentication Bypass Suse
NVD GitHub
EPSS
0.0%
CVE-2026-32253 CRITICAL Act Now

Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.

OpenSSL Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-33712 CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF Typebot Io
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-9255 HIGH PATCH This Week

Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.

Authentication Bypass Kiro Cli
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-28735 Go MEDIUM PATCH This Month

OAuth scope validation bypass in Mattermost's GitHub integration allows authenticated users to escalate repository access beyond what was originally authorized. By manipulating the scope parameter in the GitHub OAuth authorization URL before the callback is processed, a low-privileged Mattermost user can obtain a GitHub token with broader permissions - including access to private repositories - than the application intended to grant. Affecting versions across four active release branches (10.11.x through 11.6.x), this is no public exploit identified at time of analysis and is not listed in CISA KEV, but the low complexity and authentication-only barrier make it a realistic insider or compromised-account risk.

Authentication Bypass Mattermost
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28444 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.

Information Disclosure Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9251 This Week

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-5171 Monitor

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9246 This Week

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Hashicorp Authentication Bypass Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9224 This Week

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9248 Monitor

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Hashicorp Authentication Bypass Server
NVD
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-9223 Monitor

Missing authorization in the vault import feature in Devolutions Server  2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.

Hashicorp Authentication Bypass Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9047 Monitor

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0

Authentication Bypass Server
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2022-34363 MEDIUM PATCH This Month

Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Dell Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2022-31231 MEDIUM PATCH This Month

Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Dell Authentication Bypass Ecs
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8347 PHP LOW PATCH Monitor

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2025-32751 MEDIUM PATCH This Month

Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46371 LOW PATCH Monitor

Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
3.6
EPSS
0.0%
CVE-2025-32746 MEDIUM PATCH This Month

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-3473 Go MEDIUM PATCH GHSA This Month

File ownership and access control enforcement is absent in the Boards API across four release branches of Mattermost, allowing any authenticated user to access and download files belonging to other users or teams by submitting crafted API requests containing valid file IDs. Affected deployments span versions 10.11.x through 11.6.x per EUVD-2026-31429 and vendor advisory MMSA-2026-00620. CVSS scores this at 5.9 (Medium) reflecting high attack complexity due to the file ID prerequisite; no public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8381 MEDIUM PATCH This Month

Broken access control in TeamViewer DEX Platform (On-Premises) before version 9.2 allows authenticated low-privileged users to invoke administrative API endpoints and access sensitive resources outside their authorized scope. The root cause is CWE-862 (Missing Authorization) - backend API endpoints omit proper role-based authorization checks despite confirming user identity. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, but the network-accessible attack vector and low complexity make exploitation straightforward for any user holding valid platform credentials.

Authentication Bypass Dex On Premises
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8679 HIGH POC This Week

Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8684 MEDIUM This Month

Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.

WordPress Authentication Bypass Motopress Hotel Booking
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-9011 HIGH This Week

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress Authentication Bypass Ditty Responsive News Tickers Sliders And Lists
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8692 MEDIUM This Month

Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.

WordPress Authentication Bypass Vedrixa Forms User Registration Form Signup Form Drag Drop Form Builder
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2518 MEDIUM This Month

Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7249 MEDIUM This Month

Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46595 Go CRITICAL PATCH GHSA Act Now

Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.

Authentication Bypass Golang Org X Crypto Ssh
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-39831 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in the Go x/crypto/ssh library (versions before 0.52.0) allows SSH servers to accept FIDO/U2F security key signatures that were generated without the required physical user touch. The Verify() method for sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types failed to check the User Presence flag, enabling unattended use of stolen or relayed hardware-token signatures. No public exploit identified at time of analysis and EPSS is very low (0.01%), but SSVC rates technical impact as total with automatable exploitation.

SSH Authentication Bypass Golang Org X Crypto Ssh Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39833 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34908 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server Udm Udm Pro +28
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-46695 LIB CRITICAL PATCH GHSA Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-46680 Go HIGH PATCH GHSA This Week

runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.

