Authentication Bypass

Category: auth | Severity: CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Rather than cracking passwords by brute force, an attacker manipulates the authentication process itself to gain unauthorized entry. This typically happens through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
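The parameter-tampering and partial-verification flaws described above, as an added Python example that is not part of this page or of any product it lists: a vulnerable handler that trusts a client-supplied role field and a client-supplied MFA flag, beside a hardened version in which both facts live only in server-side session state. The request shape (a dict with a token and form fields), the in-memory session store, the status codes and the MFA code are all constructed for the example.

```python
"""Parameter tampering and partial multi-step verification: vulnerable vs hardened.

Constructed example. Requests are plain dicts shaped like
{"token": <session token>, "params": <form fields>}; nothing here is a real framework.
"""
from dataclasses import dataclass
import hmac
import secrets

# Server-side session store (constructed): token -> Session.
SESSIONS: dict = {}


@dataclass
class Session:
    user: str
    role: str                   # assigned by the server at login, never by the client
    mfa_verified: bool = False  # flipped only by verify_mfa_code() on the server


def login(user: str, role: str) -> str:
    """Step 1 of a multi-step login: issue a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user=user, role=role)
    return token


# --- Vulnerable pattern: authorization facts taken from the request itself ---

def is_admin_vulnerable(request: dict) -> bool:
    # Changing role=user to role=admin in the request body is enough.
    return request.get("params", {}).get("role") == "admin"


def dashboard_vulnerable(request: dict) -> int:
    # Step 2 (MFA) is "proven" by a client-controlled field, so a request that
    # never went through code verification is still accepted.
    if request.get("params", {}).get("mfa") == "done":
        return 200
    return 403


# --- Hardened pattern: every authorization fact comes from server-side state ---

def is_admin(request: dict) -> bool:
    session = SESSIONS.get(request.get("token"))
    return session is not None and session.role == "admin"


def verify_mfa_code(token: str, submitted: str, expected: str) -> bool:
    """Step 2: only the server marks the session as MFA-verified."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    # Constant-time comparison. In a real system `expected` would come from a
    # TOTP library or a stored one-time code (assumption of this example).
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        session.mfa_verified = True
        return True
    return False


def dashboard(request: dict) -> int:
    session = SESSIONS.get(request.get("token"))
    if session is None:
        return 401            # no valid session at all
    if not session.mfa_verified:
        return 403            # step 1 done, step 2 not: deny until MFA completes
    return 200


def demo() -> dict:
    """Run one tampered request through both versions and return the outcomes."""
    SESSIONS.clear()
    token = login("alice", "user")
    tampered = {"token": token, "params": {"role": "admin", "mfa": "done"}}
    results = {
        "vulnerable_admin": is_admin_vulnerable(tampered),        # True: tampering works
        "vulnerable_dashboard": dashboard_vulnerable(tampered),   # 200 without any MFA
        "hardened_admin": is_admin(tampered),                     # False: role from session
        "hardened_dashboard_before_mfa": dashboard(tampered),     # 403
    }
    verify_mfa_code(token, "482913", "482913")                    # constructed code, matches
    results["hardened_dashboard_after_mfa"] = dashboard(tampered)  # 200
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened half is that the request body contributes nothing to the authorization decision: role and MFA state are looked up by an opaque token, so there is no field for an attacker to tamper with and no way to reach the dashboard having completed only step 1.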

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
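The session-management and enforce-authentication-on-all-endpoints items above, as an added Python example that is neither this page's code nor any listed vendor's: a session store with CSPRNG tokens, server-side lookup, idle and absolute timeouts, and a deny-by-default dispatcher in which a route is reachable without a session only if it is on an explicit public allowlist. The timeout values, route names and the injectable clock parameter are assumptions made for the example.

```python
"""Server-side session management with timeouts, plus deny-by-default routing.

Constructed example: the store, timeouts, route table and the `now` parameter
(injected so expiry can be exercised without sleeping) are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60          # seconds since the last request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds since login, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions live only on the server; the client holds an opaque token."""

    def __init__(self) -> None:
        # Keyed by a hash of the token so a leaked copy of the store
        # (log, core dump, backup) does not contain usable tokens.
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG; never a counter, timestamp or user id.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: Optional[str], now: Optional[float] = None) -> Optional[Session]:
        """Return the session if the token is known and unexpired, else None."""
        if not token:
            return None
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if (now - session.created > ABSOLUTE_TIMEOUT
                or now - session.last_seen > IDLE_TIMEOUT):
            self._sessions.pop(key, None)   # expired: drop it so it cannot be revived
            return None
        session.last_seen = now
        return session

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


# Authentication is the default. A route is reachable without a session only
# if it is listed here explicitly, so a new route that nobody remembered to
# protect fails closed instead of being silently exposed.
PUBLIC_ROUTES = {"/login", "/health"}
ROUTES = {"/dashboard", "/settings", "/admin/backups"}


def dispatch(store: SessionStore, path: str, token: Optional[str],
             now: Optional[float] = None) -> int:
    """Return an HTTP-style status for a request to `path` carrying `token`."""
    if path in PUBLIC_ROUTES:
        return 200
    if store.validate(token, now) is None:
        return 401              # checked before route lookup: no route enumeration
    if path not in ROUTES:
        return 404
    return 200


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    tok = store.create("alice", now=t0)
    print(dispatch(store, "/admin/backups", tok, now=t0 + 60))                # 200
    print(dispatch(store, "/admin/backups", None, now=t0 + 60))               # 401
    print(dispatch(store, "/admin/backups", tok, now=t0 + 2 * IDLE_TIMEOUT))  # 401 (idle)
```

Two design choices carry the security weight here: expired sessions are deleted on first sight rather than merely refused, and the session check runs before the route table is consulted, so an unauthenticated caller learns nothing about which paths exist.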

Recent CVEs (7467)

CVE-2026-35610
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in PolarLearn account-management module allows authenticated non-admin users to arbitrarily reset passwords and delete user accounts due to an inverted admin permission check in versions 0-PRERELEASE-14 and earlier. The inverted logic in setCustomPassword() and deleteUser() functions grants administrative capabilities to regular users while blocking legitimate administrators. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical account takeover risk. No public exploit identified at time of analysis, though the authentication bypass nature (per tags) makes exploitation straightforward once the flaw is understood.

Authentication Bypass
NVD GitHub
CVE-2026-35574
EPSS 0% CVSS 7.3
HIGH This Week

Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. EPSS and KEV data not provided; no public exploit identified at time of analysis. Vendor patch released in version 6.5.3.

XSS Privilege Escalation Authentication Bypass
NVD GitHub
CVE-2026-22683
EPSS 0% CVSS 8.7
HIGH POC This Week

Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.

Privilege Escalation RCE Authentication Bypass
NVD GitHub
CVE-2026-22682
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-22680
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows unauthenticated remote attackers to enumerate and retrieve background task metadata created by other users, exposing task types, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability enables information disclosure with a CVSS score of 6.9 and carries particular risk in multi-tenant deployments where cross-tenant data leakage could occur. No public exploit code has been identified at the time of analysis, though the vulnerability requires only network access and no special attack complexity.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-35606
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

File Browser versions prior to 2.63.1 allow authenticated users with download permission disabled to bypass access controls and read arbitrary text file content through the resourceGetHandler endpoint in http/resource.go, which fails to validate the Perm.Download permission flag unlike three other content-serving endpoints that correctly enforce this check. This authentication bypass affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.

Authentication Bypass
NVD GitHub
CVE-2025-14944
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can trigger backup upload queue processing in Backup Migration plugin for WordPress (all versions up to 2.0.0) via the 'initializeOfflineAjax' AJAX endpoint, which lacks capability checks and relies on publicly exposed hardcoded tokens for validation. This allows remote attackers to cause unexpected backup transfers to cloud storage and resource exhaustion without authentication or user interaction. CVSS 5.3 (medium), no confirmed active exploitation reported.

WordPress Authentication Bypass Denial Of Service
NVD
CVE-2026-35604
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-35586
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Privilege escalation in pyLoad prior to 0.5.0b3.dev97 allows authenticated users with SETTINGS permission to bypass admin-only protections and modify SSL certificate and key file paths due to incorrect option name mappings in the ADMIN_ONLY_CORE_OPTIONS authorization set. The vulnerability arises from name mismatches (ssl_cert/ssl_key vs. ssl_certfile/ssl_keyfile) and complete omission of the ssl_certchain option from authorization checks, enabling any SETTINGS-privileged user to overwrite critical SSL configuration, a capability intended exclusively for administrators. CVSS 6.8 reflects high confidentiality and integrity impact with authenticated access required and high attack complexity.

Python Authentication Bypass
NVD GitHub
CVE-2026-35584
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated attackers can read arbitrary threads, enumerate thread IDs, and manipulate thread timestamps in FreeScout versions before 1.8.212 via an unvalidated IDOR vulnerability in the GET /thread/read/{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.

Authentication Bypass
NVD GitHub
CVE-2026-39384
EPSS 0% CVSS 7.6
HIGH This Week

Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter, intended to restrict agents' access to specific customers, is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.

Authentication Bypass
NVD GitHub
CVE-2026-1079
EPSS 0% CVSS 6.0
MEDIUM This Month

Remote code execution via malicious websites targeting Pega Browser Extension (PBE) allows unauthenticated attackers to trigger unexpected message boxes and cause availability impact on affected systems. All versions of Pega Browser Extension prior to 3.1.45 are vulnerable; the attack requires user interaction (navigation to a malicious website) but no special privileges. CVSS 6.0 score reflects the moderate severity with high availability impact potential. No active exploitation or public exploit code has been identified at the time of analysis.

Authentication Bypass
NVD
CVE-2026-1078
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.

Google Microsoft Authentication Bypass
NVD
CVE-2026-35491
EPSS 0% CVSS 6.1
MEDIUM This Month

Pi-hole FTL versions 6.0 through 6.5 allow authenticated local users with CLI API session privileges to bypass authorization controls and overwrite configuration settings via Teleporter archive imports. The vulnerability exists because the /api/teleporter endpoint incorrectly permits CLI-scoped sessions (intended to be read-only) to execute privileged Teleporter operations, while the /api/config endpoint correctly enforces restrictions. This authentication bypass is fixed in Pi-hole FTL 6.6.

Authentication Bypass
NVD GitHub
CVE-2026-35489
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of service. The /api/food/{id}/shopping/ endpoint accepts unvalidated amount and unit parameters, allowing attackers to cause application crashes via malformed numeric inputs (HTTP 500 errors) and leak foreign-key references across multi-tenant Space boundaries by associating unit IDs from other tenants. CVSS 7.3 reflects network-accessible, low-complexity attacks requiring no authentication. No public exploit identified at time of analysis, though exploitation is straightforward via direct API calls. EPSS data not available. Vendor-released patch: version 2.6.4.

Authentication Bypass
NVD GitHub
CVE-2026-4292
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Django admin changelist forms with ModelAdmin.list_editable enabled allow high-privileged users to create new instances via forged POST requests, bypassing intended access controls. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30; unsupported versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. The vulnerability requires admin-level privileges and results in unauthorized data modification rather than data exposure or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass Python
NVD VulDB
CVE-2026-4277
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated attackers can bypass add permissions in Django GenericInlineModelAdmin (versions 6.0 <6.0.4, 5.2 <5.2.13, 4.2 <4.2.30) by submitting forged POST data to inline model forms. Permission checks fail to validate creation rights on inline model instances, enabling unauthorized database record insertion with network access alone. CVSS 9.8 critical severity reflects complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).

Authentication Bypass Python Django
NVD VulDB
CVE-2026-3902
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.

Python Authentication Bypass
NVD VulDB
CVE-2026-5384
EPSS 0% CVSS 5.8
MEDIUM This Month

Credential scope bypass in runZero Platform allows high-privileged administrators to update credentials and apply them to tasks outside their authorized organization scope, resulting in unauthorized information disclosure. The vulnerability affects runZero Platform versions prior to 4.0.26021.0 and requires administrative privileges to exploit. No public exploit code or confirmed active exploitation has been identified.

Authentication Bypass
NVD
CVE-2026-5383
EPSS 0% CVSS 4.4
MEDIUM This Month

RunZero Explorer versions prior to 4.0.260208.0 allow high-privileged authenticated users to access Explorer groups outside their authorized organization scope, enabling unauthorized cross-organizational information disclosure and potential service disruption. The vulnerability stems from incorrect authorization controls (CWE-863) and requires administrator-level credentials and high attack complexity to exploit. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
CVE-2026-5382
EPSS 0% CVSS 3.0
LOW Monitor

Incorrect authorization in runZero Platform MCP endpoints allows authenticated high-privilege users to access records outside their authorized organization scope, exposing sensitive data across organizational boundaries. The vulnerability affects runZero Platform versions prior to 4.0.260206.0 and requires high-privilege credentials to exploit, resulting in limited confidentiality impact. No public exploit code or active exploitation has been identified.

Authentication Bypass
NVD
CVE-2026-5381
EPSS 0% CVSS 2.2
LOW Monitor

runZero Platform versions prior to 4.0.260205.0 contain an incorrect authorization flaw that allows authenticated high-privileged users to access task information outside their authorized organization scope via network-based vectors with high complexity. The vulnerability is low-severity (CVSS 2.2) and limited to confidentiality impact (information disclosure), with no public exploit identified at time of analysis.

Authentication Bypass
NVD
CVE-2026-5380
EPSS 0% CVSS 5.3
MEDIUM This Month

runZero Platform versions prior to 4.0.260204.2 expose cleartext secrets for a subset of credential types and fields to authorized users due to insufficient credential protection, allowing users with legitimate platform access to view sensitive authentication data they should not be able to access. The vulnerability requires user interaction and has a CVSS score of 5.3 (Medium) with high confidentiality impact but no active exploitation or public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVE-2026-5379
EPSS 0% CVSS 3.0
LOW Monitor

runZero Platform versions prior to 4.0.260203.0 allow authenticated high-privilege MCP agents to access certificate information outside their authorized organization scope, enabling lateral information disclosure across organizational boundaries. The vulnerability stems from improper authorization checks (CWE-863) and carries a CVSS score of 3.0 (Low) due to high attack complexity and privilege requirements; no public exploit code or active exploitation has been identified.

Authentication Bypass
NVD
CVE-2026-5378
EPSS 0% CVSS 5.8
MEDIUM This Month

runZero Platform allows high-privileged administrators to create and update users outside their authorized organization scope due to improper authorization checks, enabling privilege escalation and cross-organizational user manipulation. Versions prior to 4.0.260203.0 are affected. The vulnerability requires high-privilege authentication but can impact multiple organizations within a multi-tenant deployment, making it a significant risk for runZero deployments where administrative role separation is enforced.

Authentication Bypass
NVD
CVE-2026-5374
EPSS 0% CVSS 5.8
MEDIUM This Month

Runzero Platform versions prior to 4.0.260202.0 allow authenticated administrators with high privileges to access remediation and asset information across organizational boundaries through MCP agents, exposing sensitive data from unauthorized organization scopes. The vulnerability stems from improper authorization controls (CWE-863) and requires high-privilege account compromise to exploit, carrying a CVSS score of 5.8 (Medium). Vendor-released patch version 4.0.260202.0 resolves this issue.

Authentication Bypass
NVD
CVE-2026-33866
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

MLflow through version 3.10.1 allows authenticated users to bypass authorization controls and download model artifacts from experiments they lack permission to access via an unprotected AJAX endpoint. The vulnerability requires valid MLflow authentication but no special privileges, enabling lateral access to restricted experiment data. Patch availability confirmed via upstream pull request; CISA SSVC assessment indicates partial technical impact with automatable exploitation path but no confirmed active exploitation.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-22679
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated remote code execution in Weaver E-cology 10.0 (pre-20260312) allows attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Attackers exploit this by sending crafted POST requests with malicious interfaceName and methodName parameters to invoke command-execution helpers. Confirmed actively exploited (CISA KEV) with exploitation first observed by Shadowserver Foundation on March 31, 2026. Publicly available exploit code exists (h4cker.zip PoC), CVSS 9.8 (Critical), EPSS data not provided but real-world exploitation confirmed.

RCE Authentication Bypass E Cology
NVD VulDB
CVE-2026-28808
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authorization bypass in Erlang OTP's inets HTTP server allows unauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. With CVSS 8.3 (AV:N/AC:L/PR:N), the attack requires no authentication and low complexity but depends on specific ScriptAlias configurations (AT:P). SSVC assessment confirms the vulnerability is automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC indicates exploitation status 'none'. Vendor-released patches available for affected OTP versions 17.0 through 28.4.1.

Authentication Bypass Path Traversal Otp
NVD GitHub VulDB
CVE-2026-32144
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responder certificate signatures, allowing network attackers to forge OCSP responses with self-signed certificates bearing matching issuer names and OCSPSigning extended key usage. This bypasses certificate revocation checks in SSL/TLS clients using OCSP stapling, enabling man-in-the-middle attackers to present revoked certificates as valid and intercept sensitive communications. Vendor-released patches are available (OTP 28.4.2, 27.3.4.10). CISA SSVC analysis indicates no current exploitation and non-automatable attack requirements, but technical impact is rated total due to potential cryptographic security control bypass. No public exploit identified at time of analysis.

Authentication Bypass Tls Otp
NVD GitHub VulDB
CVE-2026-34903
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in OceanWP Ocean Extra plugin versions through 2.5.3 allows authenticated users to bypass access control restrictions and perform unauthorized modifications or denial-of-service actions. An attacker with valid user credentials can exploit incorrectly configured access control checks to escalate privileges beyond their intended permission level. No public exploit code has been identified at time of analysis, but the vulnerability has been documented by Patchstack security researchers.

WordPress PHP Authentication Bypass +1
NVD VulDB
CVE-2026-34899
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Eniture Technology LTL Freight Quotes - Worldwide Express Edition plugin (versions through 5.2.1) allows unauthenticated remote attackers to modify data through incorrectly configured access control, affecting WordPress installations. The vulnerability has a CVSS score of 5.3 with no public exploit code confirmed, and affects WordPress plugin deployments where access control security levels are improperly enforced.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-3177
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can forge Stripe webhook events in the Charitable donation plugin for WordPress up to version 1.8.9.7, allowing them to mark pending donations as completed without processing actual payments. The plugin fails to cryptographically verify incoming webhook payloads, enabling attackers to manipulate donation records and bypass payment validation. This impacts all WordPress sites using affected versions and could result in financial loss for fundraising organizations.

WordPress PHP Authentication Bypass +1
NVD VulDB
CVE-2026-1900
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated attackers can modify plugin settings via a publicly accessible REST endpoint in Link Whisper Free WordPress plugin before version 0.9.1, enabling information disclosure and unauthorized configuration changes. The vulnerability has publicly available exploit code and affects all versions prior to 0.9.1. Although the CVSS score is 6.5 (medium), the EPSS score of 0.02% indicates very low real-world exploitation probability despite public POC availability.

WordPress PHP Authentication Bypass +1
NVD WPScan
CVE-2025-56015
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated remote information disclosure in GenieACS 1.2.13 NBI API allows network-based attackers to read sensitive configuration data without authentication. The CVSS vector confirms zero authentication requirements (PR:N), enabling attackers to directly access the NBI API endpoint and exfiltrate high-confidentiality information. Publicly available exploit code exists. Attack complexity is low with no user interaction required. EPSS indicates low observed exploitation activity.

Authentication Bypass
NVD GitHub
CVE-2026-31272
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated super administrator account creation in MRCMS 3.1.2 allows remote attackers to bypass all access controls and add privileged accounts directly via UserController.save() method. The vulnerability exposes full system compromise through network-accessible endpoints requiring no prior authentication. CVSS 9.8 critical severity reflects unrestricted administrative takeover. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).

Authentication Bypass Java N A
NVD GitHub VulDB
CVE-2026-31271
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated account creation bypass in megagao production_ssm v1.0 allows remote attackers to create super administrator accounts via direct API access to /user/insert endpoint. The UserController.java insert() method processes account creation requests without authentication enforcement (CVSS vector PR:N confirms unauthenticated access). Successful exploitation grants full administrative control, enabling attackers to compromise confidentiality, integrity, and availability of the entire application. No public exploit identified at time of analysis.

Authentication Bypass Java N A
NVD GitHub VulDB
CVE-2026-30079
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in OpenAirInterface V2.2.0 Access Management Function (AMF) allows unauthenticated remote attackers to register unauthorized User Equipment (UE) devices on 5G core networks. Exploiting incorrect state machine transitions during UE registration, attackers send SecurityModeComplete messages after InitialUERegistration to trigger registration acceptance without completing proper authentication procedures. This grants full network access to malicious devices, enabling unauthorized subscriber services consumption, interception of traffic, and potential lateral movement within 5G infrastructure. No public exploit identified at time of analysis.

Authentication Bypass N A
NVD
CVE-2026-34972
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.

Google Authentication Bypass
NVD GitHub
CVE-2026-35391
EPSS 0% CVSS 8.7
HIGH This Week

IP address spoofing in Bulwark Webmail versions prior to 1.4.11 allows unauthenticated remote attackers to bypass IP-based rate limiting and forge audit log entries by manipulating the X-Forwarded-For HTTP header. The vulnerability enables brute-force attacks against admin login interfaces and allows malicious actors to mask their true origin in security logs. CVSS 8.7 reflects high integrity impact (VI:H) with network-accessible attack vector requiring no privileges (AV:N, PR:N). No public exploit identified at time of analysis, though exploitation is straightforward given the trust-boundary violation in HTTP header processing.

Authentication Bypass
NVD GitHub
CVE-2026-35185
EPSS 0% CVSS 8.7
HIGH This Week

Information disclosure in HAX CMS versions prior to 25.0.0 exposes authentication tokens and user activity via unauthenticated access to the /server-status endpoint. Remote attackers can retrieve active user tokens, monitor real-time interactions, harvest client IP addresses, and map internal infrastructure without authentication (CVSS:4.0 AV:N/AC:L/PR:N). EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Publicly available exploit code exists per GitHub security advisory.

PHP Authentication Bypass
NVD GitHub
CVE-2026-35183
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. CVSS 7.1 reflects high integrity impact with low availability impact. No public exploit identified at time of analysis, and EPSS data not available for this recent vulnerability.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-35182
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Brave CMS 2.0.x before 2.0.6 allows authenticated users with low-privilege accounts to promote themselves to Super Admin by directly calling the unprotected role update endpoint. The vulnerability stems from a missing authorization middleware check on the /rights/update-role/{id} route, enabling complete takeover of the CMS by any user with valid credentials. No public exploit identified at time of analysis, but exploitation is trivial given the straightforward API endpoint access. With EPSS data unavailable and no KEV listing, risk primarily affects organizations using affected Brave CMS versions in multi-user environments.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-35173
EPSS 0% CVSS 6.5
MEDIUM This Month

Chyrp Lite prior to version 2026.01 allows authenticated users with post editing permissions to modify posts owned by other users through an insecure direct object reference (IDOR) and mass assignment vulnerability in the Post model. Attackers can inject internal class properties such as post IDs into the post_attributes payload to alter which post is being edited, effectively enabling unauthorized post takeover. The vulnerability requires valid authentication and existing post editing permissions but no user interaction, posing a medium-to-high integrity risk to multi-user blogging instances.

Authentication Bypass
NVD GitHub
CVE-2026-5676
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Authentication bypass in Totolink A8000R 5.9c.681_B20180413 allows remote attackers to manipulate the langType parameter in the setLanguageCfg function at /cgi-bin/cstecgi.cgi to bypass authentication controls without credentials. This unauthenticated remote vulnerability has publicly available exploit code and poses a confirmed risk to exposed router management interfaces.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-35523
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in Strawberry GraphQL WebSocket subscriptions (versions <0.312.3) allows unauthenticated remote attackers to access protected GraphQL subscription endpoints by exploiting the legacy graphql-ws subprotocol handler. Attackers can skip the on_ws_connect authentication hook by connecting with graphql-ws and sending subscription start messages without completing the connection_init handshake. No public exploit identified at time of analysis, though exploitation is straightforward given the protocol-level nature of the bypass. CVSS 7.5 reflects network-accessible unauthenticated attack with high confidentiality impact.

Authentication Bypass
NVD GitHub
CVE-2026-35490
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in changedetection.io allows unauthenticated remote attackers to access backup management endpoints due to incorrect Flask decorator ordering. Attackers can trigger backup creation, list all backups, download backup archives containing application secrets, webhook URLs with embedded tokens, monitored URLs, Flask secret keys, and password hashes, or delete all backups without authentication. The vulnerability affects 13 routes across 5 blueprint files where @login_optionally_required is placed before @blueprint.route() instead of after it, causing Flask to register the undecorated function and silently disable authentication. Publicly available exploit code exists (POC demonstrated complete data exfiltration), though no confirmed active exploitation (CISA KEV). EPSS data not provided, but CVSS 9.8 (network-exploitable, no authentication required, high confidentiality/integrity/availability impact) indicates critical severity.

Python Information Disclosure SSRF +1
NVD GitHub
CVE-2026-35172
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Repository-scoped authorization bypass in distribution container registry allows restored read access to explicitly deleted blobs when Redis caching is enabled. Affects distribution/distribution v2.8.x and v3.0.x when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are configured. Unauthenticated remote attackers can retrieve sensitive content deleted from repo A after repo B repopulates the shared Redis descriptor cache, exposing confidential data that operators believed was permanently revoked. CVSS 7.5 (High). Publicly available exploit code exists with deterministic PoC demonstrating the state-machine race condition. EPSS data not provided, but the low attack complexity (AC:L) and no privilege requirement (PR:N) indicate straightforward exploitation once the vulnerable configuration is identified.

Redis Canonical Authentication Bypass
NVD GitHub
CVE-2026-35045
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization in the batch update API endpoint. Any authenticated user within a shared Space can modify recipes marked private by other users, force-share private recipes, and tamper with metadata by exploiting the PUT /api/recipe/batch_update/ endpoint which bypasses authorization checks enforced on single-recipe endpoints. Affects all versions prior to 2.6.4. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication with no user interaction. No public exploit identified at time of analysis, though exploitation is straightforward for authenticated attackers.

Authentication Bypass
NVD GitHub
CVE-2026-5670
EPSS 0% CVSS 5.3
MEDIUM This Month

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVE-2026-34444
EPSS 0% CVSS 7.9
HIGH This Week

Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).

RCE Authentication Bypass
NVD GitHub
CVE-2026-3524
EPSS 0% CVSS 8.8
HIGH This Week

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal hold data without proper permission validation. After failed authorization checks, the plugin continues processing requests instead of terminating them, enabling low-privileged authenticated users to access, create, download, and delete sensitive legal hold data through direct API calls. This represents a critical failure in access control enforcement for compliance-critical data. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVE-2026-5642
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Improper authorization in Cyber-III Student-Management-System allows unauthenticated remote attackers to bypass authentication controls via crafted HTTP POST requests to /viva/update.php. The vulnerability (CWE-285) enables unauthorized modification of student records by manipulating the 'Name' parameter. Publicly available exploit code exists (GitHub issue #236), and the project maintainer has not responded