Authentication Bypass

A Host header manipulation vulnerability in the h3 Node.js web framework allows attackers to bypass authentication middleware by polluting the event.url object. The vulnerability affects h3 npm package and allows unauthorized access to protected routes by crafting malicious Host headers that trigger internal URL reconstruction logic. A working proof-of-concept exploit is publicly available demonstrating the authentication bypass.

A timing side-channel vulnerability exists in the h3 npm package's `requireBasicAuth` function, where unsafe string comparison using the `!==` operator allows attackers to deduce valid passwords character-by-character by measuring server response times. This affects all versions of h3 that implement this vulnerable authentication mechanism, and while a proof-of-concept exists demonstrating feasibility in local/co-located network environments, the attack requires statistical analysis over multiple requests and is significantly hampered by network jitter in internet-scale scenarios. The CVSS score of 5.9 reflects high confidentiality impact but high attack complexity, placing this in moderate-priority territory despite the linear password recovery capability.

The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress contains a critical authentication bypass vulnerability allowing unauthenticated attackers to log in as any patient by simply providing their email address and an arbitrary access token value. All versions up to and including 4.1.2 are affected, exposing sensitive medical records, appointments, prescriptions, and billing information (PII/PHI). The CVSS score of 9.8 reflects the severity of unauthenticated remote exploitation with high impact to confidentiality, integrity, and availability.

The Post SMTP WordPress plugin for versions up to 3.8.0 contains an authorization bypass vulnerability in the Office 365 OAuth redirect handler that allows authenticated subscribers and above to overwrite sensitive SMTP configuration without proper capability checks or nonce validation. An attacker with subscriber-level access can craft a malicious URL to inject attacker-controlled Azure app credentials into the site's Microsoft 365 configuration, potentially causing administrators to unknowingly connect to the attacker's account during Pro wizard setup. This vulnerability has a CVSS score of 5.3 and is classified as CWE-862 (Missing Authorization), with active evidence of the vulnerable code path present in the plugin repository.

The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.

Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.

Frigate video surveillance software contains an authentication bypass vulnerability allowing users with viewer role privileges to delete administrator and other user accounts via an unrestricted API endpoint. The vulnerability affects the Frigate Python package (pkg:pip/frigate) and has been confirmed with a proof-of-concept demonstration successfully deleting the admin user on the demo.frigate.video instance. This leads to denial of service and compromises data integrity by allowing unauthorized account deletions.

Heimdall, an authorization decision API for Envoy proxy, contains a path traversal bypass vulnerability when used in gRPC decision API mode. Attackers can bypass non-wildcard path expression rules by appending query parameters to URLs, which causes incorrect URL encoding that prevents rule matching. A proof-of-concept is publicly available demonstrating the bypass, though exploitation requires heimdall to be configured with an insecure 'allow all' default rule (which is blocked by secure defaults since v0.16.0 unless explicitly disabled).

FileBrowser contains an authorization bypass vulnerability where users with share privileges but without download privileges can still expose and retrieve file content via public share links, enabling unauthorized data exfiltration to unauthenticated users. The vulnerability affects FileBrowser (CPE: pkg:go/https:__github.com_filebrowser_filebrowser) and has been confirmed with a working proof-of-concept demonstrating that restricted users can create shares and access files publicly despite download restrictions. With a CVSS score of 6.5 and an attack vector requiring only low privileges and no user interaction, this represents a significant access control bypass in environments relying on download restrictions for data loss prevention.

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Langflow API key deletion endpoint that allows any authenticated user to delete API keys belonging to other users. The delete_api_key_route() function in langflow version prior to 1.7.2 fails to verify ownership of API keys before deletion, enabling attackers to enumerate and delete arbitrary API keys by manipulating the api_key_id UUID parameter. A patch is available from the vendor as of version 1.7.2, addressing this authentication bypass that could lead to account takeover and denial of service.

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.

A critical authentication bypass vulnerability exists in LibreChat version 0.8.1-rc2 where the same JWT secret is reused for both user session management and the RAG (Retrieval-Augmented Generation) API authentication. This design flaw allows authenticated users to compromise service-level authentication of the RAG API by leveraging their session tokens to access or manipulate the RAG service beyond intended privileges. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.

Contextual Related Posts versions before 4.2.2 contain an authorization bypass vulnerability that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. The vulnerability affects the plugin's ability to enforce proper permission checks, potentially exposing confidential data to unauthorized users. No patch is currently available for this issue.

The Yoast Duplicate Post WordPress plugin through version 4.5 contains a missing capability check vulnerability in the clone_bulk_action_handler() and republish_request() functions, allowing authenticated attackers with Contributor-level access to duplicate restricted posts (private, draft, trashed) and Author-level attackers to overwrite published posts via the Rewrite & Republish feature. The vulnerability carries a CVSS score of 5.4 (medium severity) with ENISA EUVD tracking (EUVD-2026-12800), and Wordfence has documented specific vulnerable code paths in the plugin's bulk handler and post republisher modules.

Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.

This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.

The Subscriptions for WooCommerce plugin contains a critical authentication bypass vulnerability in the subscription cancellation function that allows unauthenticated attackers to cancel any active WooCommerce subscription. The vulnerability affects all versions up to and including 1.9.2 of the plugin (CPE: cpe:2.3:a:wpswings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*) and stems from a missing capability check combined with improper nonce validation. An attacker can exploit this with a simple GET request, requiring no special privileges or user interaction, resulting in unauthorized modification of subscription data with a CVSS score of 5.3 and confirmed active exploitation potential.

Cross-course privilege escalation in Moodle Mod Customcert allows authenticated teachers with certificate management rights in any course to read and modify certificate data across the entire Moodle installation due to missing context validation in the editelement callback and save_element web service. An attacker with mod/customcert:manage permissions in a single course can exploit this to disclose sensitive certificate information from other courses or tamper with their certificate elements. Versions 4.4.9 and 5.0.3 patch the vulnerability, but no patch is currently available for affected versions.

OpenClaw versions prior to 2026.2.26 contain a Time-of-Check-Time-of-Use (TOCTOU) approval bypass vulnerability in the system.run execution function that allows local attackers with low privileges to execute arbitrary commands from unintended filesystem locations. An attacker can exploit a race condition by modifying parent symlinks in the current working directory after command approval but before execution, redirecting execution while maintaining the appearance of a safe working directory. A patch is available from the vendor, and this vulnerability has been documented by both VulnCheck and the OpenClaw security advisory (GHSA-f7ww-2725-qvw2).

OpenClaw versions prior to 2026.2.21 are vulnerable to prototype pollution attacks via the /debug set endpoint, allowing authenticated attackers to inject reserved prototype keys (__proto__, constructor, prototype) and manipulate object prototypes to bypass command gate restrictions. The vulnerability requires authenticated access and has relatively low real-world exploitability due to high attack complexity, but presents a meaningful integrity risk for authorized users who may not be aware of this attack vector. A patch is available from the vendor.

OpenClaw prior to version 2026.3.2 allows local users with standard privileges to write files outside designated directories through insufficient path validation in the browser output handler. An attacker can exploit this path-confinement bypass to place malicious files in arbitrary filesystem locations, potentially leading to privilege escalation or system compromise.

OpenClaw contains an execution approval bypass vulnerability in allowlist mode that allows authenticated attackers to circumvent allow-always grants through unrecognized multiplexer shell wrappers like busybox and toybox. Attackers with low-level privileges can invoke arbitrary payloads under these multiplexer wrappers to satisfy stored allowlist rules while executing unintended commands. This affects all OpenClaw versions prior to 2026.2.23, with a patch now available from the vendor.

OpenClaw Gateway versions prior to 2026.2.22 leak authentication tokens through Chrome DevTools Protocol (CDP) probe traffic on loopback interfaces, allowing local attackers to intercept the x-OpenClaw-relay-token header and reuse it for unauthorized Gateway access. An attacker with local network access or control of a loopback port can capture reachability probes to the /json/version endpoint and escalate privileges by replaying the stolen token as bearer authentication. A vendor patch is available, and this vulnerability has been documented by VulnCheck with references to the official GitHub security advisory and patch commit.

OpenClaw versions prior to 2026.2.22 contain an access control bypass vulnerability in the optional BlueBubbles plugin where empty allowFrom configuration causes the allowlist validation logic to fail, enabling remote attackers to send direct messages to BlueBubbles accounts without proper authorization. The vulnerability stems from improper handling of misconfigured sender authorization checks, allowing attackers to circumvent dmPolicy pairing and allowlist restrictions. Patches are available from the vendor, and this is classified as an authentication bypass issue with a CVSS score of 4.8 indicating moderate severity.

Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers with low-level privileges to complete IdP-initiated broker logins even when the SAML Identity Provider has been administratively disabled. Red Hat Build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. The CVSS score of 8.1 reflects high confidentiality and integrity impact, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported at this time.

Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.

An Insecure Direct Object Reference (IDOR) vulnerability exists in Sentry versions prior to 26.1.0 within the GroupEventJsonView endpoint, allowing attackers to access event data across different organizations without proper authorization checks. This information disclosure vulnerability enables cross-organization data leakage where an authenticated attacker with access to one organization can enumerate and retrieve sensitive error tracking and performance monitoring data belonging to other organizations. The vulnerability has been patched in version 26.1.0, and a proof-of-concept is available via the referenced GitHub Security Lab advisory.

A WiFi Extender model WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains hardcoded credential disclosure vulnerabilities in its web administration interface through server-side include (SSI) directives embedded in critical pages such as login.shtml and settings.shtml. These directives dynamically retrieve and expose the web administration password from non-volatile memory during runtime, allowing unauthenticated attackers to obtain administrative credentials and gain full control of the device. A proof-of-concept and detailed technical analysis have been publicly disclosed by security researchers, indicating active awareness and potential exploitation in the wild.

This vulnerability implements a broken authentication mechanism in the WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) web management interface, allowing attackers to bypass login controls through forced browsing of restricted endpoints without valid session validation. An attacker can directly access administrative functions and sensitive configuration pages by circumventing the authentication layer entirely. A proof-of-concept and detailed technical analysis have been published by security researchers, indicating this is a practical, demonstrable vulnerability affecting consumer-grade networking equipment with no official CVSS scoring yet assigned.

GLPI versions 11.0.0 through 11.0.5 contain an authentication bypass vulnerability that allows an attacker with knowledge of a user's credentials to circumvent multi-factor authentication (MFA) and gain unauthorized account access. This vulnerability affects the GLPI asset and IT management software and is classified as CWE-287 (Improper Authentication), with a CVSS score of 6.5 indicating medium severity. The issue has been patched in version 11.0.6, and while no active KEV listing or public proof-of-concept is noted in available sources, the authentication bypass nature suggests moderate exploitation probability.

Cloud Foundry CAPI Release contains unprotected internal endpoints that allow attackers who have bypassed perimeter firewall controls to replace application droplets and access sensitive application data. The vulnerability affects Cloud Foundry CAPI Release version 1.226.0 and earlier, and CF Deployment version 54.9.0 and earlier across all platforms. This is an authentication bypass issue (CWE-306) with a CVSS score of 7.5, requiring adjacent network access and high attack complexity but no privileges or user interaction.

This is a critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with network access via HTTP can completely take over the affected system without any authentication, privileges, or user interaction required. The CVSS score of 9.8 reflects maximum impact across confidentiality, integrity, and availability. There is no evidence of active exploitation (not in CISA KEV), and no proof-of-concept code has been publicly identified in the available intelligence.

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an authentication bypass vulnerability that allows remote unauthenticated attackers to view and delete business partners within communities, as well as delete entire communities. Multiple versions are affected including 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0. While the CVSS score is 7.1 (High), the vulnerability requires low attack complexity and no user interaction, making it straightforward to exploit over the network with low privileges.

A denial of service vulnerability in A cross-origin (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.

CVE-2026-32842 is a security vulnerability (CVSS 6.5) that allows attackers. Remediation should follow standard vulnerability management procedures.

Edimax GS-5008PL switches running firmware 1.00.54 and earlier contain an authentication bypass in the management interface that allows unauthenticated remote attackers to gain administrative access by exploiting a flawed global authentication flag mechanism. Once bypassed, attackers can modify administrator credentials, upload malicious firmware, and alter device configurations without any authentication required. No patch is currently available for this high-severity vulnerability.

A improper authentication vulnerability exists in Duende IdentityServer 4 affecting the Token Renewal Endpoint at /connect/authorize, where manipulation of the id_token_hint parameter can bypass authentication controls. This vulnerability affects Duende IdentityServer 4 across all versions, allowing remote attackers without credentials to gain unauthorized access with high complexity exploitation requirements. No active exploitation in the wild (KEV status unknown), no public proof-of-concept available, and the vendor has not responded to early disclosure attempts.

Node.js authentication bypass allows unauthenticated account creation when empty authData objects bypass credential validation, enabling attackers to establish authenticated sessions without providing required usernames or passwords. This affects applications where anonymous registration is disabled but authentication checks fail to properly validate the authData parameter. The vulnerability is fixed by treating empty authData as absent data and enforcing mandatory credential validation during user registration.

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.

CVE-2026-33011 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

CVE-2026-32742 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-32878 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Unauthenticated attackers can gain unauthorized access to TIBCO BPM Enterprise 4.x through a misconfigured Java Management Extensions (JMX) interface, potentially allowing full system compromise. This vulnerability affects the availability, integrity, and confidentiality of affected systems with no patch currently available.

The Angeet ES3 KVM device contains an arbitrary file write vulnerability allowing remote, unauthenticated attackers to modify system files including configuration files and binaries, potentially leading to complete system compromise. All versions of the ES3 KVM appear to be affected based on EUVD version data (ES3 KVM 0 <*). This vulnerability has been reported by CISA and documented in their CSAF advisory VA-26-076-01, though no active exploitation (KEV) status has been indicated at this time.

A critical authentication bypass vulnerability in Sipeed NanoKVM KVM-over-IP devices allows unauthenticated remote attackers to hijack Wi-Fi configurations or crash the device through memory exhaustion. The vulnerability affects NanoKVM versions before 2.3.1 and enables attackers with network access to redirect the device to attacker-controlled networks or cause denial of service. While not currently in CISA KEV, the issue has been analyzed by security researchers and a patch is available from the vendor.

The GL-iNet Comet (GL-RM1) KVM lacks authentication enforcement on its UART serial console, allowing unauthenticated access to device management functions after physical access is obtained. This authentication bypass (CWE-306) affects all versions of the Comet KVM product line and enables attackers with physical access to achieve complete system compromise including confidentiality, integrity, and availability violations. While the attack requires opening the device and connecting to UART pins, security research from Eclypsium demonstrates that affordable KVM devices like this one can serve as network pivoting points for lateral movement and reconnaissance.

The kube-router proxy module fails to validate Service externalIPs and LoadBalancer IPs against configured IP ranges, allowing namespace-scoped users to bind arbitrary VIPs on all cluster nodes and hijack traffic to critical services like kube-dns. This affects all kube-router v2.x versions including v2.7.1, primarily impacting multi-tenant clusters where untrusted users have Service creation permissions. A detailed proof-of-concept demonstrates single-command cluster DNS takedown and arbitrary VIP binding with traffic redirection to attacker-controlled pods, though EPSS scoring is not available for this recently disclosed vulnerability.

CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticated team member to restore, view, and take ownership of deleted drafts belonging to other users, including administrators. Attackers can access sensitive private information and lock the original owners out of their own content by exploiting the missing ownership validation during the restore process. This vulnerability affects Outline versions prior to 1.4.0 and carries a high CVSS score of 8.1, though no active exploitation or proof-of-concept code has been reported.

OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletionDeleteMutation' that allows authenticated users to delete arbitrary unrelated objects such as analysis reports, not just the intended individual entities. The vulnerability stems from insufficient input validation in the API layer, enabling a user with basic mutation privileges to escalate their impact beyond intended scope. With a CVSS score of 6.5 and authenticated access requirement, this represents a moderate but actionable availability risk for organizations managing threat intelligence with OpenCTI.

A cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access to server-level cryptographic material to authenticate as any user and obtain elevated privileges. The vulnerability affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, indicating critical severity. While not currently listed in CISA's KEV catalog and with no public proof-of-concept available, the vulnerability's authentication bypass nature and potential for complete system compromise make it a high-priority patching target.

HCL Sametime is vulnerable to broken server-side validation.

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class.

In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit.

CVE-2026-4208 is a security vulnerability (CVSS 7.7). High severity vulnerability requiring prompt remediation.

CVE-2026-4202 is a security vulnerability (CVSS 2.3). Remediation should follow standard vulnerability management procedures.

Booster for WooCommerce versions prior to 7.11.3 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability could enable attackers to cause service disruptions or access unauthorized functionality within affected WooCommerce installations. No patch is currently available for this vulnerability.

A critical missing authentication vulnerability in DrangSoft's GCB/FCB Audit Software allows unauthenticated remote attackers to directly access certain APIs and create new administrative accounts, effectively granting full system control. The vulnerability has a maximum CVSS score of 9.8 and requires no authentication or user interaction to exploit over the network. While no active exploitation or proof-of-concept has been reported yet, the severity and ease of exploitation make this a high-priority security issue for organizations using this audit software.

A security vulnerability in affected (CVSS 2.3). Remediation should follow standard vulnerability management procedures.

CVE-2026-30707 is a security vulnerability (CVSS 8.1) that allows broken access control. High severity vulnerability requiring prompt remediation.

CVE-2026-32769 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-32737 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

CVE-2026-32768 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role.

Mattermost versions 11.3.0 and 11.2.2 and earlier fail to properly validate the run_create permission when a playbook ID is empty, allowing authenticated team members to create unauthorized playbook runs through the API. This permission bypass could enable attackers with valid credentials to perform actions they should not be permitted to execute within the platform.

A security vulnerability in Craft CMS (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.

CVE-2026-3644 is a security vulnerability (CVSS 6.0). Remediation should follow standard vulnerability management procedures.

The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.

CVE-2026-32638 is a security vulnerability (CVSS 2.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

AWS API MCP Server versions 0.2.14 through 1.3.9 contain an improper path protection flaw in the no-access and workdir features that allows local attackers to bypass file access restrictions and read arbitrary files accessible to the MCP client application. An attacker with local access and user interaction can exploit this vulnerability to expose sensitive local file contents. Users should upgrade to version 1.3.9 or later to remediate this issue.

WP EasyPay versions up to 4.2.11 contain an authorization bypass that allows authenticated users to modify plugin settings and functionality beyond their intended access level. An attacker with valid credentials could exploit improperly configured access controls to perform unauthorized actions such as disabling security features or altering payment processing configurations. No patch is currently available for this vulnerability.

A weakness has been identified in La Nacion App 10.2.25 on Android.

A remote code execution vulnerability (CVSS 4.3) that allows guest users without read permissions. Remediation should follow standard vulnerability management procedures.

CVE-2026-22545 is a security vulnerability (CVSS 3.1) that allows an authenticated attacker. Remediation should follow standard vulnerability management procedures.

A remote code execution vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Modern Events Calendar versions up to 7.29.0 contain an access control vulnerability that allows unauthenticated remote attackers to modify data through improperly configured authorization checks. This vulnerability enables attackers to perform unauthorized actions without authentication, affecting all installations of the affected versions. No patch is currently available, requiring organizations to implement alternative mitigation strategies.

Improper access controls in D-Link NAS devices (DNS-120, DNS-323, DNS-345, DNS-1200-05, and others through firmware version 20260205) allow unauthenticated remote attackers to manipulate the cgi_set_wto function in /cgi-bin/system_mgr.cgi, potentially gaining unauthorized access or modifying system settings. Public exploit code exists for this vulnerability, and no patch is currently available.

This vulnerability in Mattermost allows guest users to bypass team-specific file upload permissions through a cross-team file metadata reuse attack. Affected versions include Mattermost 11.3.0, 11.2.x up to 11.2.2, and 10.11.x up to 10.11.10. An authenticated guest user can upload a file in a team where they have upload_file permission, then reuse that file's metadata in POST requests to channels in different teams where they lack upload permission, resulting in unauthorized file posting with potential integrity impact.

This vulnerability in Mattermost allows unauthenticated attackers to achieve remote code execution and exfiltrate sensitive credentials through malicious plugin installation on CI test instances that retain default admin credentials. Affected versions include Mattermost 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.0, with the core issue stemming from insufficient access controls on plugin installation combined with default credential exposure. An attacker can upload a malicious plugin after modifying the import directory to gain full system compromise and access AWS and SMTP credentials stored in configuration files.

A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwarded-Host or Host headers, leading to account takeover. The vulnerability affects all versions prior to 1.4.6 and requires only that the attacker knows the victim's email address to initiate the attack chain. With a CVSS 7.5 score and requiring user interaction, this represents a significant authentication bypass risk for organizations using the affected CMS versions.

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the page creation functionality through the FieldValues[0].Value parameter, allowing authenticated attackers with content creation permissions to inject malicious HTML and JavaScript that executes when other users visit the edited page. The vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 5.1 with limited scope impact due to required authentication and user interaction. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the low attack complexity and availability of vendor patch make this a moderate but manageable risk for deployed instances.

This vulnerability is an improper access control flaw in Mattermost's channel search functionality that allows removed team members to enumerate all public channels within private teams. Affected versions include Mattermost 11.3.x through 11.3.0, 11.2.x through 11.2.2, and 10.11.x through 10.11.10. An authenticated attacker who has been removed from a team can query the channel search API endpoint to discover the complete list of public channels in that private team, resulting in information disclosure without requiring elevated privileges.