Memory Corruption Kubernetes Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-46645 PyPI MEDIUM PATCH GHSA This Month

Authorization bypass in sqladmin (pip package, versions <= 0.25.0) allows authenticated-but-unauthorized users to query restricted model data through the `ajax_lookup` endpoint, silently circumventing any `is_accessible()` access control overrides that developers have implemented. Every other admin endpoint (`list`, `create`, `edit`, `delete`, `details`, `export`) enforces both the login requirement and the `is_accessible()` model-level authorization hook - the `ajax_lookup` endpoint at `GET /{identity}/ajax/lookup` enforced neither prior to patching. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46639 PHP HIGH PATCH GHSA This Week

Sandbox escape in Twig 3.24.0 through 3.25.x lets an attacker with write access to a sandboxed template read arbitrary public properties and invoke any public getter on objects exposed to the template, bypassing the SandboxExtension's SecurityPolicy allowlists. The flaw exists because the object-destructuring compiler hardcodes the $sandboxed flag to false when emitting CoreExtension::getAttribute() calls, so policy checks never run for destructuring expressions whenever the {% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-46635 PHP MEDIUM PATCH GHSA This Month

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-7887 PHP LOW PATCH Monitor

OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-7886 PHP LOW PATCH Monitor

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-8350 PHP HIGH PATCH GHSA This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-8204 PHP MEDIUM PATCH This Month

Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-47102 PyPI HIGH PATCH GHSA This Week

Privilege escalation in LiteLLM prior to 1.83.10 allows any authenticated user with access to the /user/update endpoint to elevate themselves to proxy_admin by including a user_role field in a self-update request. The endpoint enforces ownership (users can only update their own account) but fails to restrict which fields are mutable, granting full administrative control over users, teams, keys, models, and prompt history. Publicly available exploit code exists via a published huntr.com bounty writeup and gist PoC, though no public exploit identified as actively used in the wild at time of analysis.

Authentication Bypass Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47101 PyPI HIGH PATCH GHSA This Week

Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.

Authentication Bypass Privilege Escalation Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-8327 PHP MEDIUM PATCH This Month

Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-8337 PHP MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-8240 PHP MEDIUM PATCH This Month

Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7881 PHP MEDIUM PATCH This Month

Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7879 PHP MEDIUM PATCH This Month

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

PHP Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-8238 PHP MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-8237 PHP MEDIUM PATCH This Month

Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-8239 PHP MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-8236 PHP MEDIUM PATCH This Month

Unauthenticated information disclosure in Concrete CMS 9.5.0 and below allows any network-accessible attacker to enumerate internal site structure data - including page IDs, version numbers, and URL paths - by sending GET requests to the /ccm/system/dialogs/file/usage/{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-46552 npm MEDIUM PATCH GHSA This Month

Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the Auto Affiliate Links WordPress plugin (all versions through 6.8.8.3) allows unauthenticated remote attackers to bypass access control checks and perform unauthorized write operations against affiliate link configurations. The vulnerability is classified as broken access control (CWE-862) and was reported by Patchstack. No public exploit code exists and no active exploitation has been confirmed - EPSS sits at 0.03% (8th percentile) and SSVC exploitation status is 'none' - indicating negligible real-world threat activity at time of analysis despite the attack being fully automatable with no authentication required.

Authentication Bypass Auto Affiliate Links
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

FlexTable WordPress plugin (versions up to and including 3.24.0) by WPPOOL contains a missing authorization vulnerability enabling low-privileged authenticated users to perform restricted plugin actions beyond their intended access level, resulting in limited but unauthorized integrity modifications. The flaw stems from CWE-862 (Missing Authorization), where plugin endpoints fail to verify that an authenticated user holds the required WordPress capability before executing privileged operations. No public exploit code exists and this vulnerability is not in the CISA Known Exploited Vulnerabilities catalog; EPSS scoring at 0.03% (8th percentile) confirms negligible likelihood of broad exploitation at this time.

Authentication Bypass Flextable
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.

Authentication Bypass Qr Redirector
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code or active exploitation has been identified at time of analysis, and an EPSS score of 0.03% (8th percentile) reflects low real-world exploitation probability.

Authentication Bypass Gamipress
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.

Authentication Bypass Redis Webmail
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.

PHP Authentication Bypass Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH POC This Week

Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Soroush Messenger
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

Authentication Bypass Szafir Sdk
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Authentication Bypass LDAP Apache +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Authentication Bypass Lifetime
NVD
EPSS 0% CVSS 5.2
MEDIUM This Month

This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.

Authentication Bypass Wi Fi Camera Cp E38Q Cp E48Q Cp E25Q Cp E35Q Cp E45Q Cp E28Q Cp E21Q Cp E31Q Cp E41Q Cp E24Q Cp Z43Q Cp E34Q Cp E44Q Cp T31Q Cp V48Q Cp V41Q Cp Z45Q
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Authentication Bypass RCE Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control across multiple backend endpoints in SourceCodester Indian Invoicing System 1.0 permits authenticated low-privilege users to reach restricted functionality beyond their authorization level. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitation requiring only low-level credentials, with confidentiality, integrity, and availability all assessed at low impact across the vulnerable system. A publicly available proof-of-concept exploit exists (hosted on GitHub), though EPSS remains at 0.04% (11th percentile) and the vulnerability is not in the CISA KEV catalog, indicating no confirmed widespread exploitation at time of analysis.

Authentication Bypass Indian Invoicing System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Sushmi-pal Invoice-System (up to commit a0a3faa16dee2621b231ae227333f5761607283b) enables authenticated low-privileged users to manipulate the `ID` parameter on the `/profile` endpoint to access or modify profile records belonging to other users - a classic horizontal privilege escalation pattern. The CVSS 4.0 score is 2.1 (Low), reflecting constrained integrity-only impact with no confidentiality or availability consequence, and a proof-of-concept exploit has been publicly disclosed on GitHub. No patch exists; the vendor did not respond to responsible disclosure, and no public exploit is confirmed in CISA KEV.

Authentication Bypass Invoice System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Sushmi-pal Invoice-System exposes its User Management Handler to privilege escalation by authenticated remote attackers who manipulate the `role` argument on the `/user` endpoint. Affected instances include all code up to commit a0a3faa16dee2621b231ae227333f5761607283b; the project uses a rolling release model with no discrete versioning. A publicly available proof-of-concept exploit exists on GitHub, though EPSS sits at just 0.03% and SSVC rates the attack as non-automatable with only partial technical impact - no confirmed active exploitation (CISA KEV) has been identified.

Authentication Bypass Invoice System
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW Monitor

Unauthenticated capture-replay authentication bypass in the Besen BS20 EV Charging Station (firmware up to 20260426) exposes the device's BLE/WiFi interface to unauthorized command injection. An attacker physically adjacent to the charger can intercept and replay wireless authentication tokens to issue tampered charging commands without valid credentials. No patch has been released as of the analysis date; the vendor acknowledged the report in April 2026 and confirmed they are reviewing it. Publicly available proof-of-concept code exists (CVSS E:P), though exploitation probability remains very low (EPSS 0.03%, 11th percentile), consistent with the high attack complexity and adjacent-only access requirement.

Authentication Bypass Bs20 Ev Charging Station
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Improper authorization in the OTA Update Installation Handler of Besen BS20 EV Charging Station versions up to 20260426 allows remote attackers to install spoofed firmware updates on affected charging stations. The flaw is network-reachable with no authentication required, but exploitation carries high attack complexity (CVSS 4.0 8.2), and publicly available exploit code exists via the original researcher disclosure on GitHub. EPSS rates exploitation probability at only 0.04% (12th percentile), and CISA SSVC flags exploitation status as 'none' despite the public proof-of-concept.

Authentication Bypass Bs20 Ev Charging Station
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in JPress versions 1.0.0 through 1.0.3 allows any authenticated low-privilege user to manipulate the `id` and `userId` parameters at the `/ucenter/article/doWriteSave` UCenter endpoint, potentially reading or overwriting article data belonging to other users. Publicly available exploit code exists (disclosed via GitHub issue #194), though EPSS sits at 0.03% (10th percentile) and SSVC classifies current exploitation status as 'none,' indicating limited real-world uptake despite the public disclosure. The vendor has not responded to responsible disclosure and no patch has been released.

Authentication Bypass Jpress
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper authentication in JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and perform unauthorized actions, though exploitation is rated difficult due to high attack complexity. No public exploit code has been identified and no vendor response has been received. With CVSS 3.7 (Low severity) and AV:N/AC:H/PR:N parameters, the vulnerability poses limited immediate risk but requires monitoring given the authentication bypass nature and remote attack vector.

Authentication Bypass Jeecgboot
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Missing authentication in Vane up to 1.12.1 allows remote attackers to bypass intended access controls on API route.ts endpoints, potentially exposing or manipulating API functionality without credentials. Publicly available exploit code exists (GitHub issue #1123), though CVSS rates attack complexity as high (AC:H) with difficult exploitation, resulting in limited confidentiality, integrity, and availability impact (C:L/I:L/A:L). EPSS data not provided. Not listed in CISA KEV. Vendor (ItzCrazyKns) reportedly plans to implement basic authentication as remediation.

Authentication Bypass Vane
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentication checks in the Batch Runner component, potentially executing unauthorized commands. The vulnerability affects the check_all_command_guards function in tools/approval.py and can be exploited without authentication. Publicly available exploit code exists, though the vulnerability is not yet confirmed in CISA KEV.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 2.9
LOW POC Monitor

Authorization bypass in QuantumNous new-api versions up to 0.12.1 allows remote attackers to access Midjourney image relay endpoints without proper authentication. The vulnerability resides in RelayMidjourneyImage and GetByOnlyMJId functions within relay-router.go. Despite high attack complexity (CVSS AC:H) and CVSS score of only 3.7, a publicly available proof-of-concept exploit exists (disclosed via GitHub Gist), reducing the technical barrier. The vendor did not respond to early disclosure attempts. EPSS data not provided, but the combination of public exploit and unauthenticated network access (PR:N) warrants attention for organizations using this API gateway for Midjourney integration.

Authentication Bypass New Api
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.

WordPress Information Disclosure Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Arcane Docker management platform (backend <= 1.19.1) allows any authenticated non-admin user to overwrite the system-wide .env.global file via the PUT /api/environments/{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in Nezha Monitoring (>= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97) lets an authenticated RoleMember invoke arbitrary cron tasks owned by other users - including admins - by referencing their task IDs in an alert rule's FailTriggerTasks/RecoverTriggerTasks fields. When the attacker's alert trips, the admin's cron command fans out to every connected agent, yielding cross-tenant command execution across the entire monitored fleet. EPSS is very low (0.04%), no public exploit identified at time of analysis beyond the PoC embedded in the GHSA advisory, and the vendor has shipped a patched commit.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Nezha Monitoring dashboard (versions >=1.4.0, <1.14.15-0.20260517022419-d06d539d34c1) allows authenticated low-privilege RoleMember accounts to issue arbitrary HTTP requests to intranet targets via the POST /api/v1/notification and PATCH /api/v1/notification/:id endpoints, with full unbounded response bodies reflected back through error messages. Publicly available exploit code exists in the GHSA advisory, though EPSS is 0.03% (9th percentile) suggesting low mass-exploitation likelihood against this niche server-monitoring tool. Root cause is a missing adminHandler authorization gate combined with a notification webhook tester that ignores private/loopback CIDRs and lacks an io.LimitReader.

Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to unauthenticated webhook spoofing by any network-accessible attacker. The endpoint POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.

Python CSRF Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.

OpenSSL Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.

Authentication Bypass Kiro Cli
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OAuth scope validation bypass in Mattermost's GitHub integration allows authenticated users to escalate repository access beyond what was originally authorized. By manipulating the scope parameter in the GitHub OAuth authorization URL before the callback is processed, a low-privileged Mattermost user can obtain a GitHub token with broader permissions - including access to private repositories - than the application intended to grant. Affecting versions across four active release branches (10.11.x through 11.6.x), this is no public exploit identified at time of analysis and is not listed in CISA KEV, but the low complexity and authentication-only barrier make it a realistic insider or compromised-account risk.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.

Information Disclosure Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 5.4
This Week

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD
EPSS 0% CVSS 4.3
Monitor

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD VulDB
EPSS 0% CVSS 4.3
This Week

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Hashicorp Authentication Bypass Server
NVD
EPSS 0% CVSS 4.3
This Week

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Authentication Bypass Server
NVD
EPSS 0% CVSS 2.6
Monitor

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Hashicorp Authentication Bypass Server
NVD
EPSS 0% CVSS 4.3
Monitor

Missing authorization in the vault import feature in Devolutions Server  2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.

Hashicorp Authentication Bypass Server
NVD
EPSS 0% CVSS 7.6
Monitor

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0

Authentication Bypass Server
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Dell Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Dell Authentication Bypass Ecs
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.

Dell Authentication Bypass Powerflex Manager Appliance +2
NVD
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.

Dell Authentication Bypass Powerflex Manager Appliance +2
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.

Dell Authentication Bypass Powerflex Manager Appliance +2
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

File ownership and access control enforcement is absent in the Boards API across four release branches of Mattermost, allowing any authenticated user to access and download files belonging to other users or teams by submitting crafted API requests containing valid file IDs. Affected deployments span versions 10.11.x through 11.6.x per EUVD-2026-31429 and vendor advisory MMSA-2026-00620. CVSS scores this at 5.9 (Medium) reflecting high attack complexity due to the file ID prerequisite; no public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Broken access control in TeamViewer DEX Platform (On-Premises) before version 9.2 allows authenticated low-privileged users to invoke administrative API endpoints and access sensitive resources outside their authorized scope. The root cause is CWE-862 (Missing Authorization) - backend API endpoints omit proper role-based authorization checks despite confirming user identity. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, but the network-accessible attack vector and low complexity make exploitation straightforward for any user holding valid platform credentials.

Authentication Bypass Dex On Premises
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.

WordPress Authentication Bypass Motopress Hotel Booking
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress Authentication Bypass Ditty Responsive News Tickers Sliders And Lists
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.

WordPress Authentication Bypass Vedrixa Forms User Registration Form Signup Form Drag Drop Form Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.

Authentication Bypass Golang Org X Crypto Ssh
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in the Go x/crypto/ssh library (versions before 0.52.0) allows SSH servers to accept FIDO/U2F security key signatures that were generated without the required physical user touch. The Verify() method for sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types failed to check the User Presence flag, enabling unattended use of stolen or relayed hardware-token signatures. No public exploit identified at time of analysis and EPSS is very low (0.01%), but SSVC rates technical impact as total with automatable exploitation.

SSH Authentication Bypass Golang Org X Crypto Ssh +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server +30
NVD VulDB GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.

Memory Corruption Kubernetes Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in sqladmin (pip package, versions <= 0.25.0) allows authenticated-but-unauthorized users to query restricted model data through the `ajax_lookup` endpoint, silently circumventing any `is_accessible()` access control overrides that developers have implemented. Every other admin endpoint (`list`, `create`, `edit`, `delete`, `details`, `export`) enforces both the login requirement and the `is_accessible()` model-level authorization hook - the `ajax_lookup` endpoint at `GET /{identity}/ajax/lookup` enforced neither prior to patching. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in Twig 3.24.0 through 3.25.x lets an attacker with write access to a sandboxed template read arbitrary public properties and invoke any public getter on objects exposed to the template, bypassing the SandboxExtension's SecurityPolicy allowlists. The flaw exists because the object-destructuring compiler hardcodes the $sandboxed flag to false when emitting CoreExtension::getAttribute() calls, so policy checks never run for destructuring expressions whenever the {% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in LiteLLM prior to 1.83.10 allows any authenticated user with access to the /user/update endpoint to elevate themselves to proxy_admin by including a user_role field in a self-update request. The endpoint enforces ownership (users can only update their own account) but fails to restrict which fields are mutable, granting full administrative control over users, teams, keys, models, and prompt history. Publicly available exploit code exists via a published huntr.com bounty writeup and gist PoC, though no public exploit identified as actively used in the wild at time of analysis.

Authentication Bypass Litellm
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.

Authentication Bypass Privilege Escalation Litellm
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

PHP Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated information disclosure in Concrete CMS 9.5.0 and below allows any network-accessible attacker to enumerate internal site structure data - including page IDs, version numbers, and URL paths - by sending GET requests to the /ccm/system/dialogs/file/usage/{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.

Authentication Bypass Concrete Cms
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.

Authentication Bypass
NVD GitHub VulDB
Prev Page 34 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy