Authentication Bypass
Monthly
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Broken access control on the /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the full content of messages from rooms they have no membership in - including private groups, direct messages, and channels - by supplying only a valid message ID. The vulnerability stems from the complete absence of a room-level authorization check (canAccessRoomIdAsync is never invoked) before the message fetch via Messages.findOneById(). No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) means successful exploitation exposes sensitive private communications organization-wide.
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. Publicly available exploit code exists, though EPSS rates exploitation probability at only 0.06% (17th percentile), consistent with a low-deployment open-source project rather than mass exploitation.
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user to take over another user's session via an IDOR flaw in the PATCH /sessions/{session_id}/assign-user endpoint. An attacker who can guess or otherwise learn a target session_id can reassign that session to themselves, read its conversation contents, and lock the legitimate owner out. No public exploit identified at time of analysis, and the issue is fixed in 0.6.51 per the upstream GHSA-q58p-v9r9-7gqj advisory.
Broken access control in HCL Connections exposes an integrity risk where an authenticated low-privileged user can update data outside their intended authorization scope under specific conditions. The CVSS vector (AV:N/AC:L/PR:L/UI:R) confirms the attack is network-reachable, requires only low-privilege credentials, and involves some form of user interaction. No public exploit code has been identified and HCL Connections is not listed in the CISA KEV catalog, placing this in a moderate-priority remediation tier for most organizations, though environments where data integrity in Connections is business-critical should treat it with elevated urgency.
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.
Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.
Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.
Row action trigger endpoint in Budibase allows authenticated low-privilege users to execute automations on rows outside their authorized view scope, bypassing a documented security boundary. Any user holding BASIC-role READ access to a filtered view can supply an arbitrary `rowId` to `POST /api/tables/:sourceId/actions/:actionId/trigger` and invoke automations against rows explicitly excluded by the view's filters. Publicly available exploit code (curl PoC) is included in the GHSA advisory; this vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation has been identified at time of analysis.
Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.
Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.
Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from CWE-288 authentication logic flaw where the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when received over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1 released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters of arbitrary uploaded files across all tenants and workspaces by submitting the file's UUID to the /console/api/files/{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.
Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.
Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.
Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.
Authenticated users in Mattermost Plugins can disrupt Gitlab integration by uninstalling instances or modifying webhook connections without proper authorization. The CWE-862 authorization flaw in versions <=11.5, 11.1.5, 10.13.11, and 11.3.4.0 allows users with low-level privileges (PR:L) to execute administrative commands via `/gitlab instance {option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.
Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.
Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.
Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.
Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
Authorization bypass in Tencent WeKnora's Config API endpoint allows authenticated attackers to access unauthorized knowledge bases by manipulating the kbId parameter in getKnowledgeBaseForInitialization function. Affects all versions up to 0.3.6. Publicly available exploit code exists via GitHub Gist, enabling low-complexity attacks with network access. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability. EPSS data not available, but public POC increases exploitation likelihood. Vendor unresponsive to disclosure, indicating no official patch timeline.
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper access controls in H2O-3's Rapids setproperty primitive allow remote unauthenticated attackers to modify system properties via the AstSetProperty.java exec function. The vulnerability permits low-impact integrity violations through manipulation of configuration settings accessible via the Rapids API. Public exploit code is available (VulDB 364379), increasing exploitation risk, though no active exploitation confirmed by CISA KEV at time of analysis. EPSS data not provided. Vendor unresponsive to disclosure attempts.
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.
Authentication bypass in Sanluan PublicCMS 5.202506.d allows remote unauthenticated attackers to access arbitrary user trade address data via manipulation of userId/id parameters in the TradeAddressListDirective component. Public exploit code exists (CVSS E:P), enabling unauthorized disclosure of confidential address information including names, phone numbers, and shipping details. EPSS data unavailable; not listed in CISA KEV. Vendor non-responsive to disclosure.
FIT image signature verification bypass in Das U-Boot before 2026.04 lets an attacker who can supply a Flat Image Tree get tampered boot components accepted as authentic, defeating verified/secure boot. Because the 'hashed-nodes' list is omitted from the computed hash, an attacker can alter which nodes are actually covered by the signature and load unsigned or modified kernels/images. There is no public exploit identified at time of analysis and EPSS is 0.00%, but SSVC rates technical impact as total, reflecting a full compromise of the chain of trust.
iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.
Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The checkout endpoint fails to verify cart ownership when processing a user-supplied cart_id parameter, enabling attackers to access and potentially complete purchases using another user's cart contents. This vulnerability has been patched in version 1.0.8.3.
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.
{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.
Authenticated users without administrative privileges can delete FAQ tags via phpMyFAQ's DELETE /admin/api/content/tags/{tagId} endpoint. The vulnerability affects versions before 4.1.2 and stems from missing authorization checks that allow any logged-in user, including regular frontend users, to permanently delete arbitrary tags using only a valid session cookie. While CVSS rates this 5.4 (Medium), the permanent data loss and FAQ organization disruption represent material operational impact. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists per VulnCheck advisory and GitHub security advisory GHSA-7cx3-2qx2-3g6w, lowering exploitation barriers for authenticated attackers.
Authorization bypass in phpMyFAQ versions prior to 4.1.2 allows any authenticated administrative user to access all permission-protected admin pages, regardless of their assigned privileges. The flaw resides in AbstractAdministrationController::userHasPermission() which sends a forbidden response but fails to terminate execution, leaking admin logs, user data, system information, and configuration. Publicly available exploit details exist via the GHSA advisory, though EPSS exploitation probability remains very low at 0.04%.
Authorization bypass in phpMyFAQ versions before 4.1.2 allows authenticated frontend users to access admin-only API endpoints and retrieve sensitive backend configuration data. The vulnerability stems from admin-api routes checking only login status (isLoggedIn) without verifying administrative privileges, enabling any valid user account to query dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data. While this is an information disclosure issue rather than direct write access, it exposes internal infrastructure details useful for reconnaissance. The low CVSS score (4.3) reflects limited confidentiality impact, but defenders should prioritize remediation in environments where backend configuration exposure aids broader attack campaigns. Vendor patch available in version 4.1.2.
Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).
Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Authenticated users in Sharp (a Laravel admin framework) can bypass authorization to download arbitrary files from any configured Laravel Storage disk through the generic download endpoint. The vulnerability allows authenticated users with view access to any single Sharp entity to download unrelated files including backups, invoices, internal documents, and tenant-specific data by manipulating the disk and path parameters. Sharp v9.22.0 fixes this by implementing signed URLs that prevent parameter tampering.
Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.
Rate limiter bypass in better-auth versions < 1.4.17 allows attackers to defeat authentication attempt limits by rotating through IPv6 addresses within their allocated /64 prefix or using different textual representations of the same address. The vulnerability affects authentication endpoints including sign-in, sign-up, and password reset when serving IPv6 clients, which includes most cloud providers by default. No public exploit identified at time of analysis.
Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.
Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.
Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.
Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.
Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.
Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.
Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability
Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.
Improper access control between JTAG and AXI interfaces in AMD Ryzen 7040, 8000, 8040 mobile, and Embedded 8000 series processors allows attackers with physical access to read or modify cross-chip debug (XCD) registers, potentially compromising data integrity and confidentiality. The vulnerability requires physical proximity and specialized hardware capability but can bypass authentication mechanisms protecting debug interfaces. No public exploit code or active exploitation has been identified at the time of analysis.
Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.
Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.
Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.
Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.
Open WebUI versions prior to 0.8.11 allow authenticated users to access notes belonging to other users via Indirect Object Reference (IDOR) in the /api/v1/notes/{note_id} endpoint, enabling unauthorized disclosure of potentially sensitive private data. The vulnerability is exploitable both when the notes feature is enabled in the UI and when disabled but re-enabled via /api/config endpoint manipulation, requiring only valid user authentication and UUID enumeration or guessing.
Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.
Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).
Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.
Open WebUI versions 0.9.4 and earlier allow read-only users to pin and unpin messages in standard channels due to insufficient permission checks in the pin_channel_message API endpoint. The endpoint verifies only read access when it should enforce write access, enabling authenticated users with read-only permission to modify message pin status (is_pinned, pinned_by, pinned_at fields) without authorization. This permission bypass undermines channel information hierarchy and access control models. Vendor-released patch: version 0.9.5.
Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.
Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.
Low-privileged authenticated users in Open WebUI <=0.8.5 can invoke admin-restricted external tools (MCP servers, GitHub integrations, etc.) via the chat completion API by supplying arbitrary tool_ids or tool_servers parameters. Exploited tools execute with server-stored credentials, enabling unauthorized data access or actions through third-party integrations. Publicly available exploit code exists (PoC in GitHub advisory GHSA-4pcg-253r-rf9w). EPSS data not provided; CVSS 7.1 indicates network-accessible authenticated exploitation with high confidentiality impact. Vendor-released patches: v0.7.0 (partial, local tools) and v0.8.6 (complete fix for MCP servers). Users on >=0.8.6 are not affected.
Broken access control in Open WebUI's `/api/chat/completions` endpoint allows any authenticated user to read and continue other users' private conversations by supplying a known Chat ID. The API fails to verify chat ownership before granting access, exposing sensitive conversation data across multi-user deployments with shared AI models. Fixed in v0.9.0 via commit cf4218e68, which enforces ownership validation through `Chats.is_chat_owner()` checks. Exploitation requires low-privilege authentication (PR:L) and network access (AV:N), but no user interaction (UI:N) or special configuration-any default multi-user instance with shared pipelines is vulnerable. CVSS 7.1 (High) reflects network-accessible confidentiality breach (C:H) with limited integrity impact (I:L). No public exploit identified at time of analysis, but proof-of-concept published in GitHub advisory GHSA-gfm2-xm6c-37qc demonstrates trivial exploitation via legitimate API key usage.
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Broken access control on the /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the full content of messages from rooms they have no membership in - including private groups, direct messages, and channels - by supplying only a valid message ID. The vulnerability stems from the complete absence of a room-level authorization check (canAccessRoomIdAsync is never invoked) before the message fetch via Messages.findOneById(). No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) means successful exploitation exposes sensitive private communications organization-wide.
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. Publicly available exploit code exists, though EPSS rates exploitation probability at only 0.06% (17th percentile), consistent with a low-deployment open-source project rather than mass exploitation.
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user to take over another user's session via an IDOR flaw in the PATCH /sessions/{session_id}/assign-user endpoint. An attacker who can guess or otherwise learn a target session_id can reassign that session to themselves, read its conversation contents, and lock the legitimate owner out. No public exploit identified at time of analysis, and the issue is fixed in 0.6.51 per the upstream GHSA-q58p-v9r9-7gqj advisory.
Broken access control in HCL Connections exposes an integrity risk where an authenticated low-privileged user can update data outside their intended authorization scope under specific conditions. The CVSS vector (AV:N/AC:L/PR:L/UI:R) confirms the attack is network-reachable, requires only low-privilege credentials, and involves some form of user interaction. No public exploit code has been identified and HCL Connections is not listed in the CISA KEV catalog, placing this in a moderate-priority remediation tier for most organizations, though environments where data integrity in Connections is business-critical should treat it with elevated urgency.
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.
Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.
Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.
Row action trigger endpoint in Budibase allows authenticated low-privilege users to execute automations on rows outside their authorized view scope, bypassing a documented security boundary. Any user holding BASIC-role READ access to a filtered view can supply an arbitrary `rowId` to `POST /api/tables/:sourceId/actions/:actionId/trigger` and invoke automations against rows explicitly excluded by the view's filters. Publicly available exploit code (curl PoC) is included in the GHSA advisory; this vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation has been identified at time of analysis.
Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.
Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.
Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from CWE-288 authentication logic flaw where the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when received over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1 released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters of arbitrary uploaded files across all tenants and workspaces by submitting the file's UUID to the /console/api/files/{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.
Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.
Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.
Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.
Authenticated users in Mattermost Plugins can disrupt Gitlab integration by uninstalling instances or modifying webhook connections without proper authorization. The CWE-862 authorization flaw in versions <=11.5, 11.1.5, 10.13.11, and 11.3.4.0 allows users with low-level privileges (PR:L) to execute administrative commands via `/gitlab instance {option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.
Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.
Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.
Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.
Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
Authorization bypass in Tencent WeKnora's Config API endpoint allows authenticated attackers to access unauthorized knowledge bases by manipulating the kbId parameter in getKnowledgeBaseForInitialization function. Affects all versions up to 0.3.6. Publicly available exploit code exists via GitHub Gist, enabling low-complexity attacks with network access. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability. EPSS data not available, but public POC increases exploitation likelihood. Vendor unresponsive to disclosure, indicating no official patch timeline.
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper access controls in H2O-3's Rapids setproperty primitive allow remote unauthenticated attackers to modify system properties via the AstSetProperty.java exec function. The vulnerability permits low-impact integrity violations through manipulation of configuration settings accessible via the Rapids API. Public exploit code is available (VulDB 364379), increasing exploitation risk, though no active exploitation confirmed by CISA KEV at time of analysis. EPSS data not provided. Vendor unresponsive to disclosure attempts.
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.
Authentication bypass in Sanluan PublicCMS 5.202506.d allows remote unauthenticated attackers to access arbitrary user trade address data via manipulation of userId/id parameters in the TradeAddressListDirective component. Public exploit code exists (CVSS E:P), enabling unauthorized disclosure of confidential address information including names, phone numbers, and shipping details. EPSS data unavailable; not listed in CISA KEV. Vendor non-responsive to disclosure.
FIT image signature verification bypass in Das U-Boot before 2026.04 lets an attacker who can supply a Flat Image Tree get tampered boot components accepted as authentic, defeating verified/secure boot. Because the 'hashed-nodes' list is omitted from the computed hash, an attacker can alter which nodes are actually covered by the signature and load unsigned or modified kernels/images. There is no public exploit identified at time of analysis and EPSS is 0.00%, but SSVC rates technical impact as total, reflecting a full compromise of the chain of trust.
iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.
Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The checkout endpoint fails to verify cart ownership when processing a user-supplied cart_id parameter, enabling attackers to access and potentially complete purchases using another user's cart contents. This vulnerability has been patched in version 1.0.8.3.
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.
{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.
Authenticated users without administrative privileges can delete FAQ tags via phpMyFAQ's DELETE /admin/api/content/tags/{tagId} endpoint. The vulnerability affects versions before 4.1.2 and stems from missing authorization checks that allow any logged-in user, including regular frontend users, to permanently delete arbitrary tags using only a valid session cookie. While CVSS rates this 5.4 (Medium), the permanent data loss and FAQ organization disruption represent material operational impact. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists per VulnCheck advisory and GitHub security advisory GHSA-7cx3-2qx2-3g6w, lowering exploitation barriers for authenticated attackers.
Authorization bypass in phpMyFAQ versions prior to 4.1.2 allows any authenticated administrative user to access all permission-protected admin pages, regardless of their assigned privileges. The flaw resides in AbstractAdministrationController::userHasPermission() which sends a forbidden response but fails to terminate execution, leaking admin logs, user data, system information, and configuration. Publicly available exploit details exist via the GHSA advisory, though EPSS exploitation probability remains very low at 0.04%.
Authorization bypass in phpMyFAQ versions before 4.1.2 allows authenticated frontend users to access admin-only API endpoints and retrieve sensitive backend configuration data. The vulnerability stems from admin-api routes checking only login status (isLoggedIn) without verifying administrative privileges, enabling any valid user account to query dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data. While this is an information disclosure issue rather than direct write access, it exposes internal infrastructure details useful for reconnaissance. The low CVSS score (4.3) reflects limited confidentiality impact, but defenders should prioritize remediation in environments where backend configuration exposure aids broader attack campaigns. Vendor patch available in version 4.1.2.
Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).
Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Authenticated users in Sharp (a Laravel admin framework) can bypass authorization to download arbitrary files from any configured Laravel Storage disk through the generic download endpoint. The vulnerability allows authenticated users with view access to any single Sharp entity to download unrelated files including backups, invoices, internal documents, and tenant-specific data by manipulating the disk and path parameters. Sharp v9.22.0 fixes this by implementing signed URLs that prevent parameter tampering.
Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.
Rate limiter bypass in better-auth versions < 1.4.17 allows attackers to defeat authentication attempt limits by rotating through IPv6 addresses within their allocated /64 prefix or using different textual representations of the same address. The vulnerability affects authentication endpoints including sign-in, sign-up, and password reset when serving IPv6 clients, which includes most cloud providers by default. No public exploit identified at time of analysis.
Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.
Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.
Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.
Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.
Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.
Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.
Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability
Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.
Improper access control between JTAG and AXI interfaces in AMD Ryzen 7040, 8000, 8040 mobile, and Embedded 8000 series processors allows attackers with physical access to read or modify cross-chip debug (XCD) registers, potentially compromising data integrity and confidentiality. The vulnerability requires physical proximity and specialized hardware capability but can bypass authentication mechanisms protecting debug interfaces. No public exploit code or active exploitation has been identified at the time of analysis.
Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.
Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.
Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.
Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.
Open WebUI versions prior to 0.8.11 allow authenticated users to access notes belonging to other users via Indirect Object Reference (IDOR) in the /api/v1/notes/{note_id} endpoint, enabling unauthorized disclosure of potentially sensitive private data. The vulnerability is exploitable both when the notes feature is enabled in the UI and when disabled but re-enabled via /api/config endpoint manipulation, requiring only valid user authentication and UUID enumeration or guessing.
Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.
Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).
Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.
Open WebUI versions 0.9.4 and earlier allow read-only users to pin and unpin messages in standard channels due to insufficient permission checks in the pin_channel_message API endpoint. The endpoint verifies only read access when it should enforce write access, enabling authenticated users with read-only permission to modify message pin status (is_pinned, pinned_by, pinned_at fields) without authorization. This permission bypass undermines channel information hierarchy and access control models. Vendor-released patch: version 0.9.5.
Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.
Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.
Low-privileged authenticated users in Open WebUI <=0.8.5 can invoke admin-restricted external tools (MCP servers, GitHub integrations, etc.) via the chat completion API by supplying arbitrary tool_ids or tool_servers parameters. Exploited tools execute with server-stored credentials, enabling unauthorized data access or actions through third-party integrations. Publicly available exploit code exists (PoC in GitHub advisory GHSA-4pcg-253r-rf9w). EPSS data not provided; CVSS 7.1 indicates network-accessible authenticated exploitation with high confidentiality impact. Vendor-released patches: v0.7.0 (partial, local tools) and v0.8.6 (complete fix for MCP servers). Users on >=0.8.6 are not affected.
Broken access control in Open WebUI's `/api/chat/completions` endpoint allows any authenticated user to read and continue other users' private conversations by supplying a known Chat ID. The API fails to verify chat ownership before granting access, exposing sensitive conversation data across multi-user deployments with shared AI models. Fixed in v0.9.0 via commit cf4218e68, which enforces ownership validation through `Chats.is_chat_owner()` checks. Exploitation requires low-privilege authentication (PR:L) and network access (AV:N), but no user interaction (UI:N) or special configuration-any default multi-user instance with shared pipelines is vulnerable. CVSS 7.1 (High) reflects network-accessible confidentiality breach (C:H) with limited integrity impact (I:L). No public exploit identified at time of analysis, but proof-of-concept published in GitHub advisory GHSA-gfm2-xm6c-37qc demonstrates trivial exploitation via legitimate API key usage.