Skip to main content

Authentication Bypass

31228 CVEs technique

Monthly

CVE-2026-42331 HIGH PATCH This Week

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Fossbilling
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-55428 Go HIGH PATCH GHSA This Week

Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-55429 Go HIGH PATCH GHSA This Week

Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.5%
CVE-2026-42341 CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-55077 Go HIGH PATCH GHSA This Week

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-55075 Go HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
CVE-2026-55076 Go HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
CVE-2026-54641 Maven HIGH PATCH GHSA This Week

Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
7.7
CVE-2026-59712 HIGH PATCH This Week

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).

Authentication Bypass Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54765 MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-54764 MEDIUM PATCH This Month

Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.

Authentication Bypass Traefik
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-55727 HIGH PATCH This Week

Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Genetec Security Center
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-44362 MEDIUM PATCH This Month

Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing field assignment in the Trusted Application loading pipeline, allowing revoked or downgraded subkeys to authenticate TAs without detection. A locally authenticated attacker who can supply TA binaries to the REE filesystem loader can bypass the entire key-chain revocation model, loading previously invalidated trusted code into the TrustZone secure world. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the integrity impact is categorical - the rollback database never advances, permanently defeating the control for any deployment relying on subkey-based TA signing chains.

Authentication Bypass Linux Optee Os
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-14536 HIGH PATCH This Week

Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Authentication Bypass Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55379 PyPI HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55786 PyPI HIGH POC PATCH GHSA This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.4
CVE-2026-49445 Go CRITICAL PATCH GHSA Act Now

Missing authorization on Cilium's Envoy admin socket lets any local user on a cluster node reach privileged Envoy admin endpoints when L7 (Layer 7) network policy functionality is enabled. Affecting Cilium 1.17.x before 1.17.14, 1.18.0-1.18.7, and 1.19.0-1.19.1 in both embedded and standalone Envoy models, it carries a CVSS 9.2 (scope-changing) rating and allows dumping TLS secrets, disrupting cluster traffic, or killing the Envoy proxy. No public exploit identified at time of analysis, and there is no workaround - only upgrading resolves it.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.2
EPSS
0.2%
CVE-2026-49439 Maven MEDIUM POC PATCH GHSA This Month

{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
4.3
CVE-2026-40139 CRITICAL PATCH NEWS Act Now

Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Remote Support Privileged Remote Access
NVD VulDB
CVSS 4.0
9.2
EPSS
0.7%
CVE-2026-40138 CRITICAL PATCH NEWS Act Now

Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.

Authentication Bypass Remote Support Privileged Remote Access
NVD VulDB
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-5268 CRITICAL Act Now

Authentication bypass in the default SFTP server component shared across Ciena's 6500 S-Series, 6500 T-Series, PTS, and CPL packet-optical transport platforms allows a remote, unauthenticated attacker to reach the underlying filesystem and read or modify system files. Rated CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and classified as CWE-288, the flaw undermines the primary access control on management-plane file transfer. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass 6500 S Series 6500 T Series Pts Cpl
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-12686 CRITICAL PATCH Act Now

Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.

Authentication Bypass Biloop
NVD VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-24013 PyPI CRITICAL PATCH Act Now

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-24014 PyPI CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.

Authentication Bypass Path Traversal Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46585 HIGH PATCH This Week

Query injection and authorization bypass in the Apache Camel Lucene component (camel-lucene) lets remote unauthenticated HTTP clients override the full-text search a route intends to run. Because the raw header names QUERY and RETURN_LUCENE_DOCS lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker-supplied header flows straight into the Exchange and executes against the index - enabling disclosure of documents the requester should not see (e.g. a match-all query dumping the whole index) and CPU-heavy regex queries. Affects 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile).

Authentication Bypass Microsoft Apache Apache Camel Lucene
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-46453 MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.

Authentication Bypass Elastic Microsoft Apache Java +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14807 CRITICAL Act Now

Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.

Authentication Bypass Erp App
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-14794 MEDIUM PATCH This Month

Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14793 MEDIUM PATCH This Month

Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14792 MEDIUM PATCH This Month

Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. No active exploitation has been confirmed and no public exploit code has been identified; a patch is available as release candidate 5.1.0-rc.1.

Authentication Bypass Formbricks
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-58209 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-58209 beyond its association with an Ubuntu vendor report. The CVE description is absent, no CVSS score or vector has been assigned, no CWE root cause is identified, and no additional intelligence sources were provided. Security teams should treat this as an unresolved reservation requiring active follow-up with Ubuntu Security Notices (USN) or the NVD pending full disclosure.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-58252 MEDIUM PATCH This Month

CVE-2026-58252 is attributed to Ubuntu per vendor reporting, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The vulnerability cannot be characterized beyond its association with the Ubuntu platform. Security teams should consult Ubuntu Security Notices (USN) directly for authoritative details as this record is effectively unpopulated.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58253 HIGH PATCH This Week

Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network connect to the cluster (route) or leafnode listener and be silently dropped into the privileged no_auth_user account, bypassing the separate route/leafnode authorization. Any server configured with no_auth_user is affected up to the fixed releases (v2.11.16, v2.12.7, v2.14.0), enabling cross-account message injection over the internal route protocol. No public exploit identified at time of analysis, though the vendor's own regression test demonstrates the exact attack.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-58211 MEDIUM PATCH This Month

CVE-2026-58211 was reported by Ubuntu with no description, CVSS score, CWE, or technical detail available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from available data. Security teams should monitor the Ubuntu security tracker and NVD for updates before assessing risk.

Authentication Bypass Nats Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58251 MEDIUM PATCH This Month

CVE-2026-58251 has been reported by Ubuntu with no description, CVSS score, CWE classification, or technical details available at time of analysis. The affected component, attack vector, and impact are entirely unknown. No exploitation status, patch availability, or severity rating can be determined from the provided intelligence.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58214 MEDIUM PATCH This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-58214 was reported by Ubuntu (vendor source) but carries no description, CVSS score, vector, or CWE at time of analysis. The affected component, attack vector, and impact are all unknown. Security teams should monitor the Ubuntu Security Notices (USN) feed and the NVD entry for this CVE for forthcoming details.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-58254 MEDIUM PATCH This Month

CVE-2026-58254 has been reported through Ubuntu's vendor channel, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The affected product, vulnerability class, and impact cannot be characterized at this time. No meaningful synthesis is possible without a description, patch reference, or advisory content.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-53913 CRITICAL PATCH Act Now

Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.

Authentication Bypass Apache RCE Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-49099 MEDIUM PATCH This Month

Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. All injected operations execute under the configured Salesforce integration user's permissions, which are typically broad, enabling unauthorized data exfiltration or destructive CRUD and Apex calls across the organization's Salesforce instance. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Microsoft Apache Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49086 MEDIUM PATCH This Month

Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. No public exploit code or CISA KEV listing exists at time of analysis, but exploitation is mechanically straightforward for any publisher on the subscribed topic.

Microsoft Apache Authentication Bypass Camel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48206 MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Atlassian Microsoft Apache Authentication Bypass Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-6509 HIGH PATCH This Week

Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14753 MEDIUM This Month

Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14736 MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14781 MEDIUM This Month

Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. The practical consequence is bypassing email verification workflows or triggering account linkage/takeover in applications that trust the email_verified flag from Keycloak for identity decisions. No public exploit code exists and no CISA KEV listing applies at time of analysis.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-14716 LOW POC Monitor

Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote attackers to bypass access controls on restricted methods. Affects all versions up to and including 3.13.0-beta.2. No public exploit identified as actively exploited (not in CISA KEV), but a publicly available proof-of-concept exists, lowering the barrier for exploitation against any exposed GoClaw deployment.

Authentication Bypass Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14714 MEDIUM POC PATCH This Month

Missing authentication in CowAgent 2.1.0's /wx WeChat endpoint allows remote unauthenticated attackers to bypass server verification by supplying an empty or default wechatmp_token, causing the underlying HMAC signature check to silently degenerate into a predictable hash. The vendor confirms the flaw exists in verify_server() within channel/wechatmp/common.py, where no explicit non-empty token guard was enforced, making the endpoint fail open rather than closed. A public proof-of-concept exists (GitHub issue #2860), and the fix is available in version 2.1.1; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Chatgpt On Wechat Cowagent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14693 LOW POC Monitor

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14690 MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-13475 HIGH PATCH This Week

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.

Authentication Bypass Wso2 Identity Server Wso2 Api Manager
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-14627 LOW POC Monitor

Improper authentication in NousResearch hermes-agent through version 0.15.2 allows remote attackers to bypass the Discord user allowlist by exploiting a logic flaw in the `DiscordAdapter._is_allowed_user` function within `gateway/platforms/discord.py`. Exploitation is rated high complexity (CVSS 4.0 AC:H), resulting in limited but confirmed confidentiality, integrity, and availability impact against the vulnerable system. A public proof-of-concept exploit has been disclosed via GitHub Gist; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.4%
CVE-2026-12196 HIGH PATCH This Week

Privilege escalation and remote code execution in the HestiaCP control panel allows an authenticated low-privilege user to abuse the panel's cronjob feature, which invokes HestiaCP management scripts via passwordless sudo, to run arbitrary commands and seize administrator accounts and the underlying webserver. Because the cronjob editor lets an ordinary panel user schedule execution of privileged v-scripts, the flaw yields a straight path from a normal hosting account to full host compromise. A detailed public write-up (projectblack.io) documents the exploitation technique, though it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-14622 MEDIUM POC This Month

Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.

Authentication Bypass Restaurant Website Php Mysql
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-71380 npm HIGH This Week

Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Authentication Bypass N8n
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-58523 MEDIUM PATCH This Month

Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58424 HIGH PATCH This Week

Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanently defeat the maintainer approval step that normally guards workflow execution on fork PRs, so that after the initial gate is subverted the attacker's workflow code runs against the repository's CI runners and secrets. CVSS is 8.9 (high) with a scope change and high integrity/availability impact; no public exploit has been identified at time of analysis, but a vendor patch (v1.26.4) is available. The flaw is classed as CWE-285 (Improper Authorization) and was self-reported by the Gitea project.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
8.9
EPSS
0.2%
CVE-2026-58423 HIGH PATCH This Week

Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (CVSS scope change) it exposes confidential repository contents without any integrity or availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available in Gitea 1.26.4.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-58422 CRITICAL PATCH Act Now

Authorization bypass in Gitea Open Source Git Server (versions up to and including 1.26.1) allows a user whose account was deliberately disabled by an administrator to silently regain access simply by signing in through a linked OAuth provider. The OAuth sign-in callback fails to honor the administrator's 'disabled' flag, effectively reversing an intended access-revocation action. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the flaw undermines a core account-lifecycle control on a widely self-hosted platform.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-58421 HIGH PATCH This Week

Denial of service in Gitea, the self-hosted open-source Git service, allows a remote unauthenticated attacker to exhaust server CPU by triggering catastrophic backtracking in the regular-expression engine that evaluates CODEOWNERS pattern matching. All versions prior to the fixed 1.26.3/1.26.4 releases are affected, and the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H only) confirms network-reachable, low-complexity, no-authentication abuse with availability-only impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), so exploitation risk is real but not yet widespread.

Authentication Bypass Denial Of Service Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-45489 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.

Microsoft Google Microsoft Edge Chromium Based Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58597 MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-58295 HIGH PATCH This Week

Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58293 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-58292 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run code on a victim's machine when the user is lured into interacting with attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and, per its CVSS scope-change metric, is consistent with a renderer/sandbox boundary escape. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58290 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type confusion flaw (CWE-843) that an unauthorized attacker can trigger over the network to run arbitrary code, provided the victim interacts with attacker-controlled web content. Microsoft self-reported and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) and required user interaction (UI:R) temper an otherwise network-reachable, unauthenticated attack surface.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58289 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-58286 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58285 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58284 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-45488 MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-58299 HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58283 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58282 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-57985 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57983 CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57975 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-28740 HIGH PATCH This Week

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch shipped in 1.26.3.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-27780 CRITICAL PATCH Act Now

Branch-protection bypass in Gitea's self-hosted Git server (all versions before 1.26.0) allows a user with push access to circumvent pre-receive hook enforcement by supplying oversized hook input that trips a bufio.Scanner error the code fails to handle safely. Because Gitea does not fail closed on the scanner error, the protection check is silently skipped and the push is accepted. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and this is not in CISA KEV, but a vendor patch (v1.26.0) is available.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-27779 HIGH PATCH This Week

Canonical URL spoofing in Gitea before 1.25.5 lets remote attackers inject malformed X-Forwarded-Proto values that the server trusts when computing its public-facing URL, causing it to emit attacker-controlled canonical links (e.g. in emails, redirects, and generated absolute URLs). No public exploit identified at time of analysis, and the low EPSS score (0.17%, 6th percentile) reflects minimal in-the-wild interest, but a vendor patch is available in v1.25.5. Note that the published CVSS vector claims availability impact (A:H) while the description describes URL spoofing (an integrity concern), a discrepancy worth verifying with the vendor.

Authentication Bypass Canonical Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-27775 HIGH PATCH This Week

Privilege escalation in Gitea 1.25.5 lets a user holding a per-branch maintainer-edit grant reuse that write permission against other refs and obtain full repository write access. The flaw stems from a branch-specific permission result being cached and incorrectly reused across multiple refs within a single pre-receive hook session. It is an authenticated authorization-bypass (CWE-863) fixed in Gitea 1.26.3; no public exploit has been identified and EPSS exploitation probability is low (0.20%).

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-27771 HIGH POC PATCH THREAT Act Now

Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With a CVSS 3.0 base score of 8.2 driven by high confidentiality impact, the practical effect is unauthorized disclosure of otherwise-private package sourcing information.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.0
8.2
EPSS
40.7%
Threat
4.4
CVE-2026-27761 MEDIUM PATCH This Month

Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commit metadata to any holder of a valid but under-privileged API token. Versions up to and including 1.26.2 are affected; the flaw is classified as CWE-863 (Incorrect Authorization) with a CVSS score of 4.3. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patches are available in v1.26.3 and v1.26.4.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-27660 HIGH PATCH This Week

Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-27657 HIGH PATCH This Week

Gitea versions before 1.25.5 allow a user to change another user's primary email address.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-26292 CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-26247 CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Authentication Bypass Microsoft Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-25782 MEDIUM PATCH This Month

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-25712 HIGH PATCH This Week

Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-24690 HIGH PATCH This Week

Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-20909 MEDIUM PATCH This Month

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Fossbilling
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 7.7
HIGH PATCH This Week

Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.

Authentication Bypass Java
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).

Authentication Bypass Leantime
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.

Authentication Bypass Traefik
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Genetec Security Center
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing field assignment in the Trusted Application loading pipeline, allowing revoked or downgraded subkeys to authenticate TAs without detection. A locally authenticated attacker who can supply TA binaries to the REE filesystem loader can bypass the entire key-chain revocation model, loading previously invalidated trusted code into the TrustZone secure world. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the integrity impact is categorical - the rollback database never advances, permanently defeating the control for any deployment relying on subkey-based TA signing chains.

Authentication Bypass Linux Optee Os
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Authentication Bypass Server
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
CVSS 8.4
HIGH POC PATCH This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Missing authorization on Cilium's Envoy admin socket lets any local user on a cluster node reach privileged Envoy admin endpoints when L7 (Layer 7) network policy functionality is enabled. Affecting Cilium 1.17.x before 1.17.14, 1.18.0-1.18.7, and 1.19.0-1.19.1 in both embedded and standalone Envoy models, it carries a CVSS 9.2 (scope-changing) rating and allows dumping TLS secrets, disrupting cluster traffic, or killing the Envoy proxy. No public exploit identified at time of analysis, and there is no workaround - only upgrading resolves it.

Authentication Bypass
NVD GitHub
CVSS 4.3
MEDIUM POC PATCH This Month

{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.

Authentication Bypass Java
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Remote Support Privileged Remote Access
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.

Authentication Bypass Remote Support Privileged Remote Access
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in the default SFTP server component shared across Ciena's 6500 S-Series, 6500 T-Series, PTS, and CPL packet-optical transport platforms allows a remote, unauthenticated attacker to reach the underlying filesystem and read or modify system files. Rated CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and classified as CWE-288, the flaw undermines the primary access control on management-plane file transfer. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass 6500 S Series 6500 T Series +2
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.

Authentication Bypass Biloop
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.

Authentication Bypass Path Traversal Apache +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Query injection and authorization bypass in the Apache Camel Lucene component (camel-lucene) lets remote unauthenticated HTTP clients override the full-text search a route intends to run. Because the raw header names QUERY and RETURN_LUCENE_DOCS lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker-supplied header flows straight into the Exchange and executes against the index - enabling disclosure of documents the requester should not see (e.g. a match-all query dumping the whole index) and CPU-heavy regex queries. Affects 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile).

Authentication Bypass Microsoft Apache +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.

Authentication Bypass Elastic Microsoft +3
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.

Authentication Bypass Erp App
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. No active exploitation has been confirmed and no public exploit code has been identified; a patch is available as release candidate 5.1.0-rc.1.

Authentication Bypass Formbricks
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-58209 beyond its association with an Ubuntu vendor report. The CVE description is absent, no CVSS score or vector has been assigned, no CWE root cause is identified, and no additional intelligence sources were provided. Security teams should treat this as an unresolved reservation requiring active follow-up with Ubuntu Security Notices (USN) or the NVD pending full disclosure.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-58252 is attributed to Ubuntu per vendor reporting, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The vulnerability cannot be characterized beyond its association with the Ubuntu platform. Security teams should consult Ubuntu Security Notices (USN) directly for authoritative details as this record is effectively unpopulated.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network connect to the cluster (route) or leafnode listener and be silently dropped into the privileged no_auth_user account, bypassing the separate route/leafnode authorization. Any server configured with no_auth_user is affected up to the fixed releases (v2.11.16, v2.12.7, v2.14.0), enabling cross-account message injection over the internal route protocol. No public exploit identified at time of analysis, though the vendor's own regression test demonstrates the exact attack.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CVE-2026-58211 was reported by Ubuntu with no description, CVSS score, CWE, or technical detail available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from available data. Security teams should monitor the Ubuntu security tracker and NVD for updates before assessing risk.

Authentication Bypass Nats Server
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-58251 has been reported by Ubuntu with no description, CVSS score, CWE classification, or technical details available at time of analysis. The affected component, attack vector, and impact are entirely unknown. No exploitation status, patch availability, or severity rating can be determined from the provided intelligence.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-58214 was reported by Ubuntu (vendor source) but carries no description, CVSS score, vector, or CWE at time of analysis. The affected component, attack vector, and impact are all unknown. Security teams should monitor the Ubuntu Security Notices (USN) feed and the NVD entry for this CVE for forthcoming details.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2026-58254 has been reported through Ubuntu's vendor channel, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The affected product, vulnerability class, and impact cannot be characterized at this time. No meaningful synthesis is possible without a description, patch reference, or advisory content.

Authentication Bypass Nats Server
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.

Authentication Bypass Apache RCE +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. All injected operations execute under the configured Salesforce integration user's permissions, which are typically broad, enabling unauthorized data exfiltration or destructive CRUD and Apex calls across the organization's Salesforce instance. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Microsoft Apache +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. No public exploit code or CISA KEV listing exists at time of analysis, but exploitation is mechanically straightforward for any publisher on the subscribed topic.

Microsoft Apache Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Atlassian Microsoft Apache +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. The practical consequence is bypassing email verification workflows or triggering account linkage/takeover in applications that trust the email_verified flag from Keycloak for identity decisions. No public exploit code exists and no CISA KEV listing applies at time of analysis.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 +3
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote attackers to bypass access controls on restricted methods. Affects all versions up to and including 3.13.0-beta.2. No public exploit identified as actively exploited (not in CISA KEV), but a publicly available proof-of-concept exists, lowering the barrier for exploitation against any exposed GoClaw deployment.

Authentication Bypass Goclaw
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Missing authentication in CowAgent 2.1.0's /wx WeChat endpoint allows remote unauthenticated attackers to bypass server verification by supplying an empty or default wechatmp_token, causing the underlying HMAC signature check to silently degenerate into a predictable hash. The vendor confirms the flaw exists in verify_server() within channel/wechatmp/common.py, where no explicit non-empty token guard was enforced, making the endpoint fail open rather than closed. A public proof-of-concept exists (GitHub issue #2860), and the fix is available in version 2.1.1; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Chatgpt On Wechat Cowagent
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.

Authentication Bypass Wso2 Identity Server Wso2 Api Manager
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authentication in NousResearch hermes-agent through version 0.15.2 allows remote attackers to bypass the Discord user allowlist by exploiting a logic flaw in the `DiscordAdapter._is_allowed_user` function within `gateway/platforms/discord.py`. Exploitation is rated high complexity (CVSS 4.0 AC:H), resulting in limited but confirmed confidentiality, integrity, and availability impact against the vulnerable system. A public proof-of-concept exploit has been disclosed via GitHub Gist; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Privilege escalation and remote code execution in the HestiaCP control panel allows an authenticated low-privilege user to abuse the panel's cronjob feature, which invokes HestiaCP management scripts via passwordless sudo, to run arbitrary commands and seize administrator accounts and the underlying webserver. Because the cronjob editor lets an ordinary panel user schedule execution of privileged v-scripts, the flaw yields a straight path from a normal hosting account to full host compromise. A detailed public write-up (projectblack.io) documents the exploitation technique, though it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.

Authentication Bypass Restaurant Website Php Mysql
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Authentication Bypass N8n
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanently defeat the maintainer approval step that normally guards workflow execution on fork PRs, so that after the initial gate is subverted the attacker's workflow code runs against the repository's CI runners and secrets. CVSS is 8.9 (high) with a scope change and high integrity/availability impact; no public exploit has been identified at time of analysis, but a vendor patch (v1.26.4) is available. The flaw is classed as CWE-285 (Improper Authorization) and was self-reported by the Gitea project.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (CVSS scope change) it exposes confidential repository contents without any integrity or availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available in Gitea 1.26.4.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authorization bypass in Gitea Open Source Git Server (versions up to and including 1.26.1) allows a user whose account was deliberately disabled by an administrator to silently regain access simply by signing in through a linked OAuth provider. The OAuth sign-in callback fails to honor the administrator's 'disabled' flag, effectively reversing an intended access-revocation action. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the flaw undermines a core account-lifecycle control on a widely self-hosted platform.

Authentication Bypass Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Gitea, the self-hosted open-source Git service, allows a remote unauthenticated attacker to exhaust server CPU by triggering catastrophic backtracking in the regular-expression engine that evaluates CODEOWNERS pattern matching. All versions prior to the fixed 1.26.3/1.26.4 releases are affected, and the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H only) confirms network-reachable, low-complexity, no-authentication abuse with availability-only impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), so exploitation risk is real but not yet widespread.

Authentication Bypass Denial Of Service Gitea Open Source Git Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.

Microsoft Google Microsoft Edge Chromium Based +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run code on a victim's machine when the user is lured into interacting with attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and, per its CVSS scope-change metric, is consistent with a renderer/sandbox boundary escape. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type confusion flaw (CWE-843) that an unauthorized attacker can trigger over the network to run arbitrary code, provided the victim interacts with attacker-controlled web content. Microsoft self-reported and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) and required user interaction (UI:R) temper an otherwise network-reachable, unauthenticated attack surface.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch shipped in 1.26.3.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Branch-protection bypass in Gitea's self-hosted Git server (all versions before 1.26.0) allows a user with push access to circumvent pre-receive hook enforcement by supplying oversized hook input that trips a bufio.Scanner error the code fails to handle safely. Because Gitea does not fail closed on the scanner error, the protection check is silently skipped and the push is accepted. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and this is not in CISA KEV, but a vendor patch (v1.26.0) is available.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Canonical URL spoofing in Gitea before 1.25.5 lets remote attackers inject malformed X-Forwarded-Proto values that the server trusts when computing its public-facing URL, causing it to emit attacker-controlled canonical links (e.g. in emails, redirects, and generated absolute URLs). No public exploit identified at time of analysis, and the low EPSS score (0.17%, 6th percentile) reflects minimal in-the-wild interest, but a vendor patch is available in v1.25.5. Note that the published CVSS vector claims availability impact (A:H) while the description describes URL spoofing (an integrity concern), a discrepancy worth verifying with the vendor.

Authentication Bypass Canonical Gitea +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Gitea 1.25.5 lets a user holding a per-branch maintainer-edit grant reuse that write permission against other refs and obtain full repository write access. The flaw stems from a branch-specific permission result being cached and incorrectly reused across multiple refs within a single pre-receive hook session. It is an authenticated authorization-bypass (CWE-863) fixed in Gitea 1.26.3; no public exploit has been identified and EPSS exploitation probability is low (0.20%).

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 41% 4.4 CVSS 8.2
HIGH POC PATCH THREAT Act Now

Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With a CVSS 3.0 base score of 8.2 driven by high confidentiality impact, the practical effect is unauthorized disclosure of otherwise-private package sourcing information.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commit metadata to any holder of a valid but under-privileged API token. Versions up to and including 1.26.2 are affected; the flaw is classified as CWE-863 (Incorrect Authorization) with a CVSS score of 4.3. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patches are available in v1.26.3 and v1.26.4.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea versions before 1.25.5 allow a user to change another user's primary email address.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Authentication Bypass Microsoft Gitea +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
Prev Page 9 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy