Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Rather than cracking passwords through brute force, authentication bypass attacks manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
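The role-tampering pattern from "How It Works" beside a handler that applies the mitigations above (server-side session lookup, timeout enforcement, least privilege), as an added example that is not code from the original page or from any product it names. `SESSION_STORE` and the handler names are hypothetical, and the request is a plain dict standing in for a parsed HTTP request.

```python
"""Authorization derived from a server-side session instead of a client-supplied role.

Added example: SESSION_STORE, create_session and the two handlers are hypothetical
names; the request dict stands in for a parsed HTTP request.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user_id: str
    role: str
    expires_at: float  # time.monotonic() deadline


# Server-side session store: token -> Session (starts empty; filled by create_session).
SESSION_STORE: Dict[str, Session] = {}


def create_session(user_id: str, role: str, ttl_seconds: int = 900) -> str:
    """Issue a cryptographically random token and record the role server-side.
    The role is decided here, at login, never from later request input."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = Session(user_id, role, time.monotonic() + ttl_seconds)
    return token


def vulnerable_handler(request: dict) -> Tuple[int, str]:
    """The flaw described in the text: the role is read from the request body,
    so changing role=user to role=admin is enough to reach the admin panel."""
    if request.get("role") == "admin":
        return 200, "admin panel"
    return 403, "forbidden"


def hardened_handler(request: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Every request must present a valid session token; the role comes from the
    server-side record and any client-supplied 'role' field is ignored."""
    now = time.monotonic() if now is None else now
    token = request.get("headers", {}).get("Authorization", "")
    session = SESSION_STORE.get(token)
    if session is None:
        return 401, "authentication required"
    if now >= session.expires_at:
        SESSION_STORE.pop(token, None)  # enforce the timeout policy by discarding it
        return 401, "session expired"
    if session.role != "admin":  # least privilege: a valid user is still not an admin
        return 403, "forbidden"
    return 200, "admin panel"


if __name__ == "__main__":
    tampered = {"role": "admin"}
    print("vulnerable:", vulnerable_handler(tampered))  # tampering succeeds
    print("hardened, no token:", hardened_handler(tampered))
    user_token = create_session("alice", "user")
    tampered["headers"] = {"Authorization": user_token}
    print("hardened, user token + tampered role:", hardened_handler(tampered))
```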
Recent CVEs (9466)
Improper authentication on an undocumented administrative endpoint in ArcGIS Server 11.1 through 12.0 allows unauthenticated remote attackers to disrupt the web-based browsing interface by sending a crafted HTTP request. The vulnerability is classified as CWE-287 and carries a CVSS 5.3 medium score, reflecting network-reachable, zero-privilege exploitation offset by limited impact (integrity only, no confidentiality or availability loss). No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthorized data disclosure in Splunk AI Toolkit versions below 5.7.3 allows authenticated low-privileged users to bypass srchFilter-based access controls and read confidential data scoped to more restricted custom roles. The flaw stems from the Splunk platform's behavior of combining inherited search filters via the OR SPL operator, causing the permissive filter injected by the AI Toolkit's authorize.conf to override stricter filters on child roles. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the CVSS confidentiality impact is rated High, making this a meaningful data exposure risk in multi-tenant or compliance-sensitive Splunk deployments.
Account takeover via IdP linking proof reuse in Red Hat Build of Keycloak allows an authenticated attacker with an account on the same external Identity Provider to hijack another user's local Keycloak account. The cross-session verification proof generated during the IdP account linking flow is scoped only to the tuple (local userId, idpAlias) and is not cryptographically bound to the specific upstream identity that completed verification, enabling a second IdP account - controlled by the attacker - to consume that proof and become linked to the victim's local account. No public exploit has been identified at time of analysis and the flaw is not listed in the CISA KEV catalog, though the high Confidentiality and Integrity impact (CVSS C:H/I:H) reflects the severity of a successful account takeover.
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.
Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.
HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.
Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.
{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.
Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit has been identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
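The defect class behind the entry above, a permission callback satisfied by an unset secret, written in Python as an added example (not the plugin's code). Python has no `'0' == false` juggling, so the equivalent here is `None == None`: a fresh install with no stored token and a request with no header compare equal. The function names are hypothetical.

```python
"""Fail-closed shared-secret check for a REST permission callback.

Added example, not code from the plugin described above. Shows the same bug class
(unset stored secret satisfying an equality check) and a hardened version.
"""
import hmac
from typing import Optional


def permission_callback_vulnerable(request_headers: dict, stored_token: Optional[str]) -> bool:
    """Naive check: plain equality between the header and the stored token.
    Before setup completes, stored_token is None; a request without the
    OliverAuth header yields None == None -> True, so every endpoint opens."""
    return request_headers.get("OliverAuth") == stored_token


def permission_callback_hardened(request_headers: dict, stored_token: Optional[str]) -> bool:
    """Fail closed: an unset, empty or non-string stored token means nobody is
    authorized yet. Otherwise require a non-empty string header and compare in
    constant time so the check is neither type-confusable nor timing-leaky."""
    if not isinstance(stored_token, str) or not stored_token:
        return False
    presented = request_headers.get("OliverAuth")
    if not isinstance(presented, str) or not presented:
        return False
    # compare_digest insists on same-typed inputs; no loose coercion can occur here.
    return hmac.compare_digest(presented.encode(), stored_token.encode())


if __name__ == "__main__":
    fresh_install_token = None  # connection wizard not yet completed
    print("vulnerable, no header, no token:",
          permission_callback_vulnerable({}, fresh_install_token))  # True
    print("hardened, no header, no token:",
          permission_callback_hardened({}, fresh_install_token))  # False
    print("hardened, correct token:",
          permission_callback_hardened({"OliverAuth": "s3cret"}, "s3cret"))  # True
```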
Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.
Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.
Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.
Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.
Privilege escalation in Veritas InfoScale CmdServer prior to version 7.4.2 allows authenticated remote attackers to bypass access control restrictions and achieve full compromise of confidentiality, integrity, and availability on the targeted host. The flaw is tagged as an authentication bypass by intelligence sources and carries a CVSS 8.8 (High) rating; no public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.
Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.
IP allowlist/blocklist bypass in Caddy Defender versions prior to 0.10.1 lets attackers from blocked IP ranges evade filtering when Caddy sits behind a trusted proxy, CDN, or load balancer. The module evaluated requests against r.RemoteAddr (the proxy's IP) instead of Caddy's resolved client_ip variable, so any source whose true IP should have been blocked could reach protected backends. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.
Authorization bypass in LIVE555 RTSP server (versions before 2026.04.22) allows remote unauthenticated attackers to hijack active streaming sessions by replaying valid Session tokens over a separate TCP connection. By issuing PLAY or TEARDOWN commands with a captured token, attackers can crash the server via virtual function call errors or terminate legitimate viewers' streams. Publicly available exploit code exists and a vendor patch has been released; the issue is not listed in CISA KEV as actively exploited at time of analysis.
Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; the issue is not listed in CISA KEV at time of analysis.
Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.
Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.
Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.
Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.
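Both the Caddy Defender entry (filtering on the proxy's address instead of the real client) and the HestiaCP entry above (trusting CF-Connecting-IP from anyone) are failures of client-IP derivation. The following is an added example, not code from Caddy, HestiaCP or Cloudflare: the forwarding header is honoured only when the TCP peer is a trusted proxy, and the ACL is then evaluated against the derived address. `TRUSTED_PROXIES` and `BLOCKLIST` are constructed sample ranges, and the function names are hypothetical.

```python
"""Client IP derivation behind a reverse proxy, vulnerable and hardened.

Added example, not code from any product named on the page. TRUSTED_PROXIES and
BLOCKLIST are constructed sample ranges from RFC 5737 documentation space.
"""
import ipaddress
from typing import Dict

# Constructed: the range our CDN / load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: a source range the administrator has chosen to block.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]
FORWARD_HEADER = "CF-Connecting-IP"


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def client_ip_vulnerable(remote_addr: str, headers: Dict[str, str]) -> str:
    """HestiaCP-style flaw: the header is trusted unconditionally, so a client
    connecting directly can name any address it likes."""
    return headers.get(FORWARD_HEADER, remote_addr)


def client_ip_hardened(remote_addr: str, headers: Dict[str, str]) -> str:
    """Honour the forwarding header only when the TCP peer is a trusted proxy.
    A direct connection, or a malformed header value, resolves to the peer itself."""
    if _in_any(remote_addr, TRUSTED_PROXIES):
        forwarded = headers.get(FORWARD_HEADER, "").strip()
        if forwarded:
            try:
                return str(ipaddress.ip_address(forwarded))
            except ValueError:
                pass  # garbage in the header: fall through to the peer address
    return remote_addr


def acl_allows_vulnerable(remote_addr: str, headers: Dict[str, str]) -> bool:
    """Caddy Defender-style flaw: the blocklist is checked against the peer
    address, which behind a proxy is always the proxy, so nothing is ever blocked."""
    return not _in_any(remote_addr, BLOCKLIST)


def acl_allows(remote_addr: str, headers: Dict[str, str]) -> bool:
    """Evaluate the blocklist against the properly derived client address."""
    return not _in_any(client_ip_hardened(remote_addr, headers), BLOCKLIST)


if __name__ == "__main__":
    # Direct connection from a blocked range, spoofing the header.
    spoof = {FORWARD_HEADER: "192.0.2.1"}
    print("direct, vulnerable ->", client_ip_vulnerable("198.51.100.7", spoof))
    print("direct, hardened   ->", client_ip_hardened("198.51.100.7", spoof))
    # Blocked client arriving legitimately through the trusted proxy.
    via_proxy = {FORWARD_HEADER: "198.51.100.7"}
    print("via proxy, vulnerable ACL allows:", acl_allows_vulnerable("203.0.113.5", via_proxy))
    print("via proxy, hardened ACL allows:  ", acl_allows("203.0.113.5", via_proxy))
```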
Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.
Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit has been identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.
Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.
Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.
Unauthorized PII disclosure in Red Hat Build of Keycloak allows a low-privilege administrator holding only the 'view-clients' role to enumerate user identities and authorization grants across the entire realm by invoking the 'evaluate-scopes' Admin API endpoint with an arbitrary userId parameter. The vulnerability is an Insecure Direct Object Reference (CWE-639) in the Admin API layer, exploitable remotely over the network without requiring additional user interaction. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and clear abuse path make targeted insider or compromised-credential scenarios a realistic concern.
Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.
Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Broken access control on the /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the full content of messages from rooms they have no membership in - including private groups, direct messages, and channels - by supplying only a valid message ID. The vulnerability stems from the complete absence of a room-level authorization check (canAccessRoomIdAsync is never invoked) before the message fetch via Messages.findOneById(). No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) means successful exploitation exposes sensitive private communications organization-wide.
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. Publicly available exploit code exists, though EPSS rates exploitation probability at only 0.06% (17th percentile), consistent with a low-deployment open-source project rather than mass exploitation.
Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.
{session_id}/assign-user endpoint. An attacker who can guess or otherwise learn a target session_id can reassign that session to themselves, read its conversation contents, and lock the legitimate owner out. No public exploit identified at time of analysis, and the issue is fixed in 0.6.51 per the upstream GHSA-q58p-v9r9-7gqj advisory.
Broken access control in HCL Connections exposes an integrity risk where an authenticated low-privileged user can update data outside their intended authorization scope under specific conditions. The CVSS vector (AV:N/AC:L/PR:L/UI:R) confirms the attack is network-reachable, requires only low-privilege credentials, and involves some form of user interaction. No public exploit code has been identified and HCL Connections is not listed in the CISA KEV catalog, placing this in a moderate-priority remediation tier for most organizations, though environments where data integrity in Connections is business-critical should treat it with elevated urgency.
Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.
Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.
Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.
Row action trigger endpoint in Budibase allows authenticated low-privilege users to execute automations on rows outside their authorized view scope, bypassing a documented security boundary. Any user holding BASIC-role READ access to a filtered view can supply an arbitrary `rowId` to `POST /api/tables/:sourceId/actions/:actionId/trigger` and invoke automations against rows explicitly excluded by the view's filters. Publicly available exploit code (curl PoC) is included in the GHSA advisory; this vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation has been identified at time of analysis.
Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.
Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.
Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from a CWE-288 authentication logic flaw in which the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when they arrive over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1, released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.
{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score, and vendor patches are available through the INCIBE advisory.
Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.
Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.
Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.
{option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.
Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Quick Facts
- Typical Severity: CRITICAL
- Category: auth
- Total CVEs: 9466