Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31271)

EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Authentication bypass in AdGuard Home prior to v0.107.77 allows unauthenticated remote attackers to gain full admin access when the binary is launched with the --glinet flag, by injecting a path traversal sequence into the Admin-Token cookie. The flaw lives in the authglinet middleware, which concatenates the cookie value into a file path without sanitization, letting attackers redirect token reads to arbitrary files. No public exploit identified at time of analysis, but the vendor advisory and a community-disclosed root cause make weaponization straightforward.

Authentication Bypass Path Traversal Adguardhome
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Privilege escalation via authorization bypass in Snipe-IT versions prior to 8.6.0 allows any authenticated user holding only the granular `users.edit` permission to disable administrator and superuser accounts through the bulk-edit endpoint, effectively locking all admins out of the instance. By toggling the `activated` and `ldap_import` flags on admin targets, a low-privileged actor denies admins both interactive login and password-reset recovery. No public exploit identified at time of analysis, but the upstream fix and detailed advisory disclose the exact attack surface.

Authentication Bypass Snipe It
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.

Authentication Bypass Flowise
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in Bludit CMS versions prior to 3.22.0 allows deactivated user accounts to retain authenticated access through persistent 'Remember Me' cookies, because the disable-account workflow fails to invalidate tokenAuth and tokenRemember values stored in the JSON database. Any user who previously logged in with the persistent session option can continue to act with their original privileges even after an administrator disables them. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Bludit
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. No public exploit identified at time of analysis, though the fix commit on GitHub publicly discloses the exact root cause.

Authentication Bypass Bludit
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.

Authentication Bypass Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Incorrect authorization in Checkmk's User Messages dashboard widget exposes the dashboard creator's personal messages to any party possessing a valid public dashboard share token. The message-fetching endpoints resolve messages using the dashboard creator's identity rather than the requesting party's identity, meaning that direct API calls with a share token return the issuer's private messages regardless of whether the User Messages widget is actually present on the shared dashboard. All Checkmk deployments running versions prior to 2.5.0p5 that use the public dashboard sharing feature are affected. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Checkmk
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 +3
NVD GitHub VulDB
EPSS 0% 5.8 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.

Authentication Bypass Microsoft
NVD VulDB GitHub
EPSS 0% CVSS 7.4
HIGH Act Now

Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. Publicly available exploit code exists (GitHub issue #11392), though the CVSS 4.0 score of 1.3 reflects high attack complexity and the authenticated, misconfiguration-dependent nature of the attack - no public exploitation or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Weaviate
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Improper access control in zilliztech deep-searcher up to version 0.0.2 allows authenticated remote attackers to bypass collection-level authorization in the vector database layer. The CollectionRouter.invoke function in collection_router.py lists and queries all vector database collections without filtering by the caller's authorized scope, meaning a low-privileged user can retrieve data from collections they should not have access to. No public exploit identified via CISA KEV, but publicly available exploit code (POC) exists per the GitHub issue tracker and the CVSS 4.0 E:P modifier confirms this.

Authentication Bypass Deep Searcher
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in NousResearch hermes-agent up to 0.12.0 allows remote low-privileged authenticated attackers to access or manipulate sessions belonging to other users by supplying an arbitrary session title to the resume endpoint's `resolve_session_by_title` function without ownership verification. A public proof-of-concept exploit has been disclosed via GitHub Gist, and the vendor did not respond to pre-disclosure contact, meaning no patch is currently available. With CVSS 6.3 and a temporal exploit-partial modifier, this presents elevated practical risk in multi-tenant or shared-instance deployments where session isolation is a security boundary.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

{mapid}` endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to `__return_true`. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic `edit_posts` capability and the model layer (`Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) performs no ownership validation at any depth. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Squirrly SEO WordPress plugin (all versions through 12.4.16) allows authenticated attackers with contributor-level access to invoke privileged Squirrly cloud API operations reserved for administrators, including revoking the site's Google Search Console and Google Analytics integrations via the `api/gsc/revoke` and `api/ga/revoke` endpoints. The flaw stems from the plugin's failure to verify the `sq_manage_settings` capability before processing these state-changing cloud API calls, meaning any contributor can silently destroy critical SEO and analytics data connections without administrator knowledge. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the RSS Aggregator by Feedzy WordPress plugin (all versions through 5.1.7) allows authenticated contributors to perform privileged import management actions - including force-deleting all posts tied to any import job, creating and executing RSS imports, clearing error logs, and enumerating taxonomy terms and post meta keys. The attack surface is widened by a nonce leak: the required nonce is exposed to any user holding the edit_posts capability via the feedzyjs localized script injected into the WordPress block editor, eliminating the need for any separate token-theft step. No public exploit has been identified at time of analysis, and CISA KEV listing is absent.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Arbitrary Media Library attachment deletion in the Charitable donation plugin for WordPress (versions through 1.8.11.1) is achievable by any authenticated user with Subscriber-level access or above via a two-stage IDOR exploit chain in the profile avatar update flow. The attack chains two weak points: Charitable_Data_Processor::process_picture() returns a raw user-supplied attachment ID verbatim when no file is uploaded, allowing an attacker to poison their own avatar user meta with any arbitrary attachment ID, which save_avatar() then blindly passes to wp_delete_attachment() without verifying that the target attachment belongs to the requesting user. No public exploit has been identified at time of analysis, and exploitation is constrained to authenticated users on sites with active user registration.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.

Authentication Bypass Tapo C520Ws V2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Alba Board WordPress plugin (all versions through 2.1.3) exposes private project card data to unauthorized access. Despite the CVSS vector assigning PR:L (low privileges required), the vulnerability description explicitly reveals a more severe exploitation path: the AJAX handler is registered under the wp_ajax_nopriv_ hook, and the required nonce is broadcast to all site visitors via wp_localize_script on any page rendering the [alba_board] shortcode - enabling fully unauthenticated access to private alba_card records including titles, descriptions, assignees, due dates, tags, and comments. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the vulnerable code path is publicly browsable in the WordPress plugin repository.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).

PHP Authentication Bypass Oracle
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.

Authentication Bypass Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.

Authentication Bypass Path Traversal Hashicorp +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in WP Captcha PRO (and the free Advanced Google reCAPTCHA plugin sharing the same slug) for WordPress versions through 5.38 allows authenticated Subscriber-level users to log in as any account, including Administrator. The flaw chains a missing capability check in the ajax_run_tool() AJAX handler with the create_temporary_link tool that issues passwordless login links for arbitrary users, enabling full account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Google WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.

Authentication Bypass Termix
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.

Authentication Bypass Termix
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.

Authentication Bypass Netman 204
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. No public exploit identified at time of analysis as actively exploited in CISA KEV, but the trivially abusable static credential makes opportunistic exploitation highly likely.

Authentication Bypass Netman 204
NVD Exploit-DB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

File truncation bypass in wasmtime-wasi allows guest WebAssembly modules to truncate (destroy contents of) host files that should be read-only, by invoking the wasip2 `descriptor.open-at` or wasip1 `path_open` interfaces with only the `OpenFlags::TRUNCATE` flag set. The bug affects embeddings that combine `DirPerms::MUTATE` with `FilePerms::READ` (read-only file permissions plus directory mutation), defeating the host's enforced `FilePerms::WRITE` access control. No public exploit identified at time of analysis; CVSS 7.5 reflects the integrity-only impact (C:N/I:H/A:N).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 9.1
CRITICAL Act Now

Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 9.1
CRITICAL Act Now

Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.

Authentication Bypass Geographic Tracking System
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Authentication Bypass Information Disclosure Linqi
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.

Samsung Authentication Bypass Samsung Internet
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged attacker to launch arbitrary Android Activities without proper permission checks. Exploitation requires passive user interaction (CVSS 4.0 UI:P) and local device access, but the confidentiality impact on the vulnerable system is rated High (VC:H), consistent with the reported Information Disclosure tag. No public exploit code exists and the vulnerability is not listed in CISA's KEV catalog at time of analysis; Samsung has released a patch in SMR Jun-2026 Release 1.

Authentication Bypass Samsung Mobile Devices
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC KEV EUVD KEV THREAT Act Now

Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.

PHP Authentication Bypass Joomla Content Editor Jce Extension For Joomla
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) allows remote unauthenticated attackers to bypass discretionary access controls via a crafted HTML page, resulting in limited integrity impact. User interaction is required, and exploitation probability is extremely low - EPSS sits at 0.02% (4th percentile). No public exploit identified at time of analysis, and Chromium's own security team rated this as 'Low' severity, consistent with the CVSS 4.3 score and SSVC's 'partial' technical impact assessment.

Apple Authentication Bypass Google +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Navigation restriction bypass in Google Chrome on Android prior to 149.0.7827.53 allows a local attacker to circumvent Reader Mode input validation by supplying a malicious file. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (4th percentile), but Google has released a fix in the stable channel. Chromium internally rates this as Low severity despite the elevated NVD CVSS of 7.7.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to circumvent CSP directives by delivering a crafted HTML page that requires only a user visit to trigger. The impact is confined to low-severity integrity violations (CVSS I:L) with no confidentiality or availability consequences, consistent with Chromium's own Low severity rating. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects negligible near-term exploitation probability.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Android Autofill implementation allows remote unauthenticated attackers to perform limited cross-origin integrity violations by delivering a crafted HTML page to a victim user. Affected are all Chrome for Android versions prior to 149.0.7827.53. Impact is constrained to integrity (I:L) with no confidentiality or availability consequence, consistent with Chromium's own 'Low' severity rating. No public exploit code exists and no active exploitation has been confirmed; EPSS exploitation probability sits at 0.02% (4th percentile), making this a low operational priority despite being network-reachable.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation policy bypass in Google Chrome on Android (prior to 149.0.7827.53) enables a remote attacker who has already achieved renderer process compromise to circumvent navigation restrictions through a specially crafted HTML page. The vulnerability carries a CVSS integrity impact of High (I:H) with no confidentiality or availability impact, indicating the primary risk is unauthorized navigation to restricted targets - a technique commonly used to chain into further exploitation. No public exploit identified at time of analysis, and EPSS of 0.02% (6th percentile) reflects negligible current exploitation probability; however, its value as a chaining primitive in multi-stage browser attacks warrants attention.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Shortcuts feature on macOS allows remote attackers to circumvent Chrome's internal URL filtering or navigation controls via a crafted malicious file. Affected versions are all Chrome releases on Mac prior to 149.0.7827.53. The CVSS vector (PR:N, UI:R, I:H) indicates no attacker authentication is required but user interaction with the malicious file is mandatory; EPSS at 0.02% (4th percentile) and no public exploit identified at time of analysis confirm low exploitation probability, consistent with Chromium's own 'Low' severity rating.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) enables remote attackers to bypass discretionary access controls by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is network-reachable, requires no authentication, and produces a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects very low exploitation probability; Chromium internally rated this Low severity.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android's Page Info component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to circumvent Chrome's navigation controls via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability cannot be triggered standalone but requires a prior renderer compromise as a prerequisite, limiting its practical threat surface. No public exploit has been identified at time of analysis, EPSS is negligible at 0.02%, and the vulnerability is not listed in CISA KEV. Google rates its internal severity as Low.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DOM Distiller component on iOS allows a remote attacker to circumvent page navigation controls by serving a specially crafted HTML page. Affected users are running Chrome on iOS prior to version 149.0.7827.53, and exploitation requires the victim to visit an attacker-controlled page. No public exploit identified at time of analysis and EPSS probability sits at 0.02% (4th percentile), consistent with the vendor's own 'Low' severity classification - real-world impact is limited to integrity degradation with no confidentiality or availability consequence.

Apple Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker who convinces a victim to install a crafted malicious extension to circumvent CSP protections on web pages, enabling unauthorized content injection. The flaw stems from insufficient policy enforcement in Chrome's Extensions subsystem (CWE-602), rated Low severity by the Chromium security team with a CVSS base score of 4.3. No public exploit code exists and no active exploitation has been confirmed; EPSS is 0.01% (1st percentile), reflecting minimal real-world exploitation pressure at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

SafeBrowsing protection mechanism bypass in Google Chrome prior to version 149.0.7827.53 allows remote unauthenticated attackers to deliver malicious files that evade Chrome's built-in phishing and malware detection layer. The bypass is triggered through user interaction - such as visiting a crafted page or downloading a manipulated file - without requiring any special privileges or configuration. No public exploit has been identified and EPSS is 0.02% (4th percentile), indicating low current exploitation probability; however, successful exploitation silently removes a critical user-facing protection layer, enabling downstream malware delivery.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to version 149.0.7827.53 enables remote attackers to circumvent CSP protections via a crafted HTML page, with the victim's browser failing to enforce declared content restrictions. The vulnerability requires user interaction (UI:R) and produces limited integrity impact (I:L) only - no confidentiality or availability loss. EPSS at 0.02% (4th percentile) and no CISA KEV listing indicate negligible current exploitation activity; Chromium has internally rated this Low severity, aligning with the constrained impact scope.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 149.0.7827.53 stems from an inappropriate implementation in the browser's Permissions subsystem, enabling a remote attacker to circumvent CSP restrictions through a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the impact is limited to a partial integrity violation - no confidentiality or availability consequences are indicated. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and Chromium's own 'Low' severity rating together indicate very low near-term exploitation likelihood.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Cast component exposes users to limited cross-origin integrity violations via a crafted HTML page, affecting all desktop Chrome versions prior to 149.0.7827.53. An unauthenticated remote attacker can circumvent the browser's fundamental cross-origin boundary by exploiting insufficient input validation in the Cast subsystem, achieving a low-severity integrity impact against a visiting user. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) combined with Chromium's own 'Low' severity rating indicate minimal real-world exploitation risk.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

File System Access API in Google Chrome prior to 149.0.7827.53 allows a remote attacker to bypass discretionary access control (DAC) by convincing a user to perform specific UI gestures on a crafted HTML page. The CVSS vector (I:H, C:N, A:N) confirms the impact is limited to unauthorized file integrity compromise - an attacker could write or modify local files beyond what the user explicitly permitted. No public exploit code exists and EPSS is 0.02% (4th percentile), aligning with Chromium's own internal 'Low' severity rating, indicating limited real-world exploitation likelihood at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page to a victim. The flaw is classified by Google as an inappropriate implementation in the browser component, carrying a CVSS 4.3 (Medium) with limited integrity impact and no confidentiality or availability consequence. No public exploit has been identified at time of analysis, EPSS exploitation probability stands at 0.02% (4th percentile), and Google's internal Chromium severity rating is Low - consistent signals pointing to a low-urgency, routine-patch item outside of specialized deployment contexts.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Settings policy enforcement bypass in Google Chrome prior to 149.0.7827.53 enables remote attackers to circumvent discretionary access control by delivering a crafted HTML page to a victim who must interact with it. Rooted in CWE-284 (Improper Access Control), the flaw affects Chrome's Content Settings subsystem - which governs site-level permissions such as cookies, notifications, and script access - yielding a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified and the vulnerability is absent from CISA KEV; the vendor itself rates this as Low severity, consistent with the CVSS 4.3 base score.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Google Chrome's Password Manager (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass discretionary access control via a crafted HTML page, resulting in limited confidentiality exposure. This is a chained vulnerability: exploitation is contingent on a prior renderer process compromise, which substantially elevates attack complexity and limits realistic blast radius. No public exploit code exists and this CVE is not listed in the CISA KEV catalog. Google has rated this Low severity and released a fix in Chrome 149.0.7827.53.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Navigation restriction bypass in Google Chrome's Lens component prior to version 149.0.7827.53 allows a remote attacker to circumvent browser security boundaries via a crafted HTML page. The flaw requires user interaction (UI:R) to trigger, but no authentication, and Google classifies the Chromium security severity as Low despite the NVD CVSS of 8.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's IndexedDB implementation affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The integrity-only impact (C:N/I:H/A:N) means a successful exploitation could allow unauthorized writes or data manipulation across origins, but does not directly expose confidential data. No public exploit code has been identified at time of analysis, and Google's own Chromium security team rated this Low severity; a vendor-released patch is available at version 149.0.7827.53.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Same-origin policy bypass in Google Chrome's WebAuthentication component affects all Chrome versions prior to 149.0.7827.53, exploitable only by a remote attacker who has already compromised the renderer process. Insufficient input validation in the WebAuthn subsystem allows crafted HTML pages to circumvent same-origin restrictions, resulting in limited confidentiality disclosure (C:L). Chromium's own severity classification is Low, consistent with the CVSS 3.1 score of 3.1, and no public exploit or CISA KEV listing has been identified at time of analysis. The mandatory prerequisite of renderer process compromise significantly constrains the realistic attacker population to sophisticated, multi-stage threat actors.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Downloads subsystem prior to version 149.0.7827.53 enables a remote unauthenticated attacker to circumvent browser navigation controls by luring a user to a crafted HTML page. The flaw is rooted in an inappropriate implementation classified as CWE-346 (Origin Validation Error), meaning Chrome fails to properly validate the origin of requests or data within the Downloads flow. Rated Medium by CVSS (5.4) and Low by Chromium's own severity scale, no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome's Loader component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape Chrome's cross-site data boundary via a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input in the Loader, enabling a post-exploitation primitive that leaks limited confidentiality data across site boundaries. With a CVSS score of 3.1 (Low), EPSS at 0.02% (6th percentile), no CISA KEV listing, and Chromium's own classification as Low severity, this represents a low-urgency chained-exploit stepping stone rather than a standalone critical threat; no public exploit identified at time of analysis.

Authentication Bypass Google Chrome
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Inappropriate implementation in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a crafted Chrome Extension to access and read sensitive data from process memory. Exploitation requires social engineering a target user into installing a malicious extension, after which the extension can invoke under-guarded DevTools APIs to extract potentially sensitive in-memory content such as credentials, tokens, or session data. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% indicates very low observed exploitation probability; however, the confidentiality impact is rated High by CVSS.

Authentication Bypass Google Red Hat +2
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.

Authentication Bypass XSS Openai Atlas
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

CORS origin allowlist bypass in sanic-cors 2.2.0 and prior enables cross-origin access to authenticated resources by exploiting an unanchored regular expression in the origin-matching logic. The library's try_match() function in sanic_cors/core.py uses Python's re.match() - which matches only from the start of a string, not the full string - allowing an attacker who controls a domain prefixed with a trusted origin (e.g., trusted.example.com.attacker.com) to satisfy the allowlist check. Exploitation requires a victim user to visit an attacker-controlled page, placing this in a network-accessible, user-interaction-required threat model. No public exploit code has been identified at time of analysis, and no KEV listing exists.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.

Authentication Bypass Google
NVD VulDB
Prev Page 27 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31271

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy