Authentication Bypass

Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.

CVE-2026-32326 is a security vulnerability (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

A local privilege escalation vulnerability in Apple's Keychain implementation allows an attacker with local access to bypass permissions checking and retrieve sensitive stored credentials and secrets. The vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. No public exploitation has been confirmed, and patched versions are now available across all affected platforms.

A path handling vulnerability in iOS and iPadOS allows users with physical access to an iOS device to bypass Activation Lock through improved validation gaps in path handling logic. This authentication bypass affects iOS versions prior to 18.7.7 and 26.2, as well as corresponding iPadOS releases. While no CVSS score or EPSS data is publicly available, the physical access requirement and authentication bypass nature indicate a meaningful risk to device security and stolen device protection.

An authorization flaw in macOS Tahoe allows applications to bypass access controls and retrieve protected user data due to improper state management during permission checks. Apple has addressed this vulnerability in macOS Tahoe 26.4, and all versions prior to 26.4 remain vulnerable. Affected users should prioritize upgrading to the patched version to prevent unauthorized data access by malicious or compromised applications.

A permissions enforcement vulnerability in macOS allows unauthorized applications to access sensitive user data due to insufficient access controls that have been remediated through code removal. The vulnerability affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An unprivileged application could potentially read or access protected user information without proper user consent or authorization, representing a confidentiality breach with moderate real-world impact depending on the specific data accessible.

Improper path validation in Apple macOS Tahoe allows unauthenticated remote attackers to read sensitive user data through directory path traversal. The vulnerability requires no user interaction and affects systems prior to macOS Tahoe 26.4. No patch is currently available for this medium-severity issue.

An authorization bypass vulnerability in macOS allows applications to access sensitive user data through improper state management of access controls. The vulnerability affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). While no CVSS score, EPSS data, or KEV status is currently published, Apple has released patches addressing this issue, indicating it was discovered through internal review rather than active exploitation.

Improper state management in Apple's authentication mechanisms across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows attackers positioned on a network to intercept and potentially manipulate encrypted traffic. An attacker with privileged network access can exploit this vulnerability to conduct man-in-the-middle attacks without user interaction, compromising the confidentiality of communications. No patch is currently available for this high-severity flaw.

A privacy vulnerability in macOS Tahoe allows applications to access sensitive user data that should have been protected through proper data isolation. The vulnerability affects macOS versions prior to 26.4, where sensitive data was not adequately segregated from application access. An attacker or malicious application could exploit this flaw to read protected user information without proper authorization, representing a direct information disclosure risk.

This vulnerability allows unauthorized applications to access sensitive user data on affected macOS systems through improved security checks that were insufficient in earlier versions. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An attacker with the ability to execute a malicious application on a vulnerable system could potentially read or exfiltrate sensitive user information that should be protected by macOS security controls. There is no evidence of active exploitation in the wild or public proof-of-concept availability, and the limited disclosure details suggest Apple addressed this proactively before widespread abuse.

This vulnerability is a privacy issue in Apple macOS where improved private data redaction for log entries was not properly implemented, allowing applications to potentially access user-sensitive data that should have been redacted. The vulnerability affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, with no public indicators of active exploitation or proof-of-concept code. While CVSS and EPSS scores are unavailable, the nature of the issue suggests moderate real-world risk due to its reliance on application-level exploitation requiring user interaction or system access.

A permissions enforcement vulnerability in macOS allows applications to bypass sandbox restrictions and access sensitive user data without proper authorization. The issue affects macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), and macOS Tahoe (versions before 26.4). Apple has patched this vulnerability through enhanced permission restrictions, but no public exploit code or active in-the-wild exploitation has been confirmed at this time.

Root-privileged applications on Apple macOS can bypass path validation to delete protected system files due to insufficient input sanitization. This affects macOS Tahoe 26.4 and requires the attacker to already have root-level access, limiting the attack surface to local privilege escalation scenarios. No patch is currently available.

A logging issue in Apple macOS allows applications to access sensitive user data that should have been redacted from logs. The vulnerability affects macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), and macOS Tahoe (versions before 26.4). An attacker controlling a malicious app could exploit improper data redaction in system logging to exfiltrate sensitive information that was intended to be masked.

A permissions enforcement vulnerability in Apple's operating systems allows applications to bypass access controls and read protected user data without proper authorization. The issue affects iOS and iPadOS versions prior to 26.3, and macOS Tahoe prior to 26.3. An attacker with a malicious app could exploit insufficient permission restrictions to access sensitive user information such as contacts, location data, photos, or other protected resources that should require explicit user consent.

A privacy vulnerability in macOS allows applications to capture a user's screen through improper handling of temporary files. The issue affects macOS Sequoia versions prior to 15.7.4 and macOS Tahoe versions prior to 26.3, enabling unauthorized screen capture by malicious or compromised applications. This vulnerability represents an information disclosure threat where sensitive user data visible on screen could be exfiltrated without user consent or awareness.

A permissions enforcement vulnerability in Apple operating systems allows unauthorized enumeration of installed applications on a user's device. This information disclosure issue affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. An attacker with the ability to execute code as an installed application could enumerate the complete list of user-installed applications without explicit user permission, enabling targeted attacks, privacy violations, and device profiling.

This vulnerability allows an attacker with physical access to a locked Apple device to view sensitive user information through an authentication bypass. The issue affects iOS and iPadOS versions prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4 across all affected device lines. Apple has patched this through improved authentication mechanisms, and while no CVSS score, EPSS data, or known exploits-in-the-wild status are publicly disclosed, the physical access requirement and information disclosure impact characterize this as a moderate-priority security update for users in environments with theft or unauthorized device access risks.

A bypass vulnerability exists in iOS and iPadOS Stolen Device Protection that allows an attacker with physical access to an iOS device to circumvent biometric authentication and access protected apps using only the device passcode. This vulnerability affects devices running iOS and iPadOS versions prior to 26.4, where Stolen Device Protection is enabled. An attacker gaining physical possession of a locked device can exploit this flaw to access biometrics-gated Protected Apps, effectively defeating the intended security mechanism that requires biometric verification (Face ID or Touch ID) in addition to the passcode for sensitive app access.

Improper path validation in Apple's operating systems (iOS, iPadOS, macOS, and visionOS) allows applications to bypass directory access restrictions and read sensitive user data without user interaction. An attacker with a malicious app could exploit this parsing weakness to access confidential information across affected Apple devices. No patch is currently available, though Apple has released fixed versions across its product line.

A validation flaw in macOS entitlement verification allows applications to bypass privilege checks and gain elevated system privileges. The vulnerability affects macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. Apple has addressed this issue through improved validation of process entitlements in patched versions (15.7.5, 14.8.5, and 26.4 respectively), but no CVSS score, EPSS data, or KEV inclusion status is currently available, limiting immediate risk quantification.

A logic flaw in macOS Tahoe allows applications to bypass security controls and access sensitive user data without proper authorization. The vulnerability affects macOS versions prior to 26.4 and is addressed through improved input validation and access control checks. While CVSS scoring data is unavailable, Apple has released a patch indicating this is a genuine security concern requiring immediate attention.

A permissions validation flaw in macOS Tahoe allows applications to circumvent Gatekeeper security checks, potentially enabling execution of untrusted or malicious code that would normally be blocked by Apple's code signing and notarization mechanisms. This vulnerability affects macOS Tahoe versions prior to 26.4 and is fixed in the 26.4 release. An attacker with the ability to distribute a specially crafted application could bypass endpoint security controls designed to protect users from unsigned or malicious software.

N2W versions prior to 4.3.2 and 4.4.0 prior to 4.4.1 contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.

N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No CVSS score, EPSS data, or active KEV designation is currently available, limiting immediate risk quantification.

The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.

NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.

NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.

NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.

NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.

An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. When ACLs are configured to restrict access to message subjects, these controls are not enforced within the $MQTT.> namespace, enabling low-privileged MQTT users to publish or subscribe to subjects they should not have access to.

NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild has been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.

A valid NATS client using message tracing headers can be exploited to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15, allowing authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the capability to publish to unauthorized subjects represents an integrity violation and potential information disclosure risk.

HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. While the CVSS score is moderate (6.3) and no active exploitation in the wild has been documented in KEV databases, the authentication bypass nature of this issue presents a real risk to organizations relying on Traveler for secure communications.

CVE-2026-33621 is a security vulnerability (CVSS 4.8). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.

PinchTab versions 0.7.8 through 0.8.3 accept API authentication tokens via URL query parameters (?token=...) in addition to the Authorization header, creating an unsafe credential transport pattern that exposes tokens through intermediary logs, browser history, shell history, and clipboard history. While this is not a direct authentication bypass-an attacker must obtain the token from a secondary source-the vulnerability is compounded by first-party dashboard setup flows that generate and consume tokenized URLs, increasing practical exposure likelihood. The issue was resolved in version 0.8.4 by removing query-string token authentication entirely and enforcing header-based authentication.

Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. A security patch is available in version 0.11.6 and the vulnerability has been disclosed via GitHub Security Advisory GHSA-354j-rx28-jjxm.

A broken access control vulnerability in FileRise's ONLYOFFICE integration allows authenticated users with read-only permissions to overwrite files with malicious content by forging ONLYOFFICE save callbacks using legitimately obtained signed callbackUrls. FileRise versions prior to 3.10.0 are affected. There is no evidence of active exploitation (not in CISA KEV), but proof-of-concept details are available through the GitHub Security Advisory GHSA-6c3j-f4x4-36m3.

Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability.

pyLoad versions 0.4.20 through 0.5.0b3.dev96 contain an authentication bypass vulnerability in the ClickNLoad feature's local_check decorator that allows remote attackers to spoof the HTTP Host header and access localhost-restricted endpoints without authentication. This vulnerability enables unauthenticated remote users to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code with the privileges of the pyLoad process. The vulnerability has been patched in version 0.5.0b3.dev97, and exploitation appears feasible given the straightforward nature of HTTP header manipulation.

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vulnerability that allows attackers to bypass platform-level security restrictions by manipulating the x-astro-path header and x_astro_path query parameter. Any remote attacker without authentication can rewrite internal request paths to access restricted endpoints such as /admin/*, with the attack preserving the original HTTP method and request body, enabling POST, PUT, and DELETE operations against protected resources. The vulnerability has been patched in version 10.0.2, and proof-of-concept code is available via the referenced GitHub security advisory and pull request.

Unauthenticated remote code execution in Pharos Controls Mosaic Show Controller firmware 2.15.3 enables attackers to bypass authentication and execute arbitrary commands with root privileges without user interaction. This critical vulnerability affects all instances exposed to network access with no available patch. The extremely low EPSS score suggests limited real-world exploitation despite the severe technical impact.

An authorization bypass vulnerability exists in Craft CMS that allows authenticated control panel users with minimal accessCp permission to move entries across sections without possessing the required saveEntries:{sectionUid} permissions for either source or destination sections. The vulnerability affects Craft CMS versions prior to 5.9.14 and results from missing authorization enforcement in the POST /actions/entries/move-to-section endpoint, enabling low-privileged users to perform unauthorized content modifications that violate integrity controls and potentially disrupt editorial workflows and content routing. A patch is available from the vendor.

An unauthenticated user can exploit the `/assets/generate-transform` endpoint in Craft CMS to generate valid transform URLs for private assets without authorization checks, allowing anonymous access to transformed image content that should be restricted. This authentication bypass affects Craft CMS versions prior to 4.17.8 and 5.9.14, enabling attackers to derive and view content from private assets through the publicly accessible transform endpoint. The vulnerability has a published patch and advisory available from the vendor.

Unauthenticated guests can access Config Sync updater endpoints to retrieve signed state data and execute privileged state-changing actions such as YAML regeneration and application without authentication. This vulnerability in ConfigSyncController stems from insufficient access controls on the base updater interface, allowing attackers to reuse captured signed data in subsequent requests to modify system configuration. A patch is available to address this authentication bypass.

An authenticated Insecure Direct Object Reference (IDOR) vulnerability in Craft CMS allows low-privileged users to read private asset content by calling the assets/edit-image endpoint with an arbitrary assetId parameter they are not authorized to view. The endpoint fails to enforce per-asset authorization checks before returning image bytes or preview redirects, enabling unauthorized disclosure of sensitive files. A patch is available from the vendor for affected versions (Craft CMS 4.17.8 and 5.9.14), and the vulnerability affects all Craft CMS installations where private assets exist and low-privileged authenticated users have access.

An authenticated user can manipulate server-generated session fields (expiresAt and createdWith) when updating their own session via the Parse Server REST API, allowing them to extend or indefinitely prolong their session validity and bypass the server's configured session lifetime policies. This authentication bypass affects Parse Server (npm:parse-server) on both version 8 and 9 branches, enabling a low-complexity attack that requires only valid user credentials. No public exploit or active exploitation in the wild has been documented, but patches are available from the vendor.

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the LoLLMs WEBUI application, allowing unauthenticated remote attackers to force the server to make arbitrary GET requests through the `/api/proxy` endpoint. All known existing versions of lollms-webui are affected, and as of publication, no patched version is available. Attackers can exploit this to access internal services, scan local networks, or exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.

Vikunja prior to version 2.2.1 contains an authorization bypass vulnerability in the DELETE /api/v1/projects/:project/shares/:share endpoint that fails to verify link share ownership. An attacker with administrative access to any project can delete link shares from arbitrary other projects by combining their own project ID with a target share ID, effectively allowing cross-project share manipulation. This is a privilege escalation and denial-of-service vector affecting self-hosted Vikunja deployments where multiple projects exist.

Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.

Vikunja, an open-source self-hosted task management platform, contains an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to access or delete attachments belonging to other users' tasks. The vulnerability affects all versions prior to 2.2.1, enabling attackers to enumerate and download attachments by combining their own valid task ID with sequential attachment IDs. With a CVSS score of 8.1 (High severity), this represents a significant confidentiality and integrity risk, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported.

Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.

Vikunja versions 0.18.0 through 2.2.0 contain an authentication bypass vulnerability where disabled or locked user accounts can continue accessing the system through alternative authentication mechanisms. The vulnerability affects the go-vikunja/vikunja product across all matching versions, allowing attackers with knowledge of valid but disabled account credentials to maintain API access, CalDAV synchronization, and OpenID Connect sessions despite administrative account lockdown. While no CVSS score or EPSS data is available from official sources, the vulnerability represents a critical authorization control failure (CWE-285) with high real-world impact in multi-tenant or regulated environments where account disabling is a primary access revocation mechanism.

NGINX Plus and NGINX Open Source contain an authentication bypass vulnerability in the ngx_stream_ssl_module where revoked certificates are incorrectly accepted during TLS handshakes despite OCSP checking. When ssl_verify_client and ssl_ocsp are both enabled, the module fails to properly enforce certificate revocation status, allowing clients with revoked certificates to establish connections. This affects both commercial NGINX Plus and open-source NGINX deployments with a CVSS score of 5.4 (Medium), representing a localized confidentiality and integrity impact requiring authenticated attackers.

A spoofing vulnerability exists in Firefox's Privacy: Anti-Tracking component that allows attackers to deceive users or bypass security mechanisms through fraudulent representation. Firefox versions prior to 149 are affected. While specific exploit details are limited in available intelligence, the spoofing nature suggests attackers could impersonate legitimate content or services, potentially leading to credential theft, phishing success, or privacy compromise. No CVSS score, EPSS data, or confirmed KEV status is currently available, limiting real-time risk quantification.

This vulnerability is a mitigation bypass in Firefox's HTTP networking component that allows attackers to circumvent existing security controls. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected, enabling attackers to bypass authentication or other HTTP-level protections. While specific CVSS and EPSS scores are not provided, the mitigation bypass classification and Mozilla's issuance of security advisories indicate this requires prompt patching.

Checkmk exposes its session signing secret in configurations synchronized between remote and central sites, allowing a remote site administrator to forge valid session cookies and hijack user sessions on the central monitoring instance. This vulnerability affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and all 2.2.0 releases when configuration synchronization is enabled. An attacker with administrative privileges on a remote Checkmk site can leverage this exposure to impersonate any user, including central site administrators, potentially gaining complete control over the monitoring infrastructure.

Apache Artemis before version 2.52.0 contains an authentication bypass vulnerability (CVE-2026-27446) that allows attackers to read all messages exchanged via the broker and inject new messages. KNIME Business Hub, which embeds Apache Artemis, is affected across all versions, though exploitation requires an authenticated user with workflow execution privileges who can register a federated mirror without authenticating to the underlying Artemis instance. While no public exploit code has been disclosed and CVSS scoring is unavailable, the vulnerability represents a significant insider threat with direct impact on message confidentiality and integrity.

An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis where the OpenWire protocol fails to properly enforce permission checks when creating non-durable JMS topic subscriptions on non-existent addresses. A user with only 'createDurableQueue' permission but lacking 'createAddress' permission can bypass authorization controls to create temporary addresses that should be denied, circumventing the intended security model when address auto-creation is disabled. This authentication bypass persists until the OpenWire connection closes and the temporary address is cleaned up.

The WP DSGVO Tools (GDPR) plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to permanently destroy any non-administrator user account. Attackers can trigger immediate and irreversible account anonymization (randomizing passwords, overwriting usernames/emails, stripping roles, anonymizing comments, and wiping sensitive metadata) by submitting a victim's email address with a publicly available nonce. All versions up to and including 3.1.38 are affected, with a CVSS score of 9.1 indicating critical severity.

The Product Filter for WooCommerce by WBW plugin for WordPress (versions up to 3.1.2) contains a critical authentication bypass vulnerability that allows unauthenticated attackers to permanently delete all filter configurations by truncating the wp_wpf_filters database table. The vulnerability stems from the plugin's MVC framework registering unauthenticated AJAX handlers without capability checks, combined with a magic method that forwards calls to the model layer and a permission check that defaults to true. An attacker can exploit this with a single crafted AJAX request, resulting in complete data loss and service disruption for WooCommerce installations using this plugin.

Vitals ESP, a software product developed by Galaxy Software Services, contains a Missing Authentication vulnerability that allows unauthenticated remote attackers to execute certain functions and obtain sensitive information. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, resulting in high confidentiality impact. This issue was reported by Taiwan CERT (twcert) and is classified as an Authentication Bypass vulnerability.

Vitals ESP, a healthcare software product developed by Galaxy Software Services, contains an incorrect authorization vulnerability that allows authenticated remote attackers with low-level privileges to escalate their access and perform administrative functions. The vulnerability has a CVSS score of 8.8 (High), indicating network-based exploitation with low attack complexity requiring only low-level authentication. No KEV listing or EPSS data is currently available, though Taiwan CERT (TWCERT) has published advisories on this issue.

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unaattacked attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

The User Registration & Membership plugin for WordPress contains an insufficient capability check vulnerability in its Content Access Rules REST API endpoints, allowing authenticated contributors and above to bypass intended administrative restrictions. Versions 5.0.1 through 5.1.4 are affected, enabling attackers to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access. The vulnerability has a CVSS score of 5.4 with low attack complexity and low privilege requirements, making it readily exploitable by any authenticated user with contributor-level access or higher.

The LearnPress WordPress LMS Plugin contains a missing capability check vulnerability in the delete_question_answer() function that allows authenticated attackers with Subscriber-level privileges to delete quiz answer options without authorization. Affected versions include 4.3.2.8 and earlier; the vulnerability was patched in version 4.3.3. While the CVSS score is moderate (4.3), the attack requires only low-privilege authentication and no user interaction, making it practical for any authenticated site user to exploit.

The Smart Custom Fields WordPress plugin contains an authorization bypass vulnerability in the relational_posts_search() AJAX function that allows authenticated contributors and above to access private and draft posts from other authors. Affected versions through 5.0.6 fail to perform per-post capability checks, instead relying only on a generic edit_posts check, enabling unauthorized information disclosure of sensitive post content. With a CVSS score of 4.3 and low attack complexity requiring only network access and contributor-level credentials, this vulnerability poses a moderate risk to multi-author WordPress installations.

Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available.

OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.

OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.

OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.

OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.

OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.

OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.

Blinko, an AI-powered card note-taking application, contains an authentication bypass vulnerability in its comment management endpoints that allows unauthenticated attackers to create and view comments on any note, including private notes that have not been publicly shared. Versions prior to 1.8.4 are vulnerable, and a patch has been released and is available via the official GitHub repository. The vulnerability has a CVSS 4.0 score of 6.9 with a network attack vector requiring no privileges or user interaction, making it trivial to exploit.

An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authentication bypass vulnerability has a CVSS score of 6.0 and affects the Blinko AI-powered note-taking application. A patch is available in version 1.8.4, and proof-of-concept information is available via the official GitHub security advisory.

Improper authorization in the My Page profile update feature allows authenticated attackers to modify arbitrary user profiles and passwords, potentially leading to account takeover. Affected versions include 1.x through 1.41.0 and 2.x through 2.41.0; patches are available in versions 1.41.1 and 2.41.1. Exploitation requires valid authentication but no additional privileges or user interaction.

Insufficient authorization checks in the page content retrieval feature (versions 1.x <= 1.41.0 and 2.x <= 2.41.1) allow unauthenticated attackers to access non-public page contents and attachments. An attacker can retrieve sensitive information from restricted pages without proper credentials. Users must upgrade to version 1.41.1 or 2.41.1 to remediate this vulnerability.

Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability.

A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.

An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.

MantisBT versions prior to 2.28.1 contain an authentication bypass vulnerability in the SOAP API caused by improper type checking on the password parameter when running on MySQL family databases. An attacker who knows a victim's username can log in to the SOAP API without knowing the correct password and execute any API function available to that account. While a CVE CVSS score is not yet assigned, the vulnerability is patched in version 2.28.1, and disabling the SOAP API reduces but does not eliminate the risk.

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.