Skip to main content

Authentication Bypass

31164 CVEs technique

Monthly

CVE-2026-15087 PHP MEDIUM This Month

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

Clean Restful Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-15089 PHP CRITICAL Act Now

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.

Authentication Bypass Commerce Guest Registration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58590 PHP MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-58589 PHP MEDIUM PATCH This Month

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-13241 PHP MEDIUM PATCH This Month

Missing authorization in the Drupal Paragraphs contributed module (all versions through 1.20.x) enables unauthenticated remote attackers to perform forceful browsing - directly accessing paragraph entity URLs or endpoints without passing any authorization check. The CVSS vector (PR:N/AC:L/AV:N) confirms exploitation requires no credentials against default-configured Drupal sites running the affected module. Despite an automatable attack surface, SSVC rates exploitation as none, EPSS sits at 0.13% (3rd percentile), and no active exploitation is confirmed; a vendor patch is available via Drupal SA-contrib-2026-061.

Authentication Bypass Paragraphs
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13240 PHP MEDIUM PATCH This Month

Forceful Browsing via missing authorization (CWE-862) in the Drupal Paragraphs contributed module allows remote unauthenticated users to access paragraph entities they are not authorized to view or modify, bypassing the CMS access control layer entirely. All Paragraphs releases from 0.0.0 up to but not including 1.21.0 are affected, per vendor advisory SA-CONTRIB-2026-060. Despite being automatable per SSVC analysis and network-exploitable with no privileges required, real-world exploitation risk is low: EPSS sits at 0.13% (3rd percentile), no public exploit code has been identified, and CISA has not added this to KEV.

Authentication Bypass Paragraphs
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13239 PHP MEDIUM PATCH This Month

Missing authorization controls in Drupal WissKI versions prior to 4.2.0 enable unauthenticated remote attackers to perform forceful browsing - directly accessing restricted resources by guessing or enumerating URLs without undergoing proper authorization checks. The affected versions span the entire release history from 0.0.0 through 4.2.0, making all prior deployments vulnerable. SSVC assessment confirms no active exploitation at time of analysis, and the EPSS score of 0.13% (3rd percentile) suggests very low real-world exploitation probability despite the automatable nature of the attack.

Authentication Bypass Wisski
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13238 PHP MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. No public exploit code has been identified and SSVC confirms no active exploitation at time of analysis, though the nature of a payment gateway module means successful access could expose order or transaction data.

Authentication Bypass Commerce Realex Global Payments
NVD VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-13237 PHP MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.

Authentication Bypass Ai Agents
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-13236 PHP MEDIUM PATCH This Month

Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.

Authentication Bypass Ai Agents
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-13235 PHP LOW PATCH Monitor

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.

Authentication Bypass Ai Artificial Intelligence
NVD VulDB
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-13232 PHP LOW PATCH Monitor

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.

Authentication Bypass Advanced Content Feedback Aka Admin Feedback
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-11909 PHP LOW PATCH Monitor

Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. A vendor patch is available at version 4.0.6.

Authentication Bypass Examples For Developers
NVD
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-10768 PHP CRITICAL PATCH Act Now

Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. Affected sites are Drupal deployments running this LocalGov Drupal editorial-workflow module.

Authentication Bypass Localgov Workflows
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-52761 MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-49394 HIGH PATCH This Week

Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. No public exploit has been identified, EPSS/KEV data were not provided, and the fix is shipped in Frappe 16.19.0.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-48127 MEDIUM PATCH This Month

Unauthorized file attachment in Frappe, a Python/JavaScript full-stack web framework, allows any authenticated low-privilege user to attach files to arbitrary doctypes through file-handling API endpoints such as add_attachments, bypassing per-document write permission enforcement. Affected are all Frappe v15 releases prior to 15.110.0 and all v16 releases prior to 16.20.0. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make exploitation straightforward for any valid account holder on a multi-tenant instance.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-47422 MEDIUM PATCH This Month

Missing authorization on the reportview endpoint in Frappe framework permits authenticated low-privileged users to access or manipulate report data beyond their permitted scope. Versions prior to 15.107.5 (v15 branch) and 16.18.2 (v16 branch) are affected, confirmed via GitHub Security Advisory GHSA-w8g7-j846-j248. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 PR:L metric confirms exploitation is bounded by requiring a valid authenticated session.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57574 HIGH PATCH This Week

Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.

Authentication Bypass Misskey
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-7639 HIGH This Week

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unprivileged user trigger a use-after-free by issuing an improper sequence of GPU system calls. By forcing a failure path in the MMU mapping logic, an attacker leaves internal driver state incompletely cleaned up, enabling unauthorized read/write access to physical memory from shader code. There is no public exploit identified at time of analysis and EPSS is low (0.15%), but the flaw carries high confidentiality, integrity, and availability impact for local attackers.

Authentication Bypass Denial Of Service Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-55881 HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-55880 HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57807 CRITICAL Act Now

Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.

Authentication Bypass Oauth Single Sign On Sso Oauth Client
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12761 CRITICAL Act Now

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.

Authentication Bypass WordPress Google Miniorange Social Login And Register Discord Google Twitter Linkedin
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-13039 MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57217 HIGH PATCH This Week

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or bind on topics they should be denied, but only during metadata-store failure windows. When the Khepri metadata store returns a lookup error, the topic-permission result collapses to 'undefined', which the internal authorization backend fails open and treats as 'allow'. There is no public exploit identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 7.0.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-57221 MEDIUM PATCH This Month

Authenticated RabbitMQ users can bypass authorization controls on passive AMQP 0-9-1 declare operations, exposing internal broker topology metadata across all affected release branches (3.13.x, 4.0.x, 4.1.x, 4.2.x). The missing authorization check on passive queue.declare and exchange.declare allows any user with vhost connectivity to enumerate queue and exchange names and read live message and consumer counts without requiring elevated permissions. No public exploit code has been identified and the vulnerability is not in CISA KEV; however, the low exploitation complexity, authentication-only prerequisite, and broad affected version range meaningfully elevate real-world exposure risk in multi-tenant or shared-credential deployments.

Authentication Bypass Microsoft Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57215 HIGH PATCH This Week

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated client to create foreign bindings against another connection's volatile amq.rabbitmq.reply-to (direct reply-to) destination, so persistent route entries survive after unbind and can leak RPC reply traffic intended for other clients. The flaw stems from Khepri-backed deletion checks that omit these volatile pseudo-queues, letting stale routes persist. No public exploit identified at time of analysis; exploitation requires valid credentials and has high attack complexity per the vendor CVSS 4.0 vector.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-57218 MEDIUM PATCH This Month

RabbitMQ Server prior to 4.2.6 fails to cancel or reauthorize existing AMQP 0-9-1 consumers when an OAuth token expires or when connection.update_secret reduces token scopes, allowing an authenticated consumer to continue receiving messages it is no longer authorized to access. The broker evaluates authorization only at consumer registration time, not at message delivery time, creating a persistent authorization bypass window for as long as the connection remains open. No public exploit exists at time of analysis, but the CVSS 4.0 vector assigns high subsequent-system confidentiality impact (SC:H), reflecting meaningful data-access risk in OAuth-governed or multi-tenant deployments.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-57216 CRITICAL PATCH Act Now

Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restricted account such as the default guest user authenticate from a remote network when the broker sits behind a trusted PROXY-protocol path and the backend listener is loopback-bound. Because the loopback check evaluates the listener-side socket address (which appears as 127.0.0.1 to the local proxy) instead of the real client source carried in the PROXY header, the 'local only' restriction on guest is silently defeated across AMQP 0-9-1, AMQP 1.0, and the Stream Protocol. SSVC records a proof-of-concept; there is no CISA KEV listing and EPSS is low (0.34%, 26th percentile), indicating the flaw is potent but not yet mass-exploited.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-57850 HIGH PATCH This Week

Privilege escalation within RustDesk before 1.4.9 lets an authenticated peer that was granted only a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) send control messages and login options reserved for a full Remote session, because the server never re-validates a session's authorized scope. The result is that a peer given, for example, file-transfer-only access can observe and control the host's screen and input as if it held full remote-control rights. No public exploit has been identified at time of analysis, though the fixing pull request and commit are public, and no EPSS or CISA KEV data was supplied.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-55515 MEDIUM PATCH This Month

Cross-tenant authorization bypass in Snipe-IT prior to v8.6.2 allows an authenticated user with only `reports.view` permission in one company to delete pending checkout acceptance records belonging to any other company by supplying arbitrary global IDs to the unaccepted-assets report delete endpoint. The root cause is a classic IDOR (CWE-639): the endpoint validates role but not company-scope ownership. No public exploit has been identified and this CVE is absent from the CISA KEV catalog, but multi-tenant deployments relying on organizational data isolation are directly impacted.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-55479 MEDIUM PATCH This Month

Broken authorization in Snipe-IT's legacy single-seat license checkin endpoint allows authenticated users with only checkout (assign) rights to invoke the checkin (unassign) action, bypassing the intended permission boundary. Versions prior to 8.6.2 are affected; this is fixed in v8.6.2. No public exploit has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the low-complexity, network-accessible nature of the bypass makes it straightforward to exploit for any authenticated user with checkout-level access.

Authentication Bypass Snipe It
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55475 MEDIUM PATCH This Month

Unauthorized modification of import ownership metadata in Snipe-IT prior to version 8.6.1 allows an authenticated user with CSV import capabilities to overwrite the created_by field on import records via the Importer API endpoint. The flaw stems from insufficient authorization enforcement (CWE-863) on the created_by parameter during CSV import operations, enabling a low-privileged API user to falsify asset audit trails and attribution records. No public exploit code has been identified and this vulnerability is absent from CISA KEV; a vendor-released patch is available in v8.6.1.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-55462 MEDIUM PATCH This Month

Incorrect authorization in Snipe-IT's UsersController before version 8.6.2 allows any authenticated user holding only the users.view permission to access restricted inventory and procurement metadata - including assigned licenses, accessories, consumables, and associated cost and order data - from modules their direct permissions would otherwise deny. The flaw exists in both the show() and printInventory() controller methods, which enforce authorization only for the user-viewing scope before eagerly loading and rendering related asset relationships without further permission checks. No public exploit exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and common assignment of users.view to helpdesk staff makes this a realistic insider access-control bypass in enterprise deployments.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-55377 HIGH PATCH This Week

Authentication step-up bypass in Logto self-hosted auth infrastructure prior to 1.41.0 lets an already-authenticated user manage MFA factors without re-proving their identity. The Account Center accepted any of the user's own verified records - including a self-created WebAuthn passkey-registration record - as proof of identity verification, so an attacker holding only a valid Account API bearer token could forge the logto-verification-id header and satisfy step-up checks. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is fixed in 1.41.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54136 Cargo MEDIUM PATCH GHSA This Month

{workspace}/scripts/list_search` handler validates the token's domain and action (`scripts:read`) at the route level but omits per-row filtering against the token's resource/path segment (e.g., `scripts:read:f/allowed/*`), causing the underlying SQL query to return all non-archived workspace scripts regardless of path restrictions. Affects all Windmill deployments up to version 1.714.1; no public exploit or CISA KEV listing at time of analysis, but full reproduction steps are published in the GitHub security advisory.

Authentication Bypass
NVD GitHub
CVE-2026-55460 HIGH PATCH This Week

Broken authorization in Snipe-IT before 8.6.2 lets an authenticated non-admin user who holds users.view and users.edit - but explicitly not users.delete - soft-delete other non-admin user accounts by POSTing delete_user=1 to /users/bulksave. The root cause is that BulkUsersController::destroy() checks only the 'update' authorization, so the delete permission gate is never enforced. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-55472 MEDIUM PATCH This Month

Incorrect authorization enforcement in Snipe-IT's API location creation endpoint allows an authenticated low-privilege user to create a child location under a parent location belonging to a different company, bypassing the intended multi-tenant isolation boundary. The vulnerability affects all Snipe-IT versions prior to 8.6.2 when both Full Multiple Companies Support and the scope_locations_fmcs option are simultaneously enabled. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; real-world risk is constrained by the non-default configuration prerequisites and the requirement for authenticated access.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-55476 MEDIUM PATCH NEWS This Month

Missing authorization on Snipe-IT's asset request cancellation endpoint prior to version 8.6.0 allows any authenticated low-privileged user to cancel another user's pending asset requests by supplying a victim's user ID in the URL path segment. The cancel_by_admin path parameter is accepted without server-side privilege verification, constituting a CWE-862 (Missing Authorization) flaw - effectively a broken object-level authorization issue on an administrative action. No public exploit has been identified at time of analysis, and CVSS 4.0 scoring (5.3) reflects limited scope: integrity-only impact with no data exposure or availability loss.

Authentication Bypass Snipe It
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-6212 HIGH This Week

Authorization bypass in Teracity TeraMIS (versions V03.26.01.14 through the 30.04.2026 build) lets an authenticated low-privilege user tamper with a user-controlled object key to reach records and functions belonging to other users or higher-privilege roles (CWE-639 IDOR). The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation by any account holder, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS and POC data were not provided.

Authentication Bypass Teramis
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-61459 CRITICAL POC PATCH Act Now

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.

Authentication Bypass Kubernetes Mcp Server Kubernetes
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55478 MEDIUM PATCH This Month

{kit_id}/licenses allows authenticated low-privilege users to bind arbitrary licenses - including those belonging to other departments or users - into kits they control. The server validates kit-edit permissions but performs no ownership or access check against the referenced license object, a classic IDOR pattern (CWE-639). No public exploit exists and the vulnerability is not listed in CISA KEV; it is fixed in version 8.6.2.

Authentication Bypass Snipe It
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55516 HIGH PATCH This Week

{maintenance_id} endpoint authorizes the original record and asset but trusts an attacker-supplied asset_id without re-checking company scope, breaking multi-tenant isolation (CVSS 7.7, scope-changed). No public exploit identified at time of analysis, but the upstream fix commit and GitHub Security Advisory (GHSA-575r-357h-fhch) are published.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-61460 HIGH POC This Week

Broken object-level authorization in Krayin CRM (Laravel CRM) through version 2.2.3 lets any authenticated user tamper with leads, persons, organizations, quotes, and activities belonging to other users. Because the edit, update, and destroy methods across five controllers never verify record ownership, a low-privileged account can read, modify, reassign, or delete arbitrary CRM records by manipulating the object ID. Publicly available exploit details exist (reported by VulnCheck), though the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass Laravel Crm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59151 CRITICAL PATCH Act Now

Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. Rated CVSS 9.6 (scope-changing); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Prowler
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-56668 HIGH PATCH This Week

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. A vendor patch (4.15.3) and fixing commit are available.

Authentication Bypass Microsoft Zitadel
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-56666 MEDIUM PATCH This Month

Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. No public exploit has been identified at time of analysis; the fix is available in the vendor-released patch v4.15.3.

Authentication Bypass Zitadel
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-57476 MEDIUM PATCH This Month

Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation corpus to unauthorized read access and content injection by any network-reachable attacker who could discover the required request parameters. The root cause is missing authentication on critical internal API functions (CWE-306), enabling adversaries to exfiltrate proprietary knowledge base content or poison AI-generated responses with injected documents. The vendor applied a server-side fix on 2026-03-25 by restricting network access and enforcing authentication; no public exploit code or CISA KEV listing has been identified, though an independent security advisory has been published.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-57475 MEDIUM PATCH This Month

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. Critically, the vendor states that the injected configuration additions were not consumed or acted upon by the system, substantially constraining real-world operational impact. The vendor remediated the issue on 2026-03-25 by restricting network access and enforcing authentication; no public exploit has been identified at time of analysis.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-2398 HIGH This Week

Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. The vendor was contacted but did not respond, so no coordinated fix is confirmed.

Authentication Bypass Privilege Escalation Mobilmen 20T
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-59190 HIGH This Week

{username}?task=save with data[password]. The saveUser handler checks that the caller has user-management rights but never verifies the caller is allowed to edit that specific target, an authorization gap (CWE-639) carrying a CVSS 4.0 score of 8.7. No public exploit identified at time of analysis; the fix is expected in 1.10.53.

Authentication Bypass Grav
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-15377 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-49977 npm MEDIUM POC PATCH GHSA This Month

Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-39903 HIGH PATCH This Week

Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.

Authentication Bypass PHP Smf
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59154 MEDIUM PATCH This Month

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15376 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-56675 HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach protected /v1/* proxy APIs because src/dashboardGuard.js trusts any request arriving over loopback. When 9Router runs behind a same-host reverse proxy that forwards public traffic through 127.0.0.1 - the standard production deployment - external requests are misclassified as local, exposing /v1/models and enabling abuse of configured upstream AI provider credentials. No public exploit identified at time of analysis; scored CVSS 8.3 with a scope change reflecting downstream provider-credential abuse.

Authentication Bypass 9Router
NVD GitHub
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-55638 HIGH PATCH This Week

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protected upstream LLM functionality through the /codex/* path, which next.config.mjs rewrites to /api/v1/responses without ever passing through the dashboardGuard API-key check. Because src/dashboardGuard.js only allowlists /v1, /v1beta, /api/v1, and /api/v1beta — omitting /codex — attackers can force the server to make upstream provider calls billed to operator-stored LLM credentials. No public exploit identified at time of analysis; fixed in 0.5.2.

Authentication Bypass 9Router
NVD GitHub
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-55641 HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.

Authentication Bypass 9Router
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-15375 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15374 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15373 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59796 HIGH PATCH This Week

Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-38059 HIGH CISA This Week

Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.

Authentication Bypass Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-61441 HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-60086 MEDIUM PATCH This Month

Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. No active exploitation has been confirmed via CISA KEV and no public exploit code has been identified at time of analysis, though the bypass technique is conceptually straightforward given that the classification threshold logic is now publicly disclosed.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56765 Go CRITICAL PATCH Act Now

Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Vikunja
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56335 HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56312 MEDIUM PATCH This Month

Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56305 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56279 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-22659 HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-54470 MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56690 HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dell SQLi Information Disclosure
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-9857 MEDIUM This Month

Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-41878 HIGH This Week

Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.1
EPSS
0.5%
CVE-2026-15378 CRITICAL Act Now

Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.

Authentication Bypass SSRF Kubernetes
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-11990 MEDIUM This Month

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-15026 MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure Import And Export Users And Customers
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11992 MEDIUM This Month

Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.

Authentication Bypass WordPress Easy Appointments
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12955 MEDIUM This Month

Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.

Authentication Bypass WordPress Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12400 MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6802 MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-1946 MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-40452 HIGH PATCH This Week

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40006 HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-28564 CRITICAL PATCH Act Now

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-21044 MEDIUM This Month

Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.

Authentication Bypass
NVD VulDB
CVSS 4.0
5.8
EPSS
0.1%
EPSS 0% CVSS 5.9
MEDIUM This Month

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

Clean Restful Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.

Authentication Bypass Commerce Guest Registration
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.

Authentication Bypass Flowdrop
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization in the Drupal Paragraphs contributed module (all versions through 1.20.x) enables unauthenticated remote attackers to perform forceful browsing - directly accessing paragraph entity URLs or endpoints without passing any authorization check. The CVSS vector (PR:N/AC:L/AV:N) confirms exploitation requires no credentials against default-configured Drupal sites running the affected module. Despite an automatable attack surface, SSVC rates exploitation as none, EPSS sits at 0.13% (3rd percentile), and no active exploitation is confirmed; a vendor patch is available via Drupal SA-contrib-2026-061.

Authentication Bypass Paragraphs
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Forceful Browsing via missing authorization (CWE-862) in the Drupal Paragraphs contributed module allows remote unauthenticated users to access paragraph entities they are not authorized to view or modify, bypassing the CMS access control layer entirely. All Paragraphs releases from 0.0.0 up to but not including 1.21.0 are affected, per vendor advisory SA-CONTRIB-2026-060. Despite being automatable per SSVC analysis and network-exploitable with no privileges required, real-world exploitation risk is low: EPSS sits at 0.13% (3rd percentile), no public exploit code has been identified, and CISA has not added this to KEV.

Authentication Bypass Paragraphs
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization controls in Drupal WissKI versions prior to 4.2.0 enable unauthenticated remote attackers to perform forceful browsing - directly accessing restricted resources by guessing or enumerating URLs without undergoing proper authorization checks. The affected versions span the entire release history from 0.0.0 through 4.2.0, making all prior deployments vulnerable. SSVC assessment confirms no active exploitation at time of analysis, and the EPSS score of 0.13% (3rd percentile) suggests very low real-world exploitation probability despite the automatable nature of the attack.

Authentication Bypass Wisski
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. No public exploit code has been identified and SSVC confirms no active exploitation at time of analysis, though the nature of a payment gateway module means successful access could expose order or transaction data.

Authentication Bypass Commerce Realex Global Payments
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.

Authentication Bypass Ai Agents
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.

Authentication Bypass Ai Agents
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.

Authentication Bypass Ai Artificial Intelligence
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.

Authentication Bypass Advanced Content Feedback Aka Admin Feedback
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. A vendor patch is available at version 4.0.6.

Authentication Bypass Examples For Developers
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. Affected sites are Drupal deployments running this LocalGov Drupal editorial-workflow module.

Authentication Bypass Localgov Workflows
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. No public exploit has been identified, EPSS/KEV data were not provided, and the fix is shipped in Frappe 16.19.0.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized file attachment in Frappe, a Python/JavaScript full-stack web framework, allows any authenticated low-privilege user to attach files to arbitrary doctypes through file-handling API endpoints such as add_attachments, bypassing per-document write permission enforcement. Affected are all Frappe v15 releases prior to 15.110.0 and all v16 releases prior to 16.20.0. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make exploitation straightforward for any valid account holder on a multi-tenant instance.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization on the reportview endpoint in Frappe framework permits authenticated low-privileged users to access or manipulate report data beyond their permitted scope. Versions prior to 15.107.5 (v15 branch) and 16.18.2 (v16 branch) are affected, confirmed via GitHub Security Advisory GHSA-w8g7-j846-j248. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 PR:L metric confirms exploitation is bounded by requiring a valid authenticated session.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.

Authentication Bypass Misskey
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unprivileged user trigger a use-after-free by issuing an improper sequence of GPU system calls. By forcing a failure path in the MMU mapping logic, an attacker leaves internal driver state incompletely cleaned up, enabling unauthorized read/write access to physical memory from shader code. There is no public exploit identified at time of analysis and EPSS is low (0.15%), but the flaw carries high confidentiality, integrity, and availability impact for local attackers.

Authentication Bypass Denial Of Service Graphics Ddk
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.

Authentication Bypass Oauth Single Sign On Sso Oauth Client
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.

Authentication Bypass WordPress Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or bind on topics they should be denied, but only during metadata-store failure windows. When the Khepri metadata store returns a lookup error, the topic-permission result collapses to 'undefined', which the internal authorization backend fails open and treats as 'allow'. There is no public exploit identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 7.0.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authenticated RabbitMQ users can bypass authorization controls on passive AMQP 0-9-1 declare operations, exposing internal broker topology metadata across all affected release branches (3.13.x, 4.0.x, 4.1.x, 4.2.x). The missing authorization check on passive queue.declare and exchange.declare allows any user with vhost connectivity to enumerate queue and exchange names and read live message and consumer counts without requiring elevated permissions. No public exploit code has been identified and the vulnerability is not in CISA KEV; however, the low exploitation complexity, authentication-only prerequisite, and broad affected version range meaningfully elevate real-world exposure risk in multi-tenant or shared-credential deployments.

Authentication Bypass Microsoft Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated client to create foreign bindings against another connection's volatile amq.rabbitmq.reply-to (direct reply-to) destination, so persistent route entries survive after unbind and can leak RPC reply traffic intended for other clients. The flaw stems from Khepri-backed deletion checks that omit these volatile pseudo-queues, letting stale routes persist. No public exploit identified at time of analysis; exploitation requires valid credentials and has high attack complexity per the vendor CVSS 4.0 vector.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

RabbitMQ Server prior to 4.2.6 fails to cancel or reauthorize existing AMQP 0-9-1 consumers when an OAuth token expires or when connection.update_secret reduces token scopes, allowing an authenticated consumer to continue receiving messages it is no longer authorized to access. The broker evaluates authorization only at consumer registration time, not at message delivery time, creating a persistent authorization bypass window for as long as the connection remains open. No public exploit exists at time of analysis, but the CVSS 4.0 vector assigns high subsequent-system confidentiality impact (SC:H), reflecting meaningful data-access risk in OAuth-governed or multi-tenant deployments.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restricted account such as the default guest user authenticate from a remote network when the broker sits behind a trusted PROXY-protocol path and the backend listener is loopback-bound. Because the loopback check evaluates the listener-side socket address (which appears as 127.0.0.1 to the local proxy) instead of the real client source carried in the PROXY header, the 'local only' restriction on guest is silently defeated across AMQP 0-9-1, AMQP 1.0, and the Stream Protocol. SSVC records a proof-of-concept; there is no CISA KEV listing and EPSS is low (0.34%, 26th percentile), indicating the flaw is potent but not yet mass-exploited.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation within RustDesk before 1.4.9 lets an authenticated peer that was granted only a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) send control messages and login options reserved for a full Remote session, because the server never re-validates a session's authorized scope. The result is that a peer given, for example, file-transfer-only access can observe and control the host's screen and input as if it held full remote-control rights. No public exploit has been identified at time of analysis, though the fixing pull request and commit are public, and no EPSS or CISA KEV data was supplied.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Cross-tenant authorization bypass in Snipe-IT prior to v8.6.2 allows an authenticated user with only `reports.view` permission in one company to delete pending checkout acceptance records belonging to any other company by supplying arbitrary global IDs to the unaccepted-assets report delete endpoint. The root cause is a classic IDOR (CWE-639): the endpoint validates role but not company-scope ownership. No public exploit has been identified and this CVE is absent from the CISA KEV catalog, but multi-tenant deployments relying on organizational data isolation are directly impacted.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken authorization in Snipe-IT's legacy single-seat license checkin endpoint allows authenticated users with only checkout (assign) rights to invoke the checkin (unassign) action, bypassing the intended permission boundary. Versions prior to 8.6.2 are affected; this is fixed in v8.6.2. No public exploit has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the low-complexity, network-accessible nature of the bypass makes it straightforward to exploit for any authenticated user with checkout-level access.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Unauthorized modification of import ownership metadata in Snipe-IT prior to version 8.6.1 allows an authenticated user with CSV import capabilities to overwrite the created_by field on import records via the Importer API endpoint. The flaw stems from insufficient authorization enforcement (CWE-863) on the created_by parameter during CSV import operations, enabling a low-privileged API user to falsify asset audit trails and attribution records. No public exploit code has been identified and this vulnerability is absent from CISA KEV; a vendor-released patch is available in v8.6.1.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Snipe-IT's UsersController before version 8.6.2 allows any authenticated user holding only the users.view permission to access restricted inventory and procurement metadata - including assigned licenses, accessories, consumables, and associated cost and order data - from modules their direct permissions would otherwise deny. The flaw exists in both the show() and printInventory() controller methods, which enforce authorization only for the user-viewing scope before eagerly loading and rendering related asset relationships without further permission checks. No public exploit exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and common assignment of users.view to helpdesk staff makes this a realistic insider access-control bypass in enterprise deployments.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication step-up bypass in Logto self-hosted auth infrastructure prior to 1.41.0 lets an already-authenticated user manage MFA factors without re-proving their identity. The Account Center accepted any of the user's own verified records - including a self-created WebAuthn passkey-registration record - as proof of identity verification, so an attacker holding only a valid Account API bearer token could forge the logto-verification-id header and satisfy step-up checks. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is fixed in 1.41.0.

Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

{workspace}/scripts/list_search` handler validates the token's domain and action (`scripts:read`) at the route level but omits per-row filtering against the token's resource/path segment (e.g., `scripts:read:f/allowed/*`), causing the underlying SQL query to return all non-archived workspace scripts regardless of path restrictions. Affects all Windmill deployments up to version 1.714.1; no public exploit or CISA KEV listing at time of analysis, but full reproduction steps are published in the GitHub security advisory.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Snipe-IT before 8.6.2 lets an authenticated non-admin user who holds users.view and users.edit - but explicitly not users.delete - soft-delete other non-admin user accounts by POSTing delete_user=1 to /users/bulksave. The root cause is that BulkUsersController::destroy() checks only the 'update' authorization, so the delete permission gate is never enforced. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization enforcement in Snipe-IT's API location creation endpoint allows an authenticated low-privilege user to create a child location under a parent location belonging to a different company, bypassing the intended multi-tenant isolation boundary. The vulnerability affects all Snipe-IT versions prior to 8.6.2 when both Full Multiple Companies Support and the scope_locations_fmcs option are simultaneously enabled. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; real-world risk is constrained by the non-default configuration prerequisites and the requirement for authenticated access.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization on Snipe-IT's asset request cancellation endpoint prior to version 8.6.0 allows any authenticated low-privileged user to cancel another user's pending asset requests by supplying a victim's user ID in the URL path segment. The cancel_by_admin path parameter is accepted without server-side privilege verification, constituting a CWE-862 (Missing Authorization) flaw - effectively a broken object-level authorization issue on an administrative action. No public exploit has been identified at time of analysis, and CVSS 4.0 scoring (5.3) reflects limited scope: integrity-only impact with no data exposure or availability loss.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authorization bypass in Teracity TeraMIS (versions V03.26.01.14 through the 30.04.2026 build) lets an authenticated low-privilege user tamper with a user-controlled object key to reach records and functions belonging to other users or higher-privilege roles (CWE-639 IDOR). The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation by any account holder, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS and POC data were not provided.

Authentication Bypass Teramis
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.

Authentication Bypass Kubernetes Mcp Server Kubernetes
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{kit_id}/licenses allows authenticated low-privilege users to bind arbitrary licenses - including those belonging to other departments or users - into kits they control. The server validates kit-edit permissions but performs no ownership or access check against the referenced license object, a classic IDOR pattern (CWE-639). No public exploit exists and the vulnerability is not listed in CISA KEV; it is fixed in version 8.6.2.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

{maintenance_id} endpoint authorizes the original record and asset but trusts an attacker-supplied asset_id without re-checking company scope, breaking multi-tenant isolation (CVSS 7.7, scope-changed). No public exploit identified at time of analysis, but the upstream fix commit and GitHub Security Advisory (GHSA-575r-357h-fhch) are published.

Authentication Bypass Snipe It
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Broken object-level authorization in Krayin CRM (Laravel CRM) through version 2.2.3 lets any authenticated user tamper with leads, persons, organizations, quotes, and activities belonging to other users. Because the edit, update, and destroy methods across five controllers never verify record ownership, a low-privileged account can read, modify, reassign, or delete arbitrary CRM records by manipulating the object ID. Publicly available exploit details exist (reported by VulnCheck), though the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass Laravel Crm
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. Rated CVSS 9.6 (scope-changing); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Prowler
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. A vendor patch (4.15.3) and fixing commit are available.

Authentication Bypass Microsoft Zitadel
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. No public exploit has been identified at time of analysis; the fix is available in the vendor-released patch v4.15.3.

Authentication Bypass Zitadel
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation corpus to unauthorized read access and content injection by any network-reachable attacker who could discover the required request parameters. The root cause is missing authentication on critical internal API functions (CWE-306), enabling adversaries to exfiltrate proprietary knowledge base content or poison AI-generated responses with injected documents. The vendor applied a server-side fix on 2026-03-25 by restricting network access and enforcing authentication; no public exploit code or CISA KEV listing has been identified, though an independent security advisory has been published.

Authentication Bypass Ai Assist For Customer
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. Critically, the vendor states that the injected configuration additions were not consumed or acted upon by the system, substantially constraining real-world operational impact. The vendor remediated the issue on 2026-03-25 by restricting network access and enforcing authentication; no public exploit has been identified at time of analysis.

Authentication Bypass Ai Assist For Customer
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. The vendor was contacted but did not respond, so no coordinated fix is confirmed.

Authentication Bypass Privilege Escalation Mobilmen 20T
NVD
EPSS 0% CVSS 8.7
HIGH This Week

{username}?task=save with data[password]. The saveUser handler checks that the caller has user-management rights but never verifies the caller is allowed to edit that specific target, an authorization gap (CWE-639) carrying a CVSS 4.0 score of 8.7. No public exploit identified at time of analysis; the fix is expected in 1.10.53.

Authentication Bypass Grav
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.3
MEDIUM POC PATCH This Month

Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.

Authentication Bypass PHP Smf
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach protected /v1/* proxy APIs because src/dashboardGuard.js trusts any request arriving over loopback. When 9Router runs behind a same-host reverse proxy that forwards public traffic through 127.0.0.1 - the standard production deployment - external requests are misclassified as local, exposing /v1/models and enabling abuse of configured upstream AI provider credentials. No public exploit identified at time of analysis; scored CVSS 8.3 with a scope change reflecting downstream provider-credential abuse.

Authentication Bypass 9Router
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protected upstream LLM functionality through the /codex/* path, which next.config.mjs rewrites to /api/v1/responses without ever passing through the dashboardGuard API-key check. Because src/dashboardGuard.js only allowlists /v1, /v1beta, /api/v1, and /api/v1beta — omitting /codex — attackers can force the server to make upstream provider calls billed to operator-stored LLM credentials. No public exploit identified at time of analysis; fixed in 0.5.2.

Authentication Bypass 9Router
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.

Authentication Bypass 9Router
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Teamcity
NVD
EPSS 1% CVSS 8.7
HIGH This Week

Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.

Authentication Bypass Evolution Iq Series Terminals 3315 Series +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. No active exploitation has been confirmed via CISA KEV and no public exploit code has been identified at time of analysis, though the bypass technique is conceptually straightforward given that the classification threshold logic is now publicly disclosed.

Authentication Bypass Praisonai
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Vikunja
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dell SQLi +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.

Authentication Bypass SSRF Kubernetes
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.

Authentication Bypass WordPress Easy Appointments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.

Authentication Bypass WordPress Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.

Authentication Bypass
NVD VulDB
Prev Page 5 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy