Authentication Bypass

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

A missing authentication check in the HTTP server of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) allows unauthenticated attackers to access privileged CGI endpoints intended for authenticated administrators. An attacker can perform critical operations including firmware upload and configuration changes without providing valid credentials, effectively gaining administrative control over the device. A vendor patch is available, and this vulnerability represents a direct authentication bypass with severe real-world exploitation potential.

Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.

Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.

The Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 contains an authentication bypass vulnerability where administrative credentials are stored in the ecos_pw cookie using reversible Base64 encoding with a static suffix, allowing attackers who obtain this cookie to forge valid administrative sessions and gain unauthorized device access. The vulnerability affects a network appliance product line and represents a critical authentication control failure. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown; however, the reversible encoding mechanism and static suffix suggest this is likely highly exploitable in practice.

An unauthenticated credential disclosure vulnerability exists in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware (including Tenda F3 v2.0 rebranded variants) through version 12.01.01.37, allowing adjacent network attackers to retrieve the Base64-encoded administrator password without authentication. The recovered credentials enable full device authentication and privilege escalation, facilitating further compromise when combined with other firmware weaknesses. No active KEV listing or public POC availability is currently documented, though the CVSS 6.5 score reflects the significant confidentiality impact despite network-adjacency requirement.

This vulnerability is an authentication bypass in the Bluetooth Handler component of Shenzhen HCC Technology MPOS M6 PLUS version 1V.31-N, exploitable via capture-replay attacks. An unauthenticated attacker on the local network can manipulate Bluetooth communications to bypass authentication mechanisms and gain unauthorized access with high attack complexity. A proof-of-concept exploit is publicly available on GitHub, and the vendor has not responded to disclosure attempts, leaving affected systems without an official patch.

Unauthenticated Bluetooth access in the Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N allows attackers on the local network to manipulate the device's Bluetooth functionality, compromising confidentiality and integrity. Public exploit code exists for this vulnerability, though exploitation requires complex local network positioning and timing. No patch is currently available from the vendor.

Keycloak's User-Managed Access endpoint fails to properly enforce access control on PUT operations, permitting authenticated attackers to modify protected resources despite the allowRemoteResourceManagement restriction being disabled. This access control bypass affects data integrity and impacts any organization using Keycloak for identity and access management. The vulnerability requires valid credentials to exploit and currently has no available patch.

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.

An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.

MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. A public proof-of-concept exploit is available on GitHub, significantly increasing the risk of active exploitation in the wild.

An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.

Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.

OmniPEMF NeoRhythm contains a missing authentication vulnerability in its Bluetooth Low Energy (BLE) interface that allows unauthenticated local network attackers to achieve limited unauthorized access. The vulnerability affects all versions up to and including 20260308 and requires high attack complexity but results in confidentiality, integrity, and availability impacts. While the CVSS score is moderate at 5.0, the vendor has failed to respond to early disclosure notifications, leaving affected users without official patches or timeline guidance.

PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.

The Expire Users plugin for WordPress versions up to and including 1.2.2 contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level. This occurs because the plugin improperly allows users to update the 'on_expire_default_to_role' meta field through the 'save_extra_user_profile_fields' function without proper authorization checks. With a CVSS score of 8.8 (High severity), this represents a critical security issue for affected WordPress installations, though no active exploitation (KEV) or EPSS data has been reported at this time.

The Hr Press Lite WordPress plugin (versions up to 1.0.2) contains a missing capability check vulnerability in the hrp-fetch-employees AJAX action that allows authenticated attackers with Subscriber-level access to retrieve sensitive employee information including names, email addresses, phone numbers, salary data, employment dates, and employment status. This represents a clear privilege escalation and information disclosure flaw with a CVSS score of 6.5 (Medium severity, high confidentiality impact) affecting all versions of the plugin distributed through the WordPress plugin repository.

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

UiPress lite plugin for WordPress through version 3.5.09 fails to validate user permissions on the global settings modification function, allowing authenticated subscribers and higher-privileged users to arbitrarily alter plugin configurations. This insufficient access control enables attackers to modify sensitive settings despite lacking administrative rights. A patch is not currently available.

The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.

The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).

The Company Posts for LinkedIn WordPress plugin (versions up to 1.0.0) contains a missing authorization vulnerability in the linkedin_company_post_reset_handler() function that allows authenticated attackers with Subscriber-level privileges to delete LinkedIn post data from the site's options table without proper capability checks. This is a privilege escalation flaw where low-privileged users can perform administrative actions. While the CVSS score is moderate at 4.3 and reflects limited integrity impact without confidentiality or availability concerns, the vulnerability enables unauthorized modification of site configuration data by any authenticated user.

The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.

The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.

The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.

OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.

OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.

OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.

OpenClaw versions prior to 2026.2.23 contain a webhook event deduplication bypass vulnerability where normalized Twilio event IDs are randomized on each parse, allowing attackers to replay webhook events and circumvent the manager's deduplication checks. An unauthenticated remote attacker can exploit this over the network to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. While no CVSS modifier for active exploitation or public POC is explicitly confirmed in the provided intelligence, the CVSS 6.5 score reflects moderate integrity and availability impact with low attack complexity.

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.write scope to escalate privileges and execute owner-only administrative functions including gateway and cron management through agent runs in scoped-token deployments. This is a privilege escalation issue affecting deployments using scoped authentication tokens, where write-level access can be exploited to perform control-plane operations reserved for owners. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant authorization bypass, though no KEV listing or public exploitation indicators are currently available.

OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in the signal reaction notification handling mechanism that allows unauthenticated attackers to enqueue status events before authorization checks are performed. Attackers can exploit the reaction-only event path in event-handler.ts to inject signal reaction status lines into sessions without validating proper DM or group access permissions, resulting in integrity compromise. The vulnerability has a CVSS score of 3.7 (low-to-moderate severity) with an attack vector of network, high complexity, and no privileges required, though no active exploitation or public proof-of-concept has been confirmed in known exploit databases.

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. While the CVSS score is 7.5 (High), there is no evidence of active exploitation (not in CISA KEV), though the vulnerability has been publicly disclosed through GitHub Security Advisories and VulnCheck, increasing the likelihood of proof-of-concept development.

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in HTTP gateway routes due to incorrect application of tokenless Tailscale header authentication. Attackers on trusted networks can access HTTP gateway routes without providing required token or password credentials, potentially exposing sensitive functionality. A patch is available from the vendor, and this vulnerability has been disclosed publicly via GitHub Security Advisory GHSA-hff7-ccv5-52f8.

OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in the approval-bound system.run execution function where the current working directory (cwd) parameter is validated at approval time but resolved at execution time, allowing attackers with local access and limited privileges to retarget symlinked directories between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. The vulnerability has a CVSS score of 6.5 with medium attack complexity but high integrity and availability impact, making it a notable local privilege escalation vector that requires user interaction in the approval workflow.

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.

A security vulnerability in for WordPress is vulnerable to unauthorized access in all (CVSS 5.3) that allows any authenticated user. Remediation should follow standard vulnerability management procedures.

An authorization bypass vulnerability exists in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where non-staff users with elevated group membership can access deleted posts belonging to any user through an overly permissive authorization check on the deleted posts index endpoint. This is a CWE-863 (Incorrect Authorization) vulnerability that allows unauthorized information disclosure of deleted content. No public exploit or active exploitation in the wild has been reported, but patches are available and no workarounds exist.

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization page spoofing vulnerability that allows unauthenticated attackers to inject attacker-controlled domains into legitimate Discourse authorization pages, enabling social engineering attacks. This CWE-862 (Missing Authorization) class vulnerability affects all affected Discourse installations and requires no authentication or special privileges to exploit. No active exploitation in the wild (KEV status) has been reported, but the attack surface is broad given Discourse's widespread use as an open-source discussion platform.

WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated AutomatedLogic controllers, which will process the spoofed packets as legitimate traffic. This vulnerability has a CVSS score of 7.5 with high integrity impact and is disclosed through ICS-CERT advisory ICSA-26-078-08.

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability where users with tag-editing permissions can edit and create tag synonyms for tags within restricted tag groups, even when those users lack visibility into the restricted tags themselves. This represents a broken access control issue (CWE-862) with low CVSS score (3.5) due to high privilege requirement and limited impact scope, though it enables unauthorized information disclosure and tag manipulation within the platform. No public exploit code or active exploitation in the wild has been reported at this time.

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an access control bypass vulnerability where attackers can grant invites to private message topics even after losing direct access to those conversations. This authentication bypass (CWE-863) allows unauthorized lateral privilege escalation within discussion communities. No public exploit code has been widely reported, but the vulnerability is patched across multiple release branches, indicating vendor awareness of active exploitation risk.

A privilege escalation vulnerability in Discourse allows staff members to arbitrarily modify group notification levels for any user without proper authorization checks. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, enabling authenticated staff users to alter notification settings for other users in ways they should not be permitted to do. While no CVSS score or EPSS data is available and no known public exploits have been confirmed, the vulnerability is classified under CWE-862 (Missing Authorization) and has been assigned a GitHub Security Advisory (GHSA-qggq-wr6h-vhrg) with patches available.

A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. This vulnerability affects operational technology (OT) infrastructure and has been disclosed by CISA ICS-CERT.

The WebSocket API in iGL Technologies' eparking.fi platform lacks rate limiting on authentication requests, enabling attackers to conduct brute-force attacks to gain unauthorized access or launch denial-of-service attacks that suppress or mis-route legitimate electric vehicle charger telemetry data. This vulnerability affects internet-accessible systems with no authentication required and low attack complexity (CVSS 7.5). There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, though the issue has been disclosed through CISA ICS-CERT advisory ICSA-26-078-08.

A broken access control vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows moderators to create Zendesk support tickets for topics they lack permission to view, bypassing intended access restrictions. This affects all Discourse forums utilizing the Zendesk plugin integration. The vulnerability is classified as CWE-863 (Incorrect Authorization) and has no publicly disclosed active exploitation or proof-of-concept code, though patches are available from the vendor.

Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.

An authorization bypass vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows authenticated users to accept or unaccept solutions in hidden Solved topics without proper authorization checks. The vulnerability affects the open-source Discourse discussion platform and permits users with valid credentials to manipulate solution status across topics they should not have access to, resulting in information disclosure and integrity violations. This is a low-to-moderate severity issue with a CVSS score of 5.4 that requires prior authentication but carries exploitation risk in multi-tenant or federated Discourse installations.

A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station sessions by connecting with the same predictable session identifier used by legitimate stations. This enables authentication bypass, interception of backend commands intended for legitimate charging stations, and denial-of-service through session flooding. The vulnerability affects CTEK ChargePortal with a CVSS score of 7.3 and is documented in ICS-CERT advisory ICSA-26-078-06, though no active exploitation (KEV) or public POC has been reported.

The CTEK ChargePortal WebSocket API contains a critical rate limiting vulnerability that permits unlimited authentication attempts. This flaw enables attackers to either launch denial-of-service attacks by overwhelming the system with authentication requests that suppress legitimate charger telemetry data, or conduct brute-force attacks to compromise user credentials and gain unauthorized system access. With a CVSS score of 7.5 and network-based attack vector requiring no privileges, this poses significant risk to electric vehicle charging infrastructure operators.

Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against EV charging infrastructure without credentials. By connecting with a known station identifier, threat actors can manipulate charging operations, escalate privileges, and corrupt backend network data. No patch is currently available for this critical vulnerability affecting charging station deployments.

An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.

Parse Server is vulnerable to a permanent denial-of-service attack that bypasses the previous CVE-2026-32944 fix. An unauthenticated attacker can send a specially crafted HTTP request containing deeply nested query structures with logical operators to permanently hang the Parse Server process, requiring manual restart. This affects parse-server npm package installations, and patches are available from the vendor.

Ory Oathkeeper contains a cache key confusion vulnerability in its oauth2_introspection authenticator that allows attackers to bypass authentication by reusing tokens across different introspection servers. Attackers with a valid token for one configured introspection server can exploit the cache mechanism to gain unauthorized access to resources protected by different introspection servers. This vulnerability requires the specific precondition of multiple oauth2_introspection authenticators with caching enabled, and a patch is available from the vendor.

Ory Oathkeeper improperly trusts the X-Forwarded-Proto header regardless of the serve.proxy.trust_forwarded_headers configuration setting, allowing attackers to bypass protocol-based access controls. This affects deployments of pkg:go/github.com_ory_oathkeeper where distinct HTTP and HTTPS rules are configured, enabling an attacker to craft requests with spoofed X-Forwarded-Proto headers to trigger unintended authorization rules. A vendor patch is available and exploitation requires specific preconditions (protocol-differentiated rules and ability to trigger one rule but not the other), limiting real-world impact despite the CVSS 6.5 score.

Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).

This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.

The Langflow Python package contains an authentication bypass vulnerability in its image file download endpoint that allows unauthenticated attackers to access image files uploaded by any user. Langflow, a visual framework for building AI applications, fails to enforce authentication and ownership checks on the /api/v1/files/images/{flow_id}/{file_name} endpoint, while all other file operation endpoints properly implement these security controls. A proof-of-concept exploit exists demonstrating that any attacker with knowledge of a flow UUID and filename can retrieve sensitive image data without credentials, posing a critical risk in multi-tenant deployments where cross-tenant data leakage can occur.

Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.

An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.

A time-based one-time password (TOTP) reuse vulnerability exists in Vikunja's authentication implementation where a valid TOTP code can be used multiple times within its 30-second validity window, allowing an attacker who captures or obtains a valid code to authenticate as a targeted user. This affects all users who have enabled two-factor authentication (2FA) on Vikunja instances, and while the CVSS score of 5.7 reflects moderate severity, the vulnerability undermines a critical layer of the defense-in-depth authentication model. A proof-of-concept demonstrating the reuse attack has been publicly disclosed.

An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.

Node.js applications using Effect library versions 3.19.15 and earlier with @effect/rpc 0.72.1 and @effect/platform 0.94.2 are vulnerable to context confusion due to improper AsyncLocalStorage handling in the MixedScheduler, allowing attackers to access sensitive data from other concurrent requests through race conditions. An attacker can exploit the batching mechanism to read or modify context belonging to different requests processed in the same microtask cycle, potentially leading to data leakage between users in multi-tenant environments. No patch is currently available.

A mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin level, bypassing all role-based access controls. Checkmate versions 3.5.1 and prior are affected, an open-source self-hosted server monitoring tool from Bluewave Labs. Attackers can gain complete administrative access to view all users, modify critical configurations, and access sensitive system data, though no public patches are currently available.

Vikunja task management application contains an authentication bypass vulnerability in its password reset logic that allows disabled user accounts to be reactivated without authorization. The ResetPassword() function unconditionally sets user status to 'Active' after password reset completion, enabling disabled users to regain full access by requesting a password reset token and completing the reset process. A working proof-of-concept Python script is publicly available demonstrating automated exploitation of this vulnerability.

The Vikunja todo application contains an authentication bypass vulnerability in its CalDAV endpoint that allows attackers to circumvent two-factor authentication (2FA) protections by using basic HTTP authentication. An attacker with valid username and password credentials can access CalDAV endpoints without providing a TOTP token, gaining unauthorized access to protected project information including names, descriptions, and task details. A proof-of-concept exploit has been publicly documented, and patches are available from the vendor.

An authenticated user in Vikunja can read any task comment by its ID without proper authorization checks, regardless of whether they have access to the task that comment belongs to. The vulnerability exists in the `GET /api/v1/tasks/{taskID}/comments/{commentID}` endpoint, which validates access against the attacker-controlled task ID in the URL but then loads the comment by ID alone, bypassing task ownership verification. Any authenticated attacker with read access to at least one task can enumerate and retrieve comments from arbitrary tasks and private projects, leading to unauthorized information disclosure.

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QNAP QHora devices, allowing attackers with physical access to exploit insufficient endpoint validation and gain privileges intended for legitimate endpoints. The vulnerability affects QHora/QuRouter products prior to version 2.6.3.009. While no CVSS score or EPSS data is currently available and the vulnerability does not appear in active exploitation databases (KEV), the physical access requirement significantly constrains real-world exploitability, though the privilege escalation impact remains concerning for organizations with physical security controls.

QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.

QuNetSwitch contains hard-coded credentials that allow remote attackers to bypass authentication and gain unauthorized access to affected systems. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, where credentials are embedded in the application code rather than properly managed through secure credential storage mechanisms. Remote attackers can exploit this weakness without requiring valid user credentials, leading to complete compromise of the network switch management interface.

OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.

A permission-check bypass vulnerability exists in Vikunja versions 0.20.2 through 2.1.x where the DELETE /api/v1/projects/:project/background endpoint incorrectly validates CanRead permissions instead of CanUpdate permissions, allowing read-only project members to permanently delete a project's background image. This affects the go-vikunja:vikunja product family, and the vulnerability has been patched in version 2.2.0 as documented in the GitHub security advisory GHSA-564f-wx8x-878h.

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to circumvent mutual TLS certificate requirements by sending fragmented TLS ClientHello packets. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. When ClientHello messages are fragmented across multiple TLS records, SNI extraction fails with an EOF error, causing the TCP router to fall back to default TLS configuration without client certificate validation, enabling unauthorized access to services that should require mTLS authentication.

Frigate versions prior to 0.17.0-beta1 contain an authentication weakness that allows any authenticated user to change another user's password without verifying the current password via the /users/{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.

FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.