Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Rather than cracking a password by brute force, the attacker manipulates the authentication process itself. The common pathways: hardcoded credentials embedded in source code, firmware or configuration files; parameters in an authentication request that, when altered, skip a verification step; session management that never actually binds the session to a verified identity; and endpoints that were assumed to sit behind the login page but are reachable without it.

Reconnaissance comes first: identify the authentication endpoints and work out their logic. The attacker then probes for default administrative credentials that were never changed, tests whether particular URL paths (alternate routes, encoded or double-slashed spellings, "internal" debug paths) skip the login requirement, or intercepts and modifies tokens to reach another account or a higher privilege level. In multi-step flows (password, then MFA, then a finishing redirect) the classic flaw is state that is kept on the client or checked only at the final step, so completing step one and jumping straight to the end grants full access.

More sophisticated variants target single sign-on (SSO), OAuth or reverse-proxy authentication, where a misconfigured trust relationship lets an attacker forge an assertion or simply supply the identity header the application expects only its proxy to set. Parameter tampering, such as changing "role=user" to "role=admin" in a request, tricks systems that read authorization attributes from the client instead of from their own user records. Note that much of what vendors file under this heading (and much of the list below) is strictly authorization bypass: the attacker does hold a valid session but reaches data or functions that the session should not permit, typically through an unchecked object identifier (IDOR) or a missing capability check. The distinction matters for the fix: authentication bypass is a flaw in proving who the caller is; authorization bypass is a flaw in deciding what that caller may do.
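The two flaws described above (a multi-step flow whose later steps can be skipped, and a role read from a client-controlled field) side by side with the hardened version, as an added example that is not part of the original page and not any vendor's code. The users, passwords, OTP codes and the hidden "role" field are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user records: username -> password, TOTP code, role.
USERS = {
    "alice": {"password": "correct-horse", "otp": "123456", "role": "user"},
    "root":  {"password": "hunter2",       "otp": "654321", "role": "admin"},
}


@dataclass
class Session:
    """Server-side session record (what a session cookie points at)."""
    user: Optional[str] = None
    role: Optional[str] = None
    stage: Optional[str] = None   # None -> "password" -> "authenticated"


def _password_ok(username, password):
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u["password"].encode(), password.encode())


# ---- vulnerable flow ------------------------------------------------------

def vuln_login(session, form):
    """Step 1 of 2. Bug: the role is read from a hidden form field the
    client controls, falling back to the real one only when it is absent."""
    if not _password_ok(form.get("username", ""), form.get("password", "")):
        return False
    session.user = form["username"]
    session.role = form.get("role", USERS[session.user]["role"])
    return True


def vuln_otp(session, form):
    """Step 2 of 2. Nothing forces the client to ever call this."""
    u = USERS.get(session.user)
    if u and hmac.compare_digest(u["otp"].encode(), form.get("otp", "").encode()):
        session.stage = "authenticated"
        return True
    return False


def vuln_dashboard(session):
    """Admin-only page. Bug: only checks that step 1 happened."""
    if session.user is None:
        return 401
    return 200 if session.role == "admin" else 403


# ---- hardened flow --------------------------------------------------------

def safe_login(session, form):
    if not _password_ok(form.get("username", ""), form.get("password", "")):
        return False
    session.user = form["username"]
    session.stage = "password"            # progress is recorded server-side only
    return True


def safe_otp(session, form):
    if session.stage != "password":       # step order is enforced
        return False
    u = USERS[session.user]
    if hmac.compare_digest(u["otp"].encode(), form.get("otp", "").encode()):
        session.stage = "authenticated"
        session.role = u["role"]          # role comes from the user record, never the request
        return True
    session.stage = None                  # a failed OTP restarts the flow
    return False


def safe_dashboard(session):
    if session.stage != "authenticated":  # every protected request checks the final state
        return 401
    return 200 if session.role == "admin" else 403


def demo():
    """Attacker knows alice's password (say, phished) but not her OTP, and adds
    a tampered role field. Returns (vulnerable, hardened, hardened + real OTP)."""
    tampered = {"username": "alice", "password": "correct-horse", "role": "admin"}

    s1 = Session(); vuln_login(s1, tampered)
    vulnerable = vuln_dashboard(s1)       # 200: OTP skipped, role accepted from client

    s2 = Session(); safe_login(s2, tampered)
    hardened = safe_dashboard(s2)         # 401: OTP step never completed

    s3 = Session(); safe_login(s3, tampered); safe_otp(s3, {"otp": "123456"})
    legit = safe_dashboard(s3)            # 403: alice is authenticated, but not an admin
    return vulnerable, hardened, legit
```

The point of the hardened version is that the only thing the client can influence is which step it attempts next; whether a step counts, and what the session is allowed to do afterwards, is decided entirely from the server-side record.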

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — raises the cost when the primary factor is what was bypassed (a stolen, default or hardcoded password); it does not help against flaws that skip the whole flow, such as a missing check on an endpoint or an MFA step that can be jumped over, so completion of every factor must be enforced server-side on each protected request
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — deny by default: every route requires valid authentication unless it is on an explicit allowlist matched against the normalized path the router actually dispatches; no "hidden" administrative paths, alternate routes or debug endpoints
  • Implement proper session management — issue session and password-reset tokens from a cryptographically secure random source, keep all login-flow state (including which MFA steps are complete) in the server-side session record rather than in client-supplied fields, validate on every request, and enforce expiry and single use for reset tokens
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (7658)

EPSS 0% CVSS 8.1
HIGH PATCH This Week

DOM security bypass in Firefox and Thunderbird allows remote attackers to circumvent protective mitigations through user interaction, affecting multiple versions across both products. An attacker can exploit this to achieve high-impact compromise of confidentiality and integrity without requiring authentication. Currently no patch is available for affected users.

Mozilla Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. [CVSS 8.1 HIGH]

Authentication Bypass Manageengine Access Manager Plus Manageengine Password Manager Pro +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

ManageEngine ADSelfService Plus before 6519 has an authentication bypass due to improper filter configurations. As a self-service password management tool for Active Directory, compromise enables mass password resets across the enterprise. Patch available.

Authentication Bypass Manageengine Adselfservice Plus
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.

Authentication Bypass IoT Industrial
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Netweaver Application Server Abap versions up to 700 are affected by missing authorization (CVSS 8.1).

Authentication Bypass Netweaver Application Server Abap
NVD
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

Opencode versions up to 1.0.216 are affected by missing authentication for critical function (CVSS 8.8).

Authentication Bypass RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

WebErpMesV2 versions prior to 1.19 expose unauthenticated API endpoints that allow remote attackers to read sensitive manufacturing and business data including orders, quotes, and tasks without credentials. Public exploit code exists for this vulnerability, and attackers can additionally create company records and manipulate collaboration whiteboards. A patch is available in version 1.19 and should be applied immediately to restrict API access.

Authentication Bypass Wem
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.

PHP SQLi Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.

PHP SQLi Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. [CVSS 8.2 HIGH]

Authentication Bypass Xmall
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Lychee photo management tool versions before 7.1.0 contain an authorization bypass in the album password unlock mechanism that allows authenticated users to access multiple password-protected albums by unlocking just one that shares the same password. Public exploit code exists for this vulnerability. Administrators should upgrade to version 7.1.0 or later to prevent unauthorized access to protected photo collections.

Authentication Bypass Lychee
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. PoC available, patch available.

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Ontap versions up to 9.16.1 are affected by authorization bypass through user-controlled key (CVSS 4.3).

Authentication Bypass Ontap
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Acora CMS v10.7.1 uses a static, predictable password reset token. Attackers can replay this token to reset any user's password and take over their account, including admin accounts. Maximum CVSS 10.0 with scope change.

Authentication Bypass Session Fixation Cm3 Acora Cms
NVD GitHub
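The session-management mitigation above asks for tokens that are random, validated server-side and time-limited; the Acora CMS entry shows the opposite, a single static reset token that anyone can replay. The following is an added example of a reset-token store with those properties, written for this page rather than taken from Acora or any other project; the TTL, user names and the static placeholder value are constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (constructed policy)


class ResetTokenStore:
    """Tokens are random, stored only as a SHA-256 digest, bound to one
    user, expire, and are consumed on first presentation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Store a digest so a database leak does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._clock() + TOKEN_TTL)
        return token                                 # goes to the user's mailbox only

    def redeem(self, username: str, token: str) -> bool:
        entry = self._pending.pop(self._digest(token), None)   # single use, whatever happens next
        if entry is None:
            return False
        owner, expires_at = entry
        # Bound to the account that requested it, and must still be fresh.
        return (hmac.compare_digest(owner.encode(), username.encode())
                and self._clock() <= expires_at)


# Anti-pattern: one fixed value for everyone. Whoever has seen it once can
# reset any account, any number of times. Constructed placeholder value.
STATIC_TOKEN = "reset-9f3a"


def static_redeem(username: str, token: str) -> bool:
    return token == STATIC_TOKEN            # no binding, no expiry, reusable


def demo():
    now = [1_000_000.0]                     # fake clock so expiry is testable
    store = ResetTokenStore(clock=lambda: now[0])

    t1 = store.issue("alice")
    first = store.redeem("alice", t1)       # True
    replay = store.redeem("alice", t1)      # False: already consumed

    t2 = store.issue("alice")
    wrong_user = store.redeem("bob", t2)    # False: bound to alice

    t3 = store.issue("carol")
    now[0] += TOKEN_TTL + 1
    expired = store.redeem("carol", t3)     # False: past TTL

    static_reusable = static_redeem("admin", STATIC_TOKEN) and static_redeem("bob", STATIC_TOKEN)

    return {"first": first, "replay": replay, "wrong_user": wrong_user,
            "expired": expired, "static_reusable": static_reusable}
```

The same shape applies to session identifiers: generate with secrets, look up server-side, expire, and rotate on privilege change. A token that is predictable or shared is not a credential, it is a public URL.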
EPSS 0% CVSS 9.8
CRITICAL Act Now

Automai BotManager v25.2.0 allows unauthenticated remote code execution via the BotManager.exe component due to improper certificate validation. Attackers can execute arbitrary code on systems running the bot management agent.

Authentication Bypass RCE Botmanager
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file [CVSS 8.2 HIGH]

Authentication Bypass Director
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. [CVSS 8.1 HIGH]

Authentication Bypass Documents Documents Compose
NVD
EPSS 0% CVSS 8.1
HIGH This Week

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. [CVSS 8.1 HIGH]

Authentication Bypass Inbox
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. [CVSS 8.1 HIGH]

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows +2
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Flycatcher Toys smART Sketcher versions up to 2.0 lack authentication in the Bluetooth Low Energy interface, allowing unauthenticated attackers on the local network to manipulate device functionality and potentially access sensitive data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. [CVSS 8.1 HIGH]

Apache Authentication Bypass Nimble
NVD GitHub
EPSS 5% CVSS 7.3
HIGH POC This Week

Operation And Maintenance Security Management System versions up to 3.0.8 are affected by improper access control (CVSS 7.3).

File Upload Authentication Bypass Operation And Maintenance Security Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Cosign's bundle verification mechanism fails to properly validate that embedded Rekor entries reference the correct artifact digest, signature, and public key, allowing an attacker with a compromised signing identity to forge valid bundles and bypass transparency log verification. A malicious actor could exploit this to create counterfeit signatures that pass validation checks, affecting users relying on Cosign for container and binary code signing verification. Public exploit code exists for this vulnerability; patches are available in versions 2.6.2 and 3.0.4.

Authentication Bypass Cosign Redhat +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. [CVSS 3.5 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]

Apple Authentication Bypass Redhat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]

Authentication Bypass Shiori Suse
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. [CVSS 8.2 HIGH]

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compr...

Authentication Bypass
NVD
EPSS 0%
This Week

The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges.

Authentication Bypass
NVD
EPSS 0%
Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface.

Authentication Bypass Information Disclosure
NVD
EPSS 0%
Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface.

Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. [CVSS 5.9 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Android versions up to 13.0 contain a vulnerability that allows attackers to bypass Carrier Relock (CVSS 4.6).

Authentication Bypass Android
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Android versions up to 15.0 contain a vulnerability that allows attackers to execute privileged APIs (CVSS 7.8).

Authentication Bypass Android
NVD
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

KAYSUS KS-WR3600 router (firmware 1.0.5.9.1) has session validation bypass – if any user is logged in, endpoints accept unauthenticated requests. Attackers piggyback on active sessions to execute privileged actions. PoC available.

Authentication Bypass Ks Wr3600 Firmware
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]

Authentication Bypass Fun Print
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Soft Serve versions prior to 0.11.2 contain an authorization bypass in the LFS lock deletion endpoint that allows authenticated users to forcibly delete locks owned by other users by exploiting improper validation order. Any user with repository write access can leverage this vulnerability to disrupt collaborative workflows by removing locks created by teammates. A public exploit exists and patches are available.

Authentication Bypass Soft Serve Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Ecase Ecomplaint versions up to 9.0.45.0 are affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass Ecase Ecomplaint
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

OPEXUS eCasePortal before 9.0.45.0 allows unauthenticated access to the Attachments.aspx endpoint with predictable formid values. Attackers can download, delete, or upload files without authentication.

Authentication Bypass Ecase Portal
NVD
EPSS 0% CVSS 7.6
HIGH This Week

OPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restrictions by manipulating client-side JavaScript or crafting direct HTTP requests to re-enable disabled functions and buttons. This vulnerability affects eCASE Platform versions prior to 11.14.1.0 and could enable attackers to perform unauthorized actions that administrators have explicitly blocked. No patch is currently available for affected deployments.

Authentication Bypass Ecase Audit
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Kirby CMS versions 5.0.0-5.2.1 fail to enforce permission checks in the content changes API, allowing authenticated users with restricted roles to modify site content despite having update permissions disabled. This affects only installations with custom permission configurations designed to prevent write access for specific user roles. A patch is available in version 5.2.2.

Authentication Bypass Kirby
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Munir Kamal Block Slider through version 2.2.3 fails to properly enforce access control, allowing authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials could exploit this missing authorization check to read confidential data. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Docket Cache versions through 24.07.04 contain an access control bypass that allows authenticated users to perform unauthorized actions due to improper permission validation. An attacker with valid credentials can exploit this vulnerability to cause denial of service or access restricted functionality. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Wptexture Image Slider Slideshow versions through 1.8 contain an authorization bypass flaw that allows authenticated users to modify content by manipulating access control parameters. An attacker with user-level access could exploit incorrectly configured security controls to perform unauthorized actions beyond their assigned privileges. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Inadequate access control in IdeaBox Creations Dashboard Welcome for Beaver Builder (versions through 1.0.8) permits unauthorized users to modify data without proper authentication. An unauthenticated attacker can exploit misconfigured security levels to perform unauthorized actions over the network with no user interaction required. No patch is currently available to address this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Baqend Speed Kit versions through 2.0.2 contain an authorization bypass that allows authenticated users to modify data by exploiting misconfigured access control levels. An attacker with valid credentials could escalate privileges to alter information they should not have permission to change. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Hakob Re Gallery & Responsive Photo Gallery Plugin through version 1.17.18 contains an authorization bypass that permits unauthenticated attackers to modify gallery content due to improperly enforced access controls. This vulnerability affects all installations of the plugin and could allow attackers to alter or deface photo galleries without authentication. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Ax1800 Firmware versions up to 4.2.0 are affected by improper restriction of excessive authentication attempts (CVSS 6.5).

Authentication Bypass Ax1800 Firmware
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Ax1800 Firmware versions up to 4.2.0 are affected by improper restriction of excessive authentication attempts (CVSS 5.1).

Authentication Bypass Ax1800 Firmware
NVD
EPSS 0%
Monitor

An Improper Authorization vulnerability in Foomuuri allows arbitrary users to influence the firewall configuration. This issue affects Foomuuri: from ? before 0.31.

Authentication Bypass
NVD
EPSS 0%
Monitor

Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs.

Authentication Bypass
NVD
EPSS 14% CVSS 9.4
CRITICAL POC THREAT Emergency

ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not properly validated during login. Attackers can access the system using known service account names with any password. PoC available, EPSS 13.6%.

Authentication Bypass Zimaos
NVD GitHub
EPSS 0%
Monitor

Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

n8n versions 0.150.0 through 2.2.1 lack webhook signature verification in the Stripe Trigger node, enabling unauthenticated attackers to forge Stripe events and trigger workflows by sending crafted POST requests to known webhook URLs. Affected users with active Stripe Trigger workflows could experience unauthorized execution of automation logic, potentially allowing attackers to simulate fraudulent payment or subscription events. A patch is available in version 2.2.2 and later.

Authentication Bypass N8n
NVD GitHub
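What the n8n Stripe Trigger was missing is a signature check on the incoming webhook before any workflow runs. The block below is an added example, not n8n's or Stripe's code; it follows Stripe's documented scheme (HMAC-SHA256 over "<timestamp>.<raw body>", carried in the Stripe-Signature header as t=...,v1=...) and the endpoint secret, event body and timestamps are constructed.

```python
import hashlib
import hmac

TOLERANCE = 300  # seconds; refuses a captured, genuine event replayed later


def _expected(secret: str, payload: bytes, ts: int) -> str:
    # Sign the RAW request bytes, never a re-serialized JSON object:
    # any whitespace or key-order change would break the MAC.
    return hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()


def sign(secret: str, payload: bytes, ts: int) -> str:
    """Build the header value the sender would attach (used here to make test input)."""
    return f"t={ts},v1={_expected(secret, payload, ts)}"


def verify(secret: str, payload: bytes, header: str, now: int) -> bool:
    """True only if the timestamp is fresh and at least one v1 signature matches."""
    ts_field, candidates = "", []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            ts_field = value
        elif key == "v1":
            candidates.append(value)
    try:
        ts = int(ts_field)
    except ValueError:
        return False
    if abs(now - ts) > TOLERANCE:
        return False
    expected = _expected(secret, payload, ts)
    # compare_digest is constant-time per candidate, so a forger learns
    # nothing from response timing.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def handle_webhook(secret: str, raw_body: bytes, header: str, now: int) -> str:
    """Order matters: verify first, parse and act only afterwards."""
    if not verify(secret, raw_body, header, now):
        return "rejected"
    return "processed:" + raw_body.decode()


def demo():
    secret = "whsec_constructed_example_secret"       # constructed, not a real key
    body = b'{"type":"invoice.paid","data":{"object":{"id":"in_123"}}}'
    now = 1_700_000_000
    genuine = sign(secret, body, now)
    forged_unsigned = "t=%d,v1=%s" % (now, "00" * 32)   # attacker guesses a MAC
    forged_other_key = sign("whsec_attacker_guess", body, now)
    stale = sign(secret, body, now - 3600)               # real event captured an hour ago
    return {
        "genuine": handle_webhook(secret, body, genuine, now),
        "forged_unsigned": handle_webhook(secret, body, forged_unsigned, now),
        "forged_other_key": handle_webhook(secret, body, forged_other_key, now),
        "stale": handle_webhook(secret, body, stale, now),
        "tampered_body": handle_webhook(secret, body.replace(b"in_123", b"in_999"), genuine, now),
    }
```

Without this check, anyone who discovers the webhook URL can post an arbitrary "invoice.paid" event; with it, only the holder of the endpoint secret can, and only within the tolerance window.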
EPSS 0% CVSS 5.3
MEDIUM This Month

G5Theme Zorka versions up to 1.5.7 contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. An attacker can exploit this to perform unauthorized state-changing operations without proper authentication or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Support: from n/a through <= 1.10.4. [CVSS 8.8 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

WofficeIO Woffice Core woffice-core is affected by authorization bypass through user-controlled key (CVSS 8.1).

Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6. [CVSS 8.1 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Timetics WordPress plugin (through 1.0.46) allows authentication bypass via alternate path, enabling unauthenticated admin access to the booking system.

Industrial Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Aruba HiSpeed Cache WordPress plugin (before 3.0.3) has missing authorization allowing unauthenticated access to cache management functions with full CIA impact.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Felan Framework for WordPress (through 1.1.3) allows authentication bypass through an alternate path, enabling unauthenticated admin access.

Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. [CVSS 8.1 HIGH]

Authentication Bypass WordPress PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Blockons WordPress plugin (through 1.2.15) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

REHub Framework for WordPress (through 19.9.5) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. [CVSS 5.9 MEDIUM]

Authentication Bypass Curl Suse +1
NVD
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The application trusts HTTP headers for authentication without verifying the request came from the reverse proxy. Any attacker can impersonate any user including admins. PoC available, patch available.

Authentication Bypass Kanboard
NVD GitHub
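The Kanboard entry above is the reverse-proxy trust mistake described in How It Works: the application reads an identity header without establishing that the proxy, and not the client, put it there. The following is an added example of both versions, written for this page and not taken from Kanboard; the proxy subnet, header names, shared secret and request objects are constructed.

```python
import hmac
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]     # only the proxy may assert identity
PROXY_SECRET = "constructed-shared-secret"        # set in the proxy config, rotated out of band
IDENTITY_HEADER = "X-Remote-User"
PROXY_AUTH_HEADER = "X-Proxy-Auth"


def vuln_current_user(request):
    """REVERSE_PROXY_AUTH done wrong: believes the header from any sender."""
    return request["headers"].get(IDENTITY_HEADER)


def safe_current_user(request):
    """Accept the identity header only when the TCP peer is a listed proxy
    and that peer proves itself with the shared secret. Anything else is
    treated as anonymous, even if it carries an identity header."""
    peer = ip_address(request["remote_addr"])
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    presented = request["headers"].get(PROXY_AUTH_HEADER, "")
    if not hmac.compare_digest(presented.encode(), PROXY_SECRET.encode()):
        return None
    return request["headers"].get(IDENTITY_HEADER) or None


def demo():
    # Constructed requests. 10.0.0.5 is the proxy; 203.0.113.7 is an external
    # attacker reaching the app port directly; 10.0.0.9 is a compromised host
    # inside the proxy subnet that does not know the secret.
    via_proxy = {"remote_addr": "10.0.0.5",
                 "headers": {IDENTITY_HEADER: "alice", PROXY_AUTH_HEADER: PROXY_SECRET}}
    direct = {"remote_addr": "203.0.113.7",
              "headers": {IDENTITY_HEADER: "admin"}}
    insider = {"remote_addr": "10.0.0.9",
               "headers": {IDENTITY_HEADER: "admin", PROXY_AUTH_HEADER: "guess"}}
    return {
        "vuln_direct": vuln_current_user(direct),        # "admin": anyone is anyone
        "safe_via_proxy": safe_current_user(via_proxy),  # "alice"
        "safe_direct": safe_current_user(direct),        # None
        "safe_insider": safe_current_user(insider),      # None: wrong secret
    }
```

Two things the code cannot do for you: the proxy must overwrite (not merely append to) any X-Remote-User the client sends, and the application port should not be reachable except from the proxy. The peer check and the shared secret are defence in depth for when one of those is misconfigured.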
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Unauthorized access control in Titra versions 0.99.49 and earlier enables authenticated users to view and modify time entries belonging to other users in private projects without proper authorization. Public exploit code exists for this vulnerability, affecting deployments that have not upgraded to version 0.99.50. The flaw allows authenticated attackers to compromise data integrity and confidentiality of other users' tracked time information.

Authentication Bypass Titra
NVD GitHub
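Several entries on this page (xmall's /member/orderList userId, the Viafirma IDORs, the ONTAP and eCase user-controlled keys, Titra's cross-user time entries) share one root cause: a lookup keyed by an identifier the client supplies, with no check that the session's subject may see that object. An added example of the missing object-level authorization check, written for this page and not taken from any of those projects; the orders, roles and identifiers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: int


# Constructed data store.
ORDERS = {
    1001: Order(1001, "alice", 42),
    1002: Order(1002, "bob", 99),
}
ADMINS = {"ops"}


class Forbidden(Exception):
    pass


def vuln_order_list(session_user: str, query: dict):
    """Filters by a userId taken from the query string, so any
    authenticated user can enumerate everyone else's orders."""
    target = query.get("userId", session_user)
    return [o for o in ORDERS.values() if o.owner == target]


def safe_order_list(session_user: str, query: dict):
    """The subject is the session identity. A userId parameter is honoured
    only for administrators; everyone else is pinned to themselves."""
    requested = query.get("userId")
    if requested is not None and requested != session_user and session_user not in ADMINS:
        raise Forbidden(f"{session_user} may not read orders of {requested}")
    target = requested or session_user
    return [o for o in ORDERS.values() if o.owner == target]


def safe_order_detail(session_user: str, order_id: int):
    """Single-object access: load, then check ownership before returning."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner != session_user and session_user not in ADMINS):
        # Same outcome for "does not exist" and "not yours", so an attacker
        # cannot probe which identifiers are live.
        raise Forbidden("order not available")
    return order


def demo():
    out = {}
    out["vuln_cross_user"] = [o.order_id for o in vuln_order_list("alice", {"userId": "bob"})]
    try:
        safe_order_list("alice", {"userId": "bob"})
        out["safe_cross_user"] = "allowed"
    except Forbidden:
        out["safe_cross_user"] = "forbidden"
    out["safe_self"] = [o.order_id for o in safe_order_list("alice", {})]
    out["safe_admin"] = [o.order_id for o in safe_order_list("ops", {"userId": "bob"})]
    try:
        safe_order_detail("alice", 1002)
        out["detail_cross"] = "allowed"
    except Forbidden:
        out["detail_cross"] = "forbidden"
    return out
```

The rule generalizes: never derive the subject of an authorization decision from request parameters; derive it from the authenticated session and treat every client-supplied identifier as naming an object whose ownership must be checked.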
EPSS 0% CVSS 5.9
MEDIUM POC This Month

Facesentry Access Control System Firmware versions up to 5.7.0 are affected by cleartext transmission of sensitive information (CVSS 5.9).

Authentication Bypass Information Disclosure Facesentry Access Control System Firmware
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. [CVSS 4.3 MEDIUM]

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. [CVSS 7.1 HIGH]

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Tarkov Data Manager's login endpoint can be bypassed using JavaScript prototype property access combined with loose equality type coercion. Any unauthenticated user can gain full admin access. Fixed in January 2025 commits.

Authentication Bypass Tarkov Data Manager
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Hcl Devops Deploy versions up to 8.1.2.3 are affected by insufficiently protected credentials (CVSS 4.9).

Authentication Bypass AI / ML Hcl Devops Deploy
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
EPSS 0%
PATCH This Week

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials.

Authentication Bypass
NVD GitHub
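The OpenFlagr entry above and the "enforce authentication on all endpoints" mitigation describe the same gate: a public allowlist that is matched before the path is normalized, or by prefix, lets a crafted path reach a protected route. The following is an added example of the naive gate beside a deny-by-default one that matches the normalized path exactly; it is written for this page and is not OpenFlagr's middleware, and the routes, header names and token are constructed. The normalization is the general case (percent-decoding, duplicate slashes, dot segments) rather than any one product's specific bypass string.

```python
import posixpath
from urllib.parse import unquote

PUBLIC = {"/healthz", "/docs"}          # exact paths that need no credentials
VALID_TOKENS = {"constructed-token"}     # stand-in for real session or API-key auth


def normalize(path: str) -> str:
    """Decode percent-encoding, collapse '//' and resolve './' and '../',
    i.e. produce the path the router will actually dispatch on."""
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)      # "/a/../b" -> "/b", "/a//b" -> "/a/b"
    if norm.startswith("//"):            # normpath keeps a POSIX double leading slash
        norm = "/" + norm.lstrip("/")
    return norm


def vuln_gate(raw_path: str, headers: dict) -> bool:
    """Allowlist matched by prefix on the raw path, before normalization."""
    if any(raw_path.startswith(p) for p in PUBLIC):
        return True
    return headers.get("Authorization") in VALID_TOKENS


def safe_gate(raw_path: str, headers: dict) -> bool:
    """Deny by default: exact match against the normalized path, else auth."""
    if normalize(raw_path) in PUBLIC:
        return True
    return headers.get("Authorization") in VALID_TOKENS


def demo():
    """Returns name -> (vulnerable gate allows?, safe gate allows?, normalized path)
    for unauthenticated requests."""
    anon = {}
    cases = {
        "plain_protected": "/api/v1/flags",
        "traversal": "/healthz/../api/v1/flags",      # router sees /api/v1/flags
        "encoded_traversal": "/docs/%2e%2e/api/v1/flags",
        "prefix_sibling": "/docs-internal/export",     # starts with "/docs", is not /docs
        "public": "/healthz",
    }
    return {name: (vuln_gate(p, anon), safe_gate(p, anon), normalize(p))
            for name, p in cases.items()}
```

The gate and the router must agree on what a path means; the safest placement is inside the dispatch layer so the check sees exactly the path the handler receives, decoded once. Keep the allowlist short and exact, and make "not on the list" mean "authenticate", never the reverse.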
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oneline Lite: from n/a through 6.6. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.8.1.1. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 are affected by insufficient session expiration (CVSS 2.0).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (Merc...

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Quote Comments (WordPress plugin) versions up to 3.0.0 are affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. [CVSS 5.3 MEDIUM]

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. [CVSS 7.5 HIGH]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Rankology SEO and Analytics Tool (WordPress plugin) is affected by improper authorization (CVSS 2.7).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

wolfSSH through 1.4.21 has a key exchange state machine vulnerability that can leak client passwords in cleartext, trick clients into sending bogus signatures, or skip user authentication entirely. A fundamental protocol implementation flaw.

Authentication Bypass Wolfssh
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
7658
