Authentication Bypass
Monthly
Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.
Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.
Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.
Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach protected /v1/* proxy APIs because src/dashboardGuard.js trusts any request arriving over loopback. When 9Router runs behind a same-host reverse proxy that forwards public traffic through 127.0.0.1 - the standard production deployment - external requests are misclassified as local, exposing /v1/models and enabling abuse of configured upstream AI provider credentials. No public exploit identified at time of analysis; scored CVSS 8.3 with a scope change reflecting downstream provider-credential abuse.
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protected upstream LLM functionality through the /codex/* path, which next.config.mjs rewrites to /api/v1/responses without ever passing through the dashboardGuard API-key check. Because src/dashboardGuard.js only allowlists /v1, /v1beta, /api/v1, and /api/v1beta — omitting /codex — attackers can force the server to make upstream provider calls billed to operator-stored LLM credentials. No public exploit identified at time of analysis; fixed in 0.5.2.
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.
Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.
Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.
Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. No active exploitation has been confirmed via CISA KEV and no public exploit code has been identified at time of analysis, though the bypass technique is conceptually straightforward given that the classification threshold logic is now publicly disclosed.
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.
Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.
Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.
Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.
Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.
Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.
Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.
Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.
Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.
Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.
Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. A public proof-of-concept exploit has been released per VulDB, and the project maintainer has not yet responded to the coordinated disclosure filed via GitHub issue #2874.
Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.
{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.
Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.
Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.
Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.
Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.ReloadConfig function in pkg/channels/pico/pico.go by manipulating the message.send argument without proper authorization checks. The integrity and availability of the affected system are both at limited risk, as the CVSS 4.0 vector confirms no confidentiality exposure but allows unauthorized configuration reload or disruption. A public exploit exists (E:P), though the GitHub issue tracking the report was closed automatically due to inactivity, indicating no vendor remediation has been issued.
Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP allowlist enforced by the Launcher's web backend middleware. The flaw resides in the IPAllowlist function within web/backend/middleware/access_control.go, which fails to correctly enforce source-address restrictions, permitting unauthorized network access to protected endpoints. A public proof-of-concept exploit exists (GitHub issue #3069), and an upstream patch (PR #3126) has been submitted but a formally released patched version has not been independently confirmed.
Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allows remote low-privileged attackers to bypass access controls by manipulating the `client_id` argument, enabling unauthorized access to MQTT channels belonging to other clients. A public proof-of-concept exploit exists via the referenced GitHub issue, elevating practical risk beyond the moderate CVSS 4.0 score of 5.3. No vendor patch has been released - the upstream GitHub issue was closed automatically due to inactivity - leaving affected deployments without an official remediation path.
Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.
Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Missing authorization on the `/api/storage/getCriteria` endpoint in SiYuan personal knowledge management software exposes saved search criteria - including private document paths, notebook and block IDs, and search/replace keyword history - to any publish-mode Reader, bypassing the access controls applied by all sibling storage endpoints. All SiYuan releases prior to 3.7.1 are affected per the vendor security advisory GHSA-px3c-cf92-9g83. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the low attack complexity and readily available fix commit make this straightforward to weaponize against exposed instances.
Unauthorized write access to the admin backup store in Discourse allows any authenticated regular user to route S3 multipart uploads into a storage area that should be restricted to administrators. The flaw exists in ExternalUploadManager, which fails to enforce authorization checks (CWE-862) when accepting direct S3 multipart upload requests, meaning a low-privilege account holder can target the admin backup destination path without restriction. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this a credible threat on any Discourse deployment using S3 direct uploads.
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.
Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.
Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.
Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.
Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).
Improper access control in the Proximus b-box v8c.725A ISP gateway lets an already-authenticated low-privilege user override authorization checks and freely add, alter, or delete port forwarding (NAT) rules. Publicly available exploit code exists (GitHub PoC by Cedrico03), though it is not listed in CISA KEV and carries a low EPSS score (0.22%, 12th percentile), indicating no evidence of widespread active exploitation. The flaw effectively grants any logged-in account router-administrator control over inbound traffic routing.
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.
Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.
Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.
Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.
Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.
License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.
Missing ownership enforcement on Sylius Shop API payment request endpoints allows any caller who possesses a valid payment request UUID hash to read sensitive order data - including customer email, shipping addresses, and order totals - or manipulate post-payment redirect URLs to an attacker-controlled domain. Affected versions span the 2.0.x, 2.1.x, and 2.2.x release lines, with fixes available in 2.0.18, 2.1.15, and 2.2.6 per the vendor advisory GHSA-mr9r-h354-966r. No public exploit code or CISA KEV listing has been identified at time of analysis; real-world exploitability is gated on acquiring the UUID hash out-of-band.
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.
{tokenValue}/payments/{paymentId}` silently accepts and returns HTTP 200 for payment methods the store operator has explicitly excluded from the order's sales channel, while the equivalent checkout endpoint correctly rejects them with HTTP 422. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.
Certificate revocation in nebula-mgmt (forgekeep/nebula-mesh ≤ v0.3.6) is non-durable due to two distinct authorization gaps at certificate issuance time. Blocked hosts bypass blocklist enforcement entirely by re-enrolling with a new token because `enroll.go:128` calls `caMgr.Sign()` without consulting the blocklist - a fingerprint-keyed structure that treats any fresh certificate as unknown. Separately, hosts enrolled under a subsequently-disabled operator auto-renew certificates indefinitely because `signHostCert` never re-validates operator or CA lifecycle status, meaning operator offboarding does not terminate provisioned host access. No public exploit is identified at time of analysis; both issues were discovered during an internal offensive security audit (tracking issue #178).
Authentication bypass in the Large Scale VPN (LSVPN) feature of Palo Alto Networks PAN-OS enables unauthenticated network-adjacent attackers to establish unauthorized site-to-site VPN connections without valid credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), where the LSVPN peer negotiation process fails to enforce authentication before allowing VPN tunnel establishment. While the CVSS 4.0 base score is 4.5, the subsequent-system confidentiality impact is rated High (SC:H), reflecting that a successful bypass grants the attacker routing-level access into networks protected by the VPN - a materially greater risk than the headline score suggests. No public exploit code exists and no active exploitation has been confirmed (CISA KEV not listed, E:U).
Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.
Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.
Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. No public exploit code has been identified at time of analysis, and the service is not listed in the CISA KEV catalog, but the low technical barrier means exploitation requires nothing more than a standard HTTP request.
Open WebUI versions 0.8.12 through 0.9.x expose a missing authorization flaw that permits authenticated non-admin users to reach restricted underlying AI models by exploiting a code-path divergence in task endpoints. The standard chat route (/api/v1/chat/completions) correctly re-validates submodel access after arena wrapper resolution, but task endpoints such as /api/v1/tasks/moa/completions call utils.chat.generate_chat_completion() directly, triggering arena fallback resolution after the wrapper check passes and recursing with bypass_filter=True - effectively nullifying the submodel access control. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack requires only low-privilege authentication (PR:L), making it directly relevant to any multi-tenant or enterprise Open WebUI deployment with model access tiering.
Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. No public exploit has been identified at time of analysis, but the fix is confirmed in v0.10.0 and the flaw is scored CVSS 8.0.
Open WebUI's WEB_FETCH_FILTER_LIST blocklist enforcement fails to parse hostnames at label boundaries in versions prior to 0.10.0, enabling authenticated users to bypass administrator-configured host restrictions and trigger server-side fetches to internally restricted resources. Two bypass classes exist: embedding a blocked hostname in the URL path component (e.g., https://attacker.com/internal.corp/data) rather than the authority, and using a sibling domain sharing the blocked entry's suffix (e.g., evilinternalhost.example.com matching a blocklist entry for internalhost.example.com). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. No public exploit code or CISA KEV listing exists at time of analysis, but the impact extends beyond the low CVSS integrity score - injected content directly influences LLM responses for all users of the affected knowledge base, enabling indirect prompt injection.
Cross-channel thread context disclosure in Open WebUI prior to 0.10.0 allows authenticated low-privilege users to reference messages from private or DM channels they do not have access to, leaking thread content across channel boundaries. The root cause is a missing channel-binding validation on the parent_id parameter in thread reply handling - the server does not verify that the referenced parent message belongs to the channel specified in the URL. No public exploit or active exploitation has been identified; this is a low-severity, high-complexity authorization bypass with confirmed vendor fix in v0.10.0.
Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that `_verify_knowledge_file_access` validated only read permissions, while write and delete routes independently trusted access derived from writable model `meta.knowledge` entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. No public exploit or CISA KEV listing is identified at time of analysis; this is a medium-severity, authenticated-only issue fixed in v0.10.0.
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.
Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. A publicly disclosed exploit exists per VulDB submission 851624; no vendor patch has been released and the maintainer has not responded to the responsible disclosure report.
Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CERT/CC advisory (VU#152953) is the primary reference.
WebView sandbox escape in the PayRange 7.0.7 mobile payment app allows a network attacker to inject arbitrary JavaScript into the app's embedded WebView when chained with a separate SSL/TLS bypass, then invoke privileged JavaScript-to-native function calls to break out of the sandbox and perform dangerous actions on the victim's device. Affected users are those running PayRange 7.0.7 who can be induced to open attacker-influenced content while an attacker holds a man-in-the-middle position. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile), indicating no observed mass exploitation despite the 9.6 CVSS rating; the issue is documented in CERT/CC VU#152953.
Unauthenticated manipulation of collaborative document state is possible in Open WebUI versions 0.6.16 through 0.9.x, where the Socket.IO server's always_connect=True configuration allows the ydoc:awareness:update and ydoc:document:leave event handlers to process requests from any connected client regardless of identity. An attacker with network access to the platform can inject false collaborative presence data or trigger spurious document-leave events, disrupting active collaboration sessions for legitimate users. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the input.
Improper authorization in Open WebUI 0.9.x allows deactivated or pending users to continue executing scheduled AI model automations after their accounts should have lost that capability. The `execute_automation` function rehydrated automation owners without re-verifying that the owner account was still active or still held the `features.automations` permission, and `check_model_access` enforced private-model grants only against the current user role at the time of check rather than re-validating eligibility at execution time. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 reflects the low real-world severity: high attack complexity, limited availability impact, and no confidentiality or integrity impact per the official assessment.
Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.
Open WebUI versions 0.8.11 through 0.10.0 expose a missing-authorization flaw (CWE-862) on the POST /api/v1/images/edit endpoint, allowing any verified non-admin account to invoke server-side image editing even when administrators have disabled the global image-edit switch or revoked per-user image-generation permissions. The bypass enables unprivileged users to consume admin-configured third-party image provider credentials - exhausting API quotas or generating unauthorized images - undermining deliberate access controls set by the platform operator. No public exploit has been identified at time of analysis; a vendor-confirmed fix is available in version 0.10.0.
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.
Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.
Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.
Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.
Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach protected /v1/* proxy APIs because src/dashboardGuard.js trusts any request arriving over loopback. When 9Router runs behind a same-host reverse proxy that forwards public traffic through 127.0.0.1 - the standard production deployment - external requests are misclassified as local, exposing /v1/models and enabling abuse of configured upstream AI provider credentials. No public exploit identified at time of analysis; scored CVSS 8.3 with a scope change reflecting downstream provider-credential abuse.
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protected upstream LLM functionality through the /codex/* path, which next.config.mjs rewrites to /api/v1/responses without ever passing through the dashboardGuard API-key check. Because src/dashboardGuard.js only allowlists /v1, /v1beta, /api/v1, and /api/v1beta — omitting /codex — attackers can force the server to make upstream provider calls billed to operator-stored LLM credentials. No public exploit identified at time of analysis; fixed in 0.5.2.
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.
Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.
Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.
Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. No active exploitation has been confirmed via CISA KEV and no public exploit code has been identified at time of analysis, though the bypass technique is conceptually straightforward given that the classification threshold logic is now publicly disclosed.
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.
Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.
Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.
Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.
Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.
Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.
Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.
Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.
Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.
Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.
Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. A public proof-of-concept exploit has been released per VulDB, and the project maintainer has not yet responded to the coordinated disclosure filed via GitHub issue #2874.
Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.
{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.
Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.
Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.
Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.
Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.ReloadConfig function in pkg/channels/pico/pico.go by manipulating the message.send argument without proper authorization checks. The integrity and availability of the affected system are both at limited risk, as the CVSS 4.0 vector confirms no confidentiality exposure but allows unauthorized configuration reload or disruption. A public exploit exists (E:P), though the GitHub issue tracking the report was closed automatically due to inactivity, indicating no vendor remediation has been issued.
Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP allowlist enforced by the Launcher's web backend middleware. The flaw resides in the IPAllowlist function within web/backend/middleware/access_control.go, which fails to correctly enforce source-address restrictions, permitting unauthorized network access to protected endpoints. A public proof-of-concept exploit exists (GitHub issue #3069), and an upstream patch (PR #3126) has been submitted but a formally released patched version has not been independently confirmed.
Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allows remote low-privileged attackers to bypass access controls by manipulating the `client_id` argument, enabling unauthorized access to MQTT channels belonging to other clients. A public proof-of-concept exploit exists via the referenced GitHub issue, elevating practical risk beyond the moderate CVSS 4.0 score of 5.3. No vendor patch has been released - the upstream GitHub issue was closed automatically due to inactivity - leaving affected deployments without an official remediation path.
Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.
Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Missing authorization on the `/api/storage/getCriteria` endpoint in SiYuan personal knowledge management software exposes saved search criteria - including private document paths, notebook and block IDs, and search/replace keyword history - to any publish-mode Reader, bypassing the access controls applied by all sibling storage endpoints. All SiYuan releases prior to 3.7.1 are affected per the vendor security advisory GHSA-px3c-cf92-9g83. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the low attack complexity and readily available fix commit make this straightforward to weaponize against exposed instances.
Unauthorized write access to the admin backup store in Discourse allows any authenticated regular user to route S3 multipart uploads into a storage area that should be restricted to administrators. The flaw exists in ExternalUploadManager, which fails to enforce authorization checks (CWE-862) when accepting direct S3 multipart upload requests, meaning a low-privilege account holder can target the admin backup destination path without restriction. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this a credible threat on any Discourse deployment using S3 direct uploads.
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.
Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.
Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.
Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.
Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).
Improper access control in the Proximus b-box v8c.725A ISP gateway lets an already-authenticated low-privilege user override authorization checks and freely add, alter, or delete port forwarding (NAT) rules. Publicly available exploit code exists (GitHub PoC by Cedrico03), though it is not listed in CISA KEV and carries a low EPSS score (0.22%, 12th percentile), indicating no evidence of widespread active exploitation. The flaw effectively grants any logged-in account router-administrator control over inbound traffic routing.
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.
Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.
Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.
Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.
Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.
License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.
Missing ownership enforcement on Sylius Shop API payment request endpoints allows any caller who possesses a valid payment request UUID hash to read sensitive order data - including customer email, shipping addresses, and order totals - or manipulate post-payment redirect URLs to an attacker-controlled domain. Affected versions span the 2.0.x, 2.1.x, and 2.2.x release lines, with fixes available in 2.0.18, 2.1.15, and 2.2.6 per the vendor advisory GHSA-mr9r-h354-966r. No public exploit code or CISA KEV listing has been identified at time of analysis; real-world exploitability is gated on acquiring the UUID hash out-of-band.
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.
{tokenValue}/payments/{paymentId}` silently accepts and returns HTTP 200 for payment methods the store operator has explicitly excluded from the order's sales channel, while the equivalent checkout endpoint correctly rejects them with HTTP 422. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.
Certificate revocation in nebula-mgmt (forgekeep/nebula-mesh ≤ v0.3.6) is non-durable due to two distinct authorization gaps at certificate issuance time. Blocked hosts bypass blocklist enforcement entirely by re-enrolling with a new token because `enroll.go:128` calls `caMgr.Sign()` without consulting the blocklist - a fingerprint-keyed structure that treats any fresh certificate as unknown. Separately, hosts enrolled under a subsequently-disabled operator auto-renew certificates indefinitely because `signHostCert` never re-validates operator or CA lifecycle status, meaning operator offboarding does not terminate provisioned host access. No public exploit is identified at time of analysis; both issues were discovered during an internal offensive security audit (tracking issue #178).
Authentication bypass in the Large Scale VPN (LSVPN) feature of Palo Alto Networks PAN-OS enables unauthenticated network-adjacent attackers to establish unauthorized site-to-site VPN connections without valid credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), where the LSVPN peer negotiation process fails to enforce authentication before allowing VPN tunnel establishment. While the CVSS 4.0 base score is 4.5, the subsequent-system confidentiality impact is rated High (SC:H), reflecting that a successful bypass grants the attacker routing-level access into networks protected by the VPN - a materially greater risk than the headline score suggests. No public exploit code exists and no active exploitation has been confirmed (CISA KEV not listed, E:U).
Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.
Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.
Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. No public exploit code has been identified at time of analysis, and the service is not listed in the CISA KEV catalog, but the low technical barrier means exploitation requires nothing more than a standard HTTP request.
Open WebUI versions 0.8.12 through 0.9.x expose a missing authorization flaw that permits authenticated non-admin users to reach restricted underlying AI models by exploiting a code-path divergence in task endpoints. The standard chat route (/api/v1/chat/completions) correctly re-validates submodel access after arena wrapper resolution, but task endpoints such as /api/v1/tasks/moa/completions call utils.chat.generate_chat_completion() directly, triggering arena fallback resolution after the wrapper check passes and recursing with bypass_filter=True - effectively nullifying the submodel access control. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack requires only low-privilege authentication (PR:L), making it directly relevant to any multi-tenant or enterprise Open WebUI deployment with model access tiering.
Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. No public exploit has been identified at time of analysis, but the fix is confirmed in v0.10.0 and the flaw is scored CVSS 8.0.
Open WebUI's WEB_FETCH_FILTER_LIST blocklist enforcement fails to parse hostnames at label boundaries in versions prior to 0.10.0, enabling authenticated users to bypass administrator-configured host restrictions and trigger server-side fetches to internally restricted resources. Two bypass classes exist: embedding a blocked hostname in the URL path component (e.g., https://attacker.com/internal.corp/data) rather than the authority, and using a sibling domain sharing the blocked entry's suffix (e.g., evilinternalhost.example.com matching a blocklist entry for internalhost.example.com). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. No public exploit code or CISA KEV listing exists at time of analysis, but the impact extends beyond the low CVSS integrity score - injected content directly influences LLM responses for all users of the affected knowledge base, enabling indirect prompt injection.
Cross-channel thread context disclosure in Open WebUI prior to 0.10.0 allows authenticated low-privilege users to reference messages from private or DM channels they do not have access to, leaking thread content across channel boundaries. The root cause is a missing channel-binding validation on the parent_id parameter in thread reply handling - the server does not verify that the referenced parent message belongs to the channel specified in the URL. No public exploit or active exploitation has been identified; this is a low-severity, high-complexity authorization bypass with confirmed vendor fix in v0.10.0.
Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that `_verify_knowledge_file_access` validated only read permissions, while write and delete routes independently trusted access derived from writable model `meta.knowledge` entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. No public exploit or CISA KEV listing is identified at time of analysis; this is a medium-severity, authenticated-only issue fixed in v0.10.0.
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.
Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. A publicly disclosed exploit exists per VulDB submission 851624; no vendor patch has been released and the maintainer has not responded to the responsible disclosure report.
Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CERT/CC advisory (VU#152953) is the primary reference.
WebView sandbox escape in the PayRange 7.0.7 mobile payment app allows a network attacker to inject arbitrary JavaScript into the app's embedded WebView when chained with a separate SSL/TLS bypass, then invoke privileged JavaScript-to-native function calls to break out of the sandbox and perform dangerous actions on the victim's device. Affected users are those running PayRange 7.0.7 who can be induced to open attacker-influenced content while an attacker holds a man-in-the-middle position. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile), indicating no observed mass exploitation despite the 9.6 CVSS rating; the issue is documented in CERT/CC VU#152953.
Unauthenticated manipulation of collaborative document state is possible in Open WebUI versions 0.6.16 through 0.9.x, where the Socket.IO server's always_connect=True configuration allows the ydoc:awareness:update and ydoc:document:leave event handlers to process requests from any connected client regardless of identity. An attacker with network access to the platform can inject false collaborative presence data or trigger spurious document-leave events, disrupting active collaboration sessions for legitimate users. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the input.
Improper authorization in Open WebUI 0.9.x allows deactivated or pending users to continue executing scheduled AI model automations after their accounts should have lost that capability. The `execute_automation` function rehydrated automation owners without re-verifying that the owner account was still active or still held the `features.automations` permission, and `check_model_access` enforced private-model grants only against the current user role at the time of check rather than re-validating eligibility at execution time. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 reflects the low real-world severity: high attack complexity, limited availability impact, and no confidentiality or integrity impact per the official assessment.
Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.
Open WebUI versions 0.8.11 through 0.10.0 expose a missing-authorization flaw (CWE-862) on the POST /api/v1/images/edit endpoint, allowing any verified non-admin account to invoke server-side image editing even when administrators have disabled the global image-edit switch or revoked per-user image-generation permissions. The bypass enables unprivileged users to consume admin-configured third-party image provider credentials - exhausting API quotas or generating unauthorized images - undermining deliberate access controls set by the platform operator. No public exploit has been identified at time of analysis; a vendor-confirmed fix is available in version 0.10.0.
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.