Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
Recent CVEs (31263)
Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).
Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.
Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.
Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.
Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.
Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.
Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.
Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.
Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.
Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.
Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.
Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.
Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.
Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.
Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.
Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.
Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.
Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.
Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.
Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. A working proof of concept is published in the GitHub Security Advisory (GHSA-3whc-qvhv-xqjp); publicly available exploit code exists, but there is no public exploit identified as being used in active attacks.
Silent authentication downgrade in the OnGres SCRAM Java client (com.ongres.scram:scram-client and scram-common, versions <= 3.2) lets a TLS man-in-the-middle strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256, defeating clients that explicitly set channelBinding=require. The flaw only manifests when the server certificate uses a modern signature algorithm without a 'WITH' name (e.g., Ed25519 or post-quantum), causing the deprecated getChannelBindingData() API to swallow a NoSuchAlgorithmException and return an empty byte array that the builder misreads as 'no channel binding available.' No public exploit is identified at time of analysis, and it is not listed in CISA KEV; a vendor patch (3.3) is available.
Symlink traversal in oras-go's file content store allows writes outside the intended `workingDir` boundary even when `AllowPathTraversalOnWrite=false`. Applications that pull OCI artifacts from untrusted registries where an attacker controls blob titles (`ocispec.AnnotationTitle`) are at risk if any directory component under `workingDir` is a symlink pointing to an external path. No confirmed active exploitation (not in CISA KEV), but a self-contained proof-of-concept was included in the researcher's disclosure, making reproduction straightforward given the prerequisites.
Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. The CVSS 4.0 score is 5.3 (medium); no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Cross-tenant authorization bypass in Rancher Fleet allows a low-privileged tenant in a multi-tenant environment to read any ConfigMap or Secret across all namespaces of a shared downstream cluster and to deploy cluster-wide resources without being bound to a restricted service account. The flaw (CWE-863, CVSS 9.9) is exploitable by authenticated tenants who abuse valuesFrom in fleet.yaml (via GitRepo) or HelmOp/Bundle resources; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).
SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the `Document::purge_edges` routine fires with permissions explicitly disabled (`opt.clone().with_perms(false)`), meaning the edge table's `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses are never consulted. This is a confirmed authorization bypass (CWE-285) fixed in version 3.1.0; no public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.
{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.
Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.
Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. No public exploit or CISA KEV listing has been identified at time of analysis, though the network-accessible, zero-prerequisite attack vector warrants prompt patching.
Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.
Missing authorization controls in the ApplyOnline WordPress plugin (versions through 2.6.7.6) by WP Reloaded allow unauthenticated remote attackers to perform unauthorized write-level actions by exploiting incorrectly configured access control security levels. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against any network-accessible WordPress installation running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low complexity and zero-auth requirement make this straightforward to abuse.
Missing authorization in the ThumbPress WordPress plugin (Codexpert Inc) through version 6.3.2 allows low-privileged authenticated users to invoke restricted plugin functionality, resulting in limited availability impact against thumbnail or image-size management operations. The CVSS vector (PR:L, A:L) confirms exploitation requires an authenticated session but no elevated role, and produces no confidentiality or integrity loss - only partial disruption. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Incorrect Authorization (CWE-863) in Elastic Defend exposes response action data to low-privileged authenticated users who should not have access to it. The flaw, classified under CAPEC-1, arises because access controls on specific functionality are not properly enforced, allowing a user with minimal privileges to read security response action data belonging to other users or roles. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, but the High confidentiality impact (CVSS C:H) means sensitive endpoint response data - such as isolation actions, process kills, or file retrieval outputs - could be disclosed.
Unauthenticated remote attackers can bypass access controls in the Webba Booking WordPress plugin (all versions through 6.4.13) due to missing server-side authorization checks on one or more booking-related endpoints, enabling unauthorized integrity-affecting actions such as creating, modifying, or canceling bookings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero-friction exploitation requiring no credentials or user interaction against any internet-facing WordPress site running the affected plugin. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.
Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.
Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.
Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.
Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).
Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding host-edit permissions to retrieve sensitive infrastructure metadata from organizations and locations they are not authorized to access. The root cause is the taxonomy_scope controller method accepting organization and location IDs from nested request parameters without validating them against the caller's authorized tenancy scope, implementing a textbook CWE-639 authorization bypass through user-controlled key. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is identified at time of analysis; however, the low attack complexity and lack of user interaction make this straightforward to exploit for any low-privileged authenticated user in multi-tenant Satellite deployments.
Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host-edit permissions to retarget an existing lookup value override to hosts outside their authorized organizational or location scope. The flaw stems from insufficient authorization enforcement on the match field when modified via nested host attributes, allowing an attacker to effectively write configuration overrides to managed hosts they are not permitted to administer. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_keypairs' permission to bypass taxonomy scoping and retrieve private SSH keys belonging to foreign organizations by directly querying key pair IDs via the API. The flaw is an IDOR (CWE-639) at the multi-tenancy enforcement layer, meaning the isolation contract between tenant organizations is broken for any user granted that permission. No CISA KEV listing or public exploit code has been identified at time of analysis; impact is strictly confidentiality - no write or destructive capability is exposed through this path.
Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.
Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.
Unauthorized cross-user data access in Dassault Systèmes BIOVIA Workbook (Release 2021 through Release 2026) stems from a race condition that lets one authenticated low-privilege user read data belonging to another user. Vendor 3DS tags the flaw as an authentication bypass, and its CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L) reflects network-reachable exploitation by any authenticated account with high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no EPSS or KEV signal supplied.
MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user via a missing authorization check on the `/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure` web API endpoint. Confirmed by CERT-PL in version 25.3.3.1, the flaw allows low-privileged users to retrieve permission hierarchies and internal configuration details intended only for administrators. No active exploitation has been identified, no public exploit code exists, and vendor contact attempts were unsuccessful, leaving the patch timeline and full version impact unresolved.
Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.
Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. No public exploit identified at time of analysis; the flaw is method-agnostic and requires no special preconditions, and the vendor rates it CVSS 9.1.
Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. No public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated and low-complexity attack vector broadens the exposure surface beyond what the medium CVSS score alone conveys.
Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.
Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. The permission_callback validates only generic edit_posts and publish_posts capabilities rather than post ownership, meaning the built-in Author role is sufficient for exploitation. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. An attacker exploiting this flaw can silently deface competitor or victim listings with a site-wide 'Sold' badge while also stripping the `special_car` featured post meta, causing business harm on dealership or classifieds sites. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Missing authorization on an AJAX endpoint in the Salon Booking System WordPress plugin (all versions before 10.30.20) allows any authenticated subscriber-level user to modify plugin settings and disable the manual approval workflow for new bookings. A publicly available proof-of-concept exists per WPScan's disclosure, making exploitation straightforward for any registered user on affected sites. No public exploitation (CISA KEV) has been confirmed, and SSVC assessment classifies technical impact as partial with exploitation not yet automated.
Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.
Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.
Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.
Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). At the time of analysis there is no public exploit identified and the flaw is not listed in CISA KEV; no EPSS value was supplied.
CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.
Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected `cpabc_appointments_filter_list` AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but a source-level fix appears committed in the plugin's SVN repository (changeset 3581633).
Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. No public exploit code or CISA KEV listing exists at time of analysis; however, the low barrier to exploitation - any registered Contributor can leverage this - makes it relevant for multi-author WordPress sites. EPSS data was not provided in the input.
Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a valid WordPress account and the limited scope of impact (group record deletion only).
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. Rated CVSS 9.1 (CWE-798); no public exploit identified at time of analysis, though the credential itself is disclosed in the advisory.
Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).
Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 exposes sensitive user data from other origins when a victim visits a specially crafted HTML page that exploits insufficient policy enforcement in the StorageAccessAPI. The API, designed to manage third-party storage access in privacy-restricting browser contexts, fails to enforce cross-origin boundaries correctly, allowing an attacker to read data belonging to unrelated origins. No active exploitation has been confirmed - CVE is absent from CISA KEV, EPSS rates exploitation likelihood at 0.17% (7th percentile), and SSVC classifies exploitation status as none - though the CVSS confidentiality impact is rated High.
Same-origin-policy bypass in Google Chrome's Speech component before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page cross origin boundaries via insufficient policy enforcement. No public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); notably, Google's own Chromium team rated this Low severity even though NVD scored it CVSS 9.6, a significant conflict defenders should weigh. Requires user interaction (visiting the page) and affects all Chrome desktop builds prior to the fixed stable release.
Navigation restriction bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker to circumvent browser navigation controls through crafted malicious network traffic targeting the TabSwitcher component. The flaw stems from insufficient input validation (CWE-20) in the tab management UI and requires user interaction to trigger, limiting its practical reach. With an EPSS score of 0.17% (7th percentile), no public exploit code, no CISA KEV listing, and Chromium's own internal severity rating of Low, real-world exploitation risk is minimal despite network reachability.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- auth
- Total CVEs
- 31263