Skip to main content

Authentication Bypass

31268 CVEs technique

Monthly

CVE-2026-46549 npm LOW PATCH GHSA Monitor

OAuth token scope enforcement is entirely absent at the ACL middleware layer in NocoDB (npm/nocodb ≤ 0.301.3), causing tokens issued with restricted scopes - such as MCP-only - to silently inherit the underlying authenticated user's full role across all routes. The per-base resource restriction (`granted_resources.base_id`) is additionally bypassed on org-level endpoints where `req.context.base_id` is never populated, rendering base-scoped token restrictions meaningless against workspace-level API calls. No public exploit has been identified at time of analysis, and no patched release has been confirmed despite a fix being described in the advisory.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
2.0
EPSS
0.0%
CVE-2026-46519 npm HIGH PATCH GHSA This Week

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Kubernetes Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46668 Go LOW PATCH GHSA Monitor

Improper cache key generation in SpiceDB's dispatch layer allows authorization bypass when caveat structures use nested lists. Affected versions (v1.15.0 through v1.51.x) generate colliding cache keys due to non-deterministic serialization of nested list structures in caveat contexts, causing the system to erroneously serve a cached positive authorization result in place of a correct negative one. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog, but exploitation is structurally straightforward for any party with the ability to send crafted CheckBulkPermission or LookupResources requests to a misconfigured deployment.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-46614 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in Fission (Kubernetes serverless framework) versions 1.22.0 and earlier allows unauthenticated remote callers reaching the public router (svc/router, port 8888) to invoke any Function object by guessing its metadata.name and namespace via the /fission-function/<ns>/<name> route, completely bypassing HTTPTrigger host, path, method, and method-allow-list restrictions. The flaw also enables function-name enumeration and crosses tenant boundaries in multi-tenant deployments; no public exploit identified at time of analysis, though the fix commits and root-cause analysis are public on GitHub.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46612 Go HIGH PATCH GHSA This Week

Unauthenticated archive CRUD in Fission's storagesvc (≤ v1.22.0) lets any in-cluster workload list, download, replace, or delete function deployment archives across all tenants by hitting the ClusterIP-exposed /v1/archive and /v1/archives endpoints. Because uploaded archives are later fetched and executed by function specialization, the flaw escalates from a tenant data-exposure issue to in-cluster code execution. No public exploit identified at time of analysis, but the trivial HTTP pattern and lack of auth middleware make weaponization straightforward for any attacker with a foothold pod.

Kubernetes Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4843 MEDIUM This Month

Missing capability check in GSheet For Woo Importer (WordPress plugin, all versions through 2.3.1) allows authenticated attackers with Subscriber-level access to invoke the process_ajax_restore_action() AJAX function and permanently delete the plugin's Google Sheets API token and associated configuration options. This disrupts WooCommerce product import workflows dependent on the Google Sheets integration. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Google Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48245 MEDIUM PATCH This Month

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.

PHP Google Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48244 MEDIUM PATCH This Month

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.

PHP Google Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48243 MEDIUM PATCH This Month

Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48242 CRITICAL PATCH Act Now

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-48241 CRITICAL PATCH Act Now

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-39593 MEDIUM This Month

Broken access control in the HAPPY WordPress helpdesk and support ticket plugin (versions through 1.0.10) by VillaTheme permits unauthenticated remote attackers to invoke restricted plugin functionality without any authorization check. The vulnerability stems from missing authorization gates on plugin endpoints, classified under CWE-862, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Happy
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46403 Go MEDIUM PATCH GHSA This Month

KVM read-only execution isolation bypass in klever-go allows a low-privileged smart contract actor to commit irreversible contract deletion side effects through the `ExecuteReadOnlyWithTypedArguments` hook, violating the expected non-mutating guarantee of read-only calls. Affected are all deployments of klever-go prior to v1.7.17 where smart contract workflows invoke callees through read-only execution paths. A confirmed proof-of-concept was included with the original disclosure, demonstrating that `DeletedAccounts` in VM output transitions from zero entries to one after a read-only nested call - no public exploit is separately circulating and CISA KEV listing is not confirmed at time of analysis.

Oracle Authentication Bypass
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-13479 HIGH This Week

Unauthorized data disclosure in PosCube QR Menu (all versions through 21052026) allows remote attackers to access other users' restaurant menu data by manipulating user-controlled identifiers in requests. The flaw is an Insecure Direct Object Reference (IDOR) reachable over the network without authentication, and no public exploit identified at time of analysis. Reported by Turkey's national CERT (TR-CERT), with the vendor unresponsive to disclosure outreach.

Authentication Bypass Qr Menu
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13477 HIGH This Week

Authentication bypass in Digital Operations Services Inc. WifiBurada (all versions through 21052026) allows authenticated remote attackers to access private personal information and credentials belonging to other users due to insufficient credential protection. The flaw, reported by TR-CERT and tracked as EUVD-2025-209910, carries a CVSS 7.1 score with high confidentiality impact; no public exploit identified at time of analysis and the vendor has not responded to disclosure attempts.

Authentication Bypass Wifiburada
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45760 Go PATCH GHSA Monitor

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Kubernetes Apache Authentication Bypass Apache Camel K
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41999 MEDIUM PATCH This Month

Incorrect view selection in PowerDNS Authoritative Server when processing TCP PROXY protocol requests exposes DNS records intended for a different network segment to remote unauthenticated attackers, producing both unauthorized information disclosure and limited integrity impact. Deployments running split-horizon DNS via the Views feature alongside TCP PROXY protocol support are the specific affected population. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the attack concept requires no authentication and no user interaction, making it relevant wherever both features are co-deployed.

Authentication Bypass Authoritative
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-27393 MEDIUM This Month

Missing authorization in the CF7 WOW Styler WordPress plugin (versions through 1.7.6) permits unauthenticated remote attackers to perform restricted administrative actions due to absent capability checks on one or more plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making it trivially reachable on any publicly exposed WordPress site running the affected plugin. Impact is limited to low-integrity writes (C:N/I:L/A:N), but no public exploit or CISA KEV entry has been identified at time of analysis.

Authentication Bypass Cf7 Wow Styler
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44058 HIGH PATCH This Week

Authentication bypass in Netatalk 2.2.2 through 4.4.2 allows attackers with high-privileged admin auth user credentials to circumvent authentication controls in this open-source AFP (Apple Filing Protocol) server implementation. The flaw, tracked as EUVD-2026-31234 and tagged as an Authentication Bypass weakness, carries a CVSS 7.2 (High) score and is fixed in version 4.5.0; no public exploit identified at time of analysis.

Authentication Bypass Suse
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-4055 Go MEDIUM PATCH This Month

Incorrect authorization in Mattermost Playbooks (versions 11.5.0-11.5.1) allows any authenticated team member to create playbook runs in teams where they hold no run_create permission, by supplying an arbitrary team ID in the run creation API request. The server validates permissions only against the user's originating context rather than the target team specified in the payload, a classic authorization bypass rooted in CWE-863. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the low attack complexity makes this trivially exploitable by any authenticated insider or compromised account.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2734 PyPI MEDIUM PATCH This Month

Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.

Authentication Bypass Mlflow Mlflow
NVD GitHub
CVSS 3.0
6.5
EPSS
0.0%
CVE-2026-1881 MEDIUM This Month

Insecure Direct Object Reference in the Broadstreet WordPress plugin (all versions through 1.52.2) allows any authenticated user with Subscriber-level access to read arbitrary private post metadata by supplying a user-controlled key to the get_sponsored_meta AJAX endpoint without server-side authorization checks. The vulnerability stems from a missing object-level authorization check (CWE-639), a common class of flaw in WordPress plugin AJAX handlers. No public exploit code or active exploitation has been identified at time of analysis, and a patched version (1.53.2) is available via the WordPress plugin repository.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9152 CRITICAL HOSTED Monitor

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.

Authentication Bypass Hashicorp
NVD VulDB
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-40165 HIGH This Week

Authentication bypass in authentik identity provider allows attackers with an account on a federated SAML Source to impersonate arbitrary users by injecting an XML comment into the NameID value of a signed SAML assertion. Affected versions are 2025.12.4 and prior, plus 2026.2.0-rc1 through 2026.2.2; the GitHub Security Advisory GHSA-9wj8-xv4r-qwrp confirms the issue with a CVSS 8.7 (High) score, and no public exploit is identified at time of analysis though the upstream commit and a regression test demonstrate the truncation behavior.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-9141 CRITICAL Act Now

Authentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded web configuration interface without any login, granting full administrative read and write access over alarm routing and device settings. The CVSS 4.0 score of 9.3 reflects unauthenticated network exploitation with high impact on confidentiality, integrity, and availability, and a public technical write-up exists on Medium alongside a VulnCheck advisory, though no public exploit identified at time of analysis.

Authentication Bypass Ag1000 01A Sms Alert Gateway
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-9139 CRITICAL Act Now

Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.

Authentication Bypass Ag1000 01A Sms Alert Gateway
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-9115 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.

Google Authentication Bypass Suse Red Hat Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39310 HIGH PATCH This Week

Authentication bypass in Trilium Notes Desktop (Electron build) versions 0.102.1 and earlier allows remote unauthenticated attackers on the same network to access the Clipper API and read or manipulate notes without any credentials. The Electron runtime detection explicitly disables auth middleware on endpoints like /api/clipper/notes and the handshake endpoint, which fingerprints the application - no public exploit identified at time of analysis, but the vendor advisory GHSA-jcvx-vc83-cppw confirms the issue and the fix shipped in 0.102.2.

CSRF Authentication Bypass Trilium
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33137 Maven CRITICAL PATCH GHSA Act Now

Unauthenticated XAR import in XWiki Platform allows remote attackers to create or modify arbitrary documents in a target wiki via the POST /wikis/{wikiName} REST endpoint, which was missing authorization checks. Affects all releases prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. CVSS 4.0 base score is 9.3 (critical) with no public exploit identified at time of analysis, but the patch commit clearly exposes the trivial nature of the bypass.

Authentication Bypass Xwiki Platform
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-26028 npm MEDIUM PATCH GHSA This Month

HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.

Microsoft Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9136 HIGH PATCH This Week

Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-2812 MEDIUM This Month

Improper authentication on an undocumented administrative endpoint in ArcGIS Server 11.1 through 12.0 allows unauthenticated remote attackers to disrupt the web-based browsing interface by sending a crafted HTTP request. The vulnerability is classified as CWE-287 and carries a CVSS 5.3 medium score, reflecting network-reachable, zero-privilege exploitation offset by limited impact (integrity only, no confidentiality or availability loss). No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Arcgis Server
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20238 MEDIUM PATCH This Month

Unauthorized data disclosure in Splunk AI Toolkit versions below 5.7.3 allows authenticated low-privileged users to bypass srchFilter-based access controls and read confidential data scoped to more restricted custom roles. The flaw stems from the Splunk platform's behavior of combining inherited search filters via the OR SPL operator, causing the permissive filter injected by the AI Toolkit's authorize.conf to override stricter filters on child roles. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the CVSS confidentiality impact is rated High, making this a meaningful data exposure risk in multi-tenant or compliance-sensitive Splunk deployments.

Authentication Bypass Splunk
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9087 Maven HIGH PATCH This Week

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstream Identity Provider to hijack a victim's local account through the cross-session account-linking flow. The cross-session verification proof is keyed only by the tuple of local userId and idpAlias without binding to the specific upstream identity that was actually verified, so the proof can be replayed against a different upstream account on the same IdP. EPSS is currently 0.03% (8th percentile) and no public exploit identified at time of analysis, but technical impact is rated total by CISA SSVC.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-20223 CRITICAL NEWS Act Now

Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.

Authentication Bypass Cisco Cisco Secure Workload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-9084 MEDIUM PATCH This Month

Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-47068 LOW POC PATCH GHSA Monitor

Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-21836 MEDIUM This Month

HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27405 MEDIUM This Month

Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Wpbookingly
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27424 MEDIUM This Month

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45443 MEDIUM This Month

Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.

Authentication Bypass Pdf For Elementor Forms Drag And Drop Template Builder Elementor
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-0856 HIGH This Week

Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.

Authentication Bypass Meona Client Launcher Component Meona Server Component
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-5200 HIGH This Week

Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6566 MEDIUM This Month

Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44392 MEDIUM This Month

Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.

Authentication Bypass Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced Edition
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-24207 CRITICAL POC Act Now

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Information Disclosure Authentication Bypass RCE Denial Of Service Nvidia
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24206 HIGH This Week

Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.

Information Disclosure Nvidia Denial Of Service Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-15369 MEDIUM This Month

Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.

WordPress Authentication Bypass Elementor
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6072 MEDIUM This Month

Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-6456 HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8610 MEDIUM This Month

Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.

WordPress CSRF Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-43617 MEDIUM PATCH This Month

Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.

Authentication Bypass Rsync
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-39309 MEDIUM This Month

Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.

Node.js Authentication Bypass Apple
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44926 HIGH This Week

Privilege escalation in Veritas InfoScale CmdServer prior to version 7.4.2 allows authenticated remote attackers to bypass access control restrictions and achieve full compromise of confidentiality, integrity, and availability on the targeted host. The flaw is tagged as an authentication bypass by intelligence sources and carries a CVSS 8.8 (High) rating; no public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass N A
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8495 PHP CRITICAL PATCH Act Now

Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.

Authentication Bypass Date Ical
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34358 HIGH PATCH This Week

Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34233 MEDIUM PATCH This Month

CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.

Authentication Bypass Panel
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46415 Go HIGH PATCH GHSA This Week

IP allowlist/blocklist bypass in Caddy Defender versions prior to 0.10.1 lets attackers from blocked IP ranges evade filtering when Caddy sits behind a trusted proxy, CDN, or load balancer. The module evaluated requests against r.RemoteAddr (the proxy's IP) instead of Caddy's resolved client_ip variable, so any source whose true IP should have been blocked could reach protected backends. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-42526 PyPI MEDIUM PATCH This Month

In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.

Apache Authentication Bypass Apache Airflow Amazon Provider
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41470 HIGH POC PATCH This Week

Authorization bypass in LIVE555 RTSP server (versions before 2026.04.22) allows remote unauthenticated attackers to hijack active streaming sessions by replaying valid Session tokens over a separate TCP connection. By issuing PLAY or TEARDOWN commands with a captured token, attackers can crash the server via virtual function call errors or terminate legitimate viewers' streams. Publicly available exploit code exists, and a vendor patch has been released; no public exploit identified as actively exploited in CISA KEV at time of analysis.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-34154 LOW PATCH Monitor

Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.

Authentication Bypass Discourse
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8096 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8605 MEDIUM CISA This Month

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

Authentication Bypass Scadabr
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-8602 HIGH CISA Act Now

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

Authentication Bypass Scadabr
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-45670 npm MEDIUM PATCH GHSA This Month

Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.

Node.js Google Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-45758 PyPI CRITICAL GHSA MAL Act Now

Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5804 HIGH PATCH This Week

Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Phones
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-47100 HIGH PATCH This Week

Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.

WordPress Authentication Bypass
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43634 HIGH POC PATCH This Week

Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.

Authentication Bypass Hestiacp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42097 CRITICAL Act Now

Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.

Authentication Bypass Pro Cloud Server
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42096 HIGH This Week

Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.

Authentication Bypass Pro Cloud Server
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-8971 MEDIUM PATCH This Month

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8969 HIGH PATCH This Week

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8963 HIGH PATCH This Week

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8962 HIGH PATCH This Week

Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.

Mozilla Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8961 MEDIUM PATCH This Month

Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Mozilla Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8960 HIGH PATCH This Week

Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8951 MEDIUM PATCH This Month

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.

Mozilla Google Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8950 CRITICAL PATCH Act Now

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-8948 CRITICAL PATCH Act Now

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Cors Misconfiguration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-7507 Maven HIGH PATCH GHSA This Week

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.

CSRF Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45442 MEDIUM This Month

Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Presto Player
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-37982 Maven MEDIUM PATCH This Month

Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-37979 Maven MEDIUM PATCH This Month

Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-37978 Maven MEDIUM PATCH This Month

Unauthorized PII disclosure in Red Hat Build of Keycloak allows a low-privilege administrator holding only the 'view-clients' role to enumerate user identities and authorization grants across the entire realm by invoking the 'evaluate-scopes' Admin API endpoint with an arbitrary userId parameter. The vulnerability is an Insecure Direct Object Reference (CWE-639) in the Admin API layer, exploitable remotely over the network without requiring additional user interaction. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and clear abuse path make targeted insider or compromised-credential scenarios a realistic concern.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4630 Maven MEDIUM PATCH This Month

Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-45434 CRITICAL PATCH Act Now

Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.

Apache Authentication Bypass RCE Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45187 MEDIUM PATCH This Month

Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31388 MEDIUM PATCH This Month

Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31387 MEDIUM PATCH This Month

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OAuth token scope enforcement is entirely absent at the ACL middleware layer in NocoDB (npm/nocodb ≤ 0.301.3), causing tokens issued with restricted scopes - such as MCP-only - to silently inherit the underlying authenticated user's full role across all routes. The per-base resource restriction (`granted_resources.base_id`) is additionally bypassed on org-level endpoints where `req.context.base_id` is never populated, rendering base-scoped token restrictions meaningless against workspace-level API calls. No public exploit has been identified at time of analysis, and no patched release has been confirmed despite a fix being described in the advisory.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Kubernetes Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Improper cache key generation in SpiceDB's dispatch layer allows authorization bypass when caveat structures use nested lists. Affected versions (v1.15.0 through v1.51.x) generate colliding cache keys due to non-deterministic serialization of nested list structures in caveat contexts, causing the system to erroneously serve a cached positive authorization result in place of a correct negative one. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog, but exploitation is structurally straightforward for any party with the ability to send crafted CheckBulkPermission or LookupResources requests to a misconfigured deployment.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Fission (Kubernetes serverless framework) versions 1.22.0 and earlier allows unauthenticated remote callers reaching the public router (svc/router, port 8888) to invoke any Function object by guessing its metadata.name and namespace via the /fission-function/<ns>/<name> route, completely bypassing HTTPTrigger host, path, method, and method-allow-list restrictions. The flaw also enables function-name enumeration and crosses tenant boundaries in multi-tenant deployments; no public exploit identified at time of analysis, though the fix commits and root-cause analysis are public on GitHub.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated archive CRUD in Fission's storagesvc (≤ v1.22.0) lets any in-cluster workload list, download, replace, or delete function deployment archives across all tenants by hitting the ClusterIP-exposed /v1/archive and /v1/archives endpoints. Because uploaded archives are later fetched and executed by function specialization, the flaw escalates from a tenant data-exposure issue to in-cluster code execution. No public exploit identified at time of analysis, but the trivial HTTP pattern and lack of auth middleware make weaponization straightforward for any attacker with a foothold pod.

Kubernetes Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing capability check in GSheet For Woo Importer (WordPress plugin, all versions through 2.3.1) allows authenticated attackers with Subscriber-level access to invoke the process_ajax_restore_action() AJAX function and permanently delete the plugin's Google Sheets API token and associated configuration options. This disrupts WooCommerce product import workflows dependent on the Google Sheets integration. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Google Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.

PHP Google Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.

PHP Google Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the HAPPY WordPress helpdesk and support ticket plugin (versions through 1.0.10) by VillaTheme permits unauthenticated remote attackers to invoke restricted plugin functionality without any authorization check. The vulnerability stems from missing authorization gates on plugin endpoints, classified under CWE-862, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Happy
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

KVM read-only execution isolation bypass in klever-go allows a low-privileged smart contract actor to commit irreversible contract deletion side effects through the `ExecuteReadOnlyWithTypedArguments` hook, violating the expected non-mutating guarantee of read-only calls. Affected are all deployments of klever-go prior to v1.7.17 where smart contract workflows invoke callees through read-only execution paths. A confirmed proof-of-concept was included with the original disclosure, demonstrating that `DeletedAccounts` in VM output transitions from zero entries to one after a read-only nested call - no public exploit is separately circulating and CISA KEV listing is not confirmed at time of analysis.

Oracle Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data disclosure in PosCube QR Menu (all versions through 21052026) allows remote attackers to access other users' restaurant menu data by manipulating user-controlled identifiers in requests. The flaw is an Insecure Direct Object Reference (IDOR) reachable over the network without authentication, and no public exploit identified at time of analysis. Reported by Turkey's national CERT (TR-CERT), with the vendor unresponsive to disclosure outreach.

Authentication Bypass Qr Menu
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Authentication bypass in Digital Operations Services Inc. WifiBurada (all versions through 21052026) allows authenticated remote attackers to access private personal information and credentials belonging to other users due to insufficient credential protection. The flaw, reported by TR-CERT and tracked as EUVD-2025-209910, carries a CVSS 7.1 score with high confidentiality impact; no public exploit identified at time of analysis and the vendor has not responded to disclosure attempts.

Authentication Bypass Wifiburada
NVD
EPSS 0% CVSS 8.1
PATCH Monitor

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Kubernetes Apache Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Incorrect view selection in PowerDNS Authoritative Server when processing TCP PROXY protocol requests exposes DNS records intended for a different network segment to remote unauthenticated attackers, producing both unauthorized information disclosure and limited integrity impact. Deployments running split-horizon DNS via the Views feature alongside TCP PROXY protocol support are the specific affected population. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the attack concept requires no authentication and no user interaction, making it relevant wherever both features are co-deployed.

Authentication Bypass Authoritative
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the CF7 WOW Styler WordPress plugin (versions through 1.7.6) permits unauthenticated remote attackers to perform restricted administrative actions due to absent capability checks on one or more plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making it trivially reachable on any publicly exposed WordPress site running the affected plugin. Impact is limited to low-integrity writes (C:N/I:L/A:N), but no public exploit or CISA KEV entry has been identified at time of analysis.

Authentication Bypass Cf7 Wow Styler
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authentication bypass in Netatalk 2.2.2 through 4.4.2 allows attackers with high-privileged admin auth user credentials to circumvent authentication controls in this open-source AFP (Apple Filing Protocol) server implementation. The flaw, tracked as EUVD-2026-31234 and tagged as an Authentication Bypass weakness, carries a CVSS 7.2 (High) score and is fixed in version 4.5.0; no public exploit identified at time of analysis.

Authentication Bypass Suse
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Mattermost Playbooks (versions 11.5.0-11.5.1) allows any authenticated team member to create playbook runs in teams where they hold no run_create permission, by supplying an arbitrary team ID in the run creation API request. The server validates permissions only against the user's originating context rather than the target team specified in the payload, a classic authorization bypass rooted in CWE-863. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the low attack complexity makes this trivially exploitable by any authenticated insider or compromised account.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.

Authentication Bypass Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Broadstreet WordPress plugin (all versions through 1.52.2) allows any authenticated user with Subscriber-level access to read arbitrary private post metadata by supplying a user-controlled key to the get_sponsored_meta AJAX endpoint without server-side authorization checks. The vulnerability stems from a missing object-level authorization check (CWE-639), a common class of flaw in WordPress plugin AJAX handlers. No public exploit code or active exploitation has been identified at time of analysis, and a patched version (1.53.2) is available via the WordPress plugin repository.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL HOSTED Monitor

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.

Authentication Bypass Hashicorp
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Authentication bypass in authentik identity provider allows attackers with an account on a federated SAML Source to impersonate arbitrary users by injecting an XML comment into the NameID value of a signed SAML assertion. Affected versions are 2025.12.4 and prior, plus 2026.2.0-rc1 through 2026.2.2; the GitHub Security Advisory GHSA-9wj8-xv4r-qwrp confirms the issue with a CVSS 8.7 (High) score, and no public exploit is identified at time of analysis though the upstream commit and a regression test demonstrate the truncation behavior.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded web configuration interface without any login, granting full administrative read and write access over alarm routing and device settings. The CVSS 4.0 score of 9.3 reflects unauthenticated network exploitation with high impact on confidentiality, integrity, and availability, and a public technical write-up exists on Medium alongside a VulnCheck advisory, though no public exploit identified at time of analysis.

Authentication Bypass Ag1000 01A Sms Alert Gateway
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.

Authentication Bypass Ag1000 01A Sms Alert Gateway
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.

Google Authentication Bypass Suse +2
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Trilium Notes Desktop (Electron build) versions 0.102.1 and earlier allows remote unauthenticated attackers on the same network to access the Clipper API and read or manipulate notes without any credentials. The Electron runtime detection explicitly disables auth middleware on endpoints like /api/clipper/notes and the handshake endpoint, which fingerprints the application - no public exploit identified at time of analysis, but the vendor advisory GHSA-jcvx-vc83-cppw confirms the issue and the fix shipped in 0.102.2.

CSRF Authentication Bypass Trilium
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated XAR import in XWiki Platform allows remote attackers to create or modify arbitrary documents in a target wiki via the POST /wikis/{wikiName} REST endpoint, which was missing authorization checks. Affects all releases prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. CVSS 4.0 base score is 9.3 (critical) with no public exploit identified at time of analysis, but the patch commit clearly exposes the trivial nature of the bypass.

Authentication Bypass Xwiki Platform
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.

Microsoft Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Misp
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authentication on an undocumented administrative endpoint in ArcGIS Server 11.1 through 12.0 allows unauthenticated remote attackers to disrupt the web-based browsing interface by sending a crafted HTTP request. The vulnerability is classified as CWE-287 and carries a CVSS 5.3 medium score, reflecting network-reachable, zero-privilege exploitation offset by limited impact (integrity only, no confidentiality or availability loss). No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Arcgis Server
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthorized data disclosure in Splunk AI Toolkit versions below 5.7.3 allows authenticated low-privileged users to bypass srchFilter-based access controls and read confidential data scoped to more restricted custom roles. The flaw stems from the Splunk platform's behavior of combining inherited search filters via the OR SPL operator, causing the permissive filter injected by the AI Toolkit's authorize.conf to override stricter filters on child roles. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the CVSS confidentiality impact is rated High, making this a meaningful data exposure risk in multi-tenant or compliance-sensitive Splunk deployments.

Authentication Bypass Splunk
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstream Identity Provider to hijack a victim's local account through the cross-session account-linking flow. The cross-session verification proof is keyed only by the tuple of local userId and idpAlias without binding to the specific upstream identity that was actually verified, so the proof can be replayed against a different upstream account on the same IdP. EPSS is currently 0.03% (8th percentile) and no public exploit identified at time of analysis, but technical impact is rated total by CISA SSVC.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.

Authentication Bypass Cisco Cisco Secure Workload
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.

Authentication Bypass Misp
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Wpbookingly
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.

Authentication Bypass Pdf For Elementor Forms Drag And Drop Template Builder Elementor
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.

Authentication Bypass Meona Client Launcher Component Meona Server Component
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.

Authentication Bypass Movable Type Movable Type Advanced +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Information Disclosure Authentication Bypass RCE +2
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.

Information Disclosure Nvidia Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.

WordPress Authentication Bypass Elementor
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.

WordPress CSRF Authentication Bypass
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.

Authentication Bypass Rsync
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.

Node.js Authentication Bypass Apple
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Veritas InfoScale CmdServer prior to version 7.4.2 allows authenticated remote attackers to bypass access control restrictions and achieve full compromise of confidentiality, integrity, and availability on the targeted host. The flaw is tagged as an authentication bypass by intelligence sources and carries a CVSS 8.8 (High) rating; no public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass N A
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.

Authentication Bypass Date Ical
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.

Authentication Bypass Panel
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

IP allowlist/blocklist bypass in Caddy Defender versions prior to 0.10.1 lets attackers from blocked IP ranges evade filtering when Caddy sits behind a trusted proxy, CDN, or load balancer. The module evaluated requests against r.RemoteAddr (the proxy's IP) instead of Caddy's resolved client_ip variable, so any source whose true IP should have been blocked could reach protected backends. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.

Apache Authentication Bypass Apache Airflow Amazon Provider
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Authorization bypass in LIVE555 RTSP server (versions before 2026.04.22) allows remote unauthenticated attackers to hijack active streaming sessions by replaying valid Session tokens over a separate TCP connection. By issuing PLAY or TEARDOWN commands with a captured token, attackers can crash the server via virtual function call errors or terminate legitimate viewers' streams. Publicly available exploit code exists, and a vendor patch has been released; no public exploit identified as actively exploited in CISA KEV at time of analysis.

Authentication Bypass Suse
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

Authentication Bypass Scadabr
NVD
EPSS 0% CVSS 8.8
HIGH Act Now

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

Authentication Bypass Scadabr
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.

Node.js Google Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Phones
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.

Authentication Bypass Hestiacp
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.

Authentication Bypass Pro Cloud Server
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.

Authentication Bypass Pro Cloud Server
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.

Mozilla Authentication Bypass Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Mozilla Authentication Bypass Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.

Mozilla Google Authentication Bypass +2
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Authentication Bypass Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Cors Misconfiguration
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.

CSRF Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Presto Player
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Unauthorized PII disclosure in Red Hat Build of Keycloak allows a low-privilege administrator holding only the 'view-clients' role to enumerate user identities and authorization grants across the entire realm by invoking the 'evaluate-scopes' Admin API endpoint with an arbitrary userId parameter. The vulnerability is an Insecure Direct Object Reference (CWE-639) in the Admin API layer, exploitable remotely over the network without requiring additional user interaction. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and clear abuse path make targeted insider or compromised-credential scenarios a realistic concern.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.

Apache Authentication Bypass RCE +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
Prev Page 35 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy