Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Rather than cracking passwords by brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically happens through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or abusing broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
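The bypass pathways described above and the server-side checks that close them, as an added example that is not part of the original page: a toy Python dispatcher in its vulnerable form (client-supplied role, an unlisted admin path with no login check) beside a hardened version that derives identity and role from a server-side session, requires a completed second factor before any route is served, and checks authentication on every path. All route names, users and the six-digit code scheme are constructed for illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# --- Vulnerable design: the bypass pathways named in the text ---------------
def vulnerable_dispatch(req: Request) -> str:
    """Trusts client-controlled data and leaves an unlisted admin path unchecked."""
    if req.path == "/admin/export":            # "hidden" path with no login check
        return "200 export"
    if req.path == "/dashboard":
        role = req.params.get("role", "user")  # role taken from the request itself
        return "200 admin-dashboard" if role == "admin" else "200 dashboard"
    return "404"


# --- Hardened design: deny by default, state lives server-side --------------
@dataclass
class Session:
    user: str
    role: str
    mfa_code: str            # expected second factor (delivered out of band in practice)
    mfa_done: bool = False


class AuthServer:
    """Every route requires a fully authenticated session; role and MFA state
    are stored server-side, so the client cannot tamper with them."""

    ROUTES = {"/dashboard": "user", "/admin/export": "admin"}  # route -> required role

    def __init__(self, users: dict[str, tuple[str, str]]):
        self.users = users                     # username -> (password, role); constructed data
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, password: str) -> str | None:
        """Step 1 of 2: verify the password, issue an unguessable session id."""
        creds = self.users.get(user)
        if creds is None or not secrets.compare_digest(creds[0].encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[token] = Session(user=user, role=creds[1], mfa_code=code)
        return token                           # session exists but is not yet usable

    def complete_mfa(self, token: str, code: str) -> bool:
        """Step 2 of 2: the session only becomes usable once the factor matches."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        sess.mfa_done = secrets.compare_digest(sess.mfa_code.encode(), code.encode())
        return sess.mfa_done

    def dispatch(self, req: Request) -> str:
        # Authentication is checked first, for every path, known or not.
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None or not sess.mfa_done:
            return "401"                       # a half-finished login grants nothing
        required = self.ROUTES.get(req.path)
        if required is None:
            return "404"                       # no unlisted paths: unknown means unserved
        if required == "admin" and sess.role != "admin":
            return "403"                       # role comes from the session, not the URL
        return f"200 {req.path} as {sess.user}"
```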
Recent CVEs (7654)
Unauthenticated message injection in PolarLearn 0-PRERELEASE-16 and earlier allows remote attackers to send persistent messages to arbitrary group chats via the WebSocket API without credentials. Public exploit code exists for this vulnerability, which affects all users of vulnerable versions by enabling spam and potential information manipulation within group communications.
PlaciPy has an incorrect authorization vulnerability allowing privilege escalation — seventh and final of seven critical vulnerabilities.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Hollo versions prior to 0.6.20 and 0.7.2 improperly expose direct messages and followers-only posts through the ActivityPub outbox endpoint, allowing unauthenticated remote attackers to access sensitive user communications. Public exploit code exists for this authorization bypass vulnerability, enabling attackers to enumerate and retrieve private content intended for restricted audiences. Patched versions 0.6.20 and 0.7.2 are available to remediate the exposure.
Froshadminer versions up to 2.2.1 are affected by missing authentication for a critical function (CVSS 5.3).
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — second of seven critical PlaciPy vulnerabilities.
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Litestar versions before 2.20.0 improperly escape regex metacharacters in the allowed_hosts middleware, allowing attackers to bypass hostname validation by supplying hosts that match the compiled regex pattern but differ from intended literal hostnames. Public exploit code exists for this vulnerability. The flaw affects the ASGI framework's ability to properly restrict incoming requests to authorized hosts.
Unauthenticated directory traversal in FileRise prior to version 3.3.0 allows remote attackers to read arbitrary files from the /uploads directory without authentication by directly accessing guessable file paths. Public exploit code exists for this vulnerability, enabling attackers to expose sensitive data and breach user privacy. No patch is currently available.
Markus versions up to 2.9.1 are affected by authorization bypass through a user-controlled key (CVSS 6.5).
Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.
Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.
Checkmk versions up to 2.4.0 are affected by missing authorization due to improper permission enforcement.
Birtech Information Technologies Industry and Trade Ltd. Co. Senseway is affected by improper authentication (CVSS 7.3).
JetBrains Hub before 2025.3.119807 has an authentication bypass allowing administrative actions without proper credentials.
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro before 2.0.7. [CVSS 5.3 MEDIUM]
HGiga C&Cm@il email system has a missing authentication vulnerability allowing unauthenticated remote access to email server functions.
A device stores user credentials using AES-ECB encryption with a hard-coded key, allowing any attacker to decrypt all stored passwords.
Insufficient URI validation in CGI endpoints permits unauthenticated attackers to bypass authentication controls through path traversal techniques, enabling direct access to protected administrative functions and configuration files. An attacker can exploit this remotely without credentials to retrieve sensitive data and potentially modify system settings. No patch is currently available for this vulnerability.
Improper server identity validation in Eaton Network M3 firmware upgrade functionality enables man-in-the-middle attacks by network-adjacent threat actors with high privileges. An attacker can intercept and manipulate firmware updates to inject malicious code, compromise system integrity, or disrupt availability. No patch is currently available for this medium-severity issue.
Improper authentication in the CRUD endpoint of code-projects Contact Management System 1.0 allows unauthenticated remote attackers to manipulate ID parameters and bypass access controls. This vulnerability enables unauthorized users to read, modify, or delete sensitive contact data without valid credentials. No patch is currently available.
Unrestricted file upload in Yshopmall up to version 1.9.1 allows authenticated attackers to upload arbitrary files via manipulation of the updateAvatar function in the FileUtil component. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vendor has not yet released a patch despite early notification.
Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.
Wekan before version 8.20 fails to properly validate user permissions on migration functions, allowing authenticated non-admin users to execute unauthorized migration operations. This vulnerability affects any Wekan deployment and could be exploited by low-privileged users to compromise data integrity or availability. A patch is available.
Wekan versions before 8.19 fail to properly enforce the allowPrivateOnly configuration setting during board creation, allowing authenticated users to create public boards when only private boards should be permitted. This authorization bypass enables users to circumvent intended access control policies and expose board data beyond the intended scope. A patch is available for affected installations.
Wekan versions up to 8.19 are affected by authorization bypass through a user-controlled key (CVSS 4.3).
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. [CVSS 5.4 MEDIUM]
Wekan prior to version 8.19 improperly validates permissions on card update API endpoints, checking only read access instead of requiring write permissions. This allows read-only users to modify cards they should not be able to edit. A patch is available to address this authorization bypass.
Wekan versions up to 8.19 are affected by authorization bypass through a user-controlled key (CVSS 7.5).
Wekan versions up to 8.19 are affected by authorization bypass through a user-controlled key (CVSS 7.5).
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. [CVSS 7.5 HIGH]
Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contain a security vulnerability (CVSS 5.3).
DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. [CVSS 7.5 HIGH]
ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. [CVSS 7.5 HIGH]
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. [CVSS 7.5 HIGH]
3DP-MANAGER for 3x-ui has hard-coded credentials (CVSS 9.8) in version 2.0.1 that provide automatic access to the management interface.
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. [CVSS 7.4 HIGH]
DeepAudit is a multi-agent system for code vulnerability discovery. [CVSS 6.5 MEDIUM]
Smart Pixelator 2.0's Bluetooth Low Energy interface lacks proper authentication controls, allowing unauthenticated attackers on the local network to manipulate device functionality and potentially compromise confidentiality and integrity. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
Keylime attestation framework since version 7.12.0 has a TLS authentication flaw where the registrar doesn't enforce client-side certificate validation.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain full system access.
Unauthenticated attackers can bypass public link scope verification in OpenCloud Reva versions prior to 2.42.3 and 2.40.3 through a flaw in GRPC authorization middleware. By exploiting the archiver service, an attacker can create archives containing all resources accessible to the public link creator, resulting in unauthorized information disclosure. A patch is available in versions 2.42.3 and 2.40.3.
OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.
Gogs versions 0.13.3 and earlier fail to enforce write permissions on the repository contents endpoint, allowing attackers with read-only access to modify files, create commits, and execute git push operations. An authenticated user possessing only read permissions can bypass authorization checks and gain unauthorized write access to repository contents. This affects self-hosted Gogs instances and has no patch currently available for affected versions.
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. [CVSS 7.6 HIGH]
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. [CVSS 8.8 HIGH]
Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.9 MEDIUM]
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Collabora Online is a collaborative online office suite based on LibreOffice technology. [CVSS 5.3 MEDIUM]
Azure Arc Elevation of Privilege Vulnerability [CVSS 8.6 HIGH]
Tanium addressed an improper access controls vulnerability in Reputation. [CVSS 4.3 MEDIUM]
Tanium addressed an improper input validation vulnerability in Deploy. [CVSS 8.8 HIGH]
Tanium addressed an improper access controls vulnerability in Deploy. [CVSS 4.3 MEDIUM]
Tanium addressed an improper access controls vulnerability in Patch. [CVSS 4.3 MEDIUM]
Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. [CVSS 3.7 LOW]
Tanium addressed an improper access controls vulnerability in Interact. [CVSS 3.1 LOW]
Command execution in pgAdmin 4 server mode allows authenticated attackers to bypass restore operation restrictions by extracting the restrict key during PLAIN-format dump file operations and injecting malicious payloads to re-enable meta-commands. An attacker with web interface access can race the restore process in real time to achieve reliable code execution on the pgAdmin host. No patch is currently available for this vulnerability.
Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.
The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.
WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.
Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots. [CVSS 7.8 HIGH]
OpenSlides versions prior to 4.2.29 allow unauthorized authentication bypass for SAML-synchronized users through the local login form by using the victim's username with a hardcoded trivial password. An attacker can gain complete access to any SAML user account without knowing their actual credentials, potentially compromising sensitive assembly management data including agendas, motions, and election information. A patch is available in version 4.2.29 and should be applied immediately to all affected instances.
The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%).
Bambuddy 3D printer management system has missing authentication (CVSS 9.8) allowing unauthenticated access to printer control and print archive.
eladmin v2.7 and earlier contain a vulnerability that allows an arbitrary user password reset from any user permission level. [CVSS 6.5 MEDIUM]
Unauthenticated attackers can manipulate WooCommerce order statuses through an authorization bypass in the Fortis for WooCommerce plugin (versions up to 1.2.0), allowing them to fraudulently mark orders as paid without receiving payment. The vulnerability stems from an inverted nonce validation check in the payment notification handler that fails to properly authenticate requests. This affects all WordPress sites running the vulnerable plugin and has no available patch.
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. [CVSS 5.3 MEDIUM]
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. [CVSS 7.5 HIGH]
Loyalty Points and Rewards for WooCommerce versions up to 5.6.0 are affected by missing authorization (CVSS 6.5).
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by...
Android versions up to 13.0 contain a vulnerability that allows attackers to bypass the persistence configuration of the application (CVSS 6.1).
Android versions up to 14.0 contain a vulnerability that allows attackers to interrupt its functioning (CVSS 5.5).
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0), enabling unauthenticated control of serial devices.
MOMA Seismic Station v2.4.2520 exposes its web management interface without authentication, allowing unauthenticated control of seismological monitoring equipment.
Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.
Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.
EspoCRM 5.8.5 has an authentication vulnerability allowing attackers to access other user accounts through IDOR in session handling.
Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. [CVSS 7.5 HIGH]
AdminPando 1.0.1 by Fikir Odalari has a CVSS 10.0 SQL injection in the login functionality allowing complete authentication bypass and database takeover.
Archer AX53 firmware versions up to 1.0 contain a vulnerability that allows attackers to obtain device credentials through a specially crafted man-in-the-middle (MITM) attack (CVSS 8.1).
HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]
HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. Allowing autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. [CVSS 3.7 LOW]
Open eClass Platform versions up to 4.2 are affected by authorization bypass through a user-controlled key (CVSS 7.5).
Broken access control in Open eClass Platform versions prior to 4.2 allows authenticated students to create course units, a privilege normally reserved for instructors and administrators. An attacker with valid student credentials can escalate their capabilities within the platform by performing unauthorized administrative actions. Public exploit code exists for this vulnerability, and no patch is currently available.
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.8 HIGH]
Broken access control in Open eClass Platform before version 4.2 allows authenticated students to modify course content that should only be editable by instructors and administrators. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. An attacker with valid student credentials can escalate their privileges to alter course materials and potentially disrupt educational content integrity.
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 5.0 MEDIUM]
Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtain sensitive application secrets and tenant data.
Quick Facts
- Typical Severity: CRITICAL
- Category: auth
- Total CVEs: 7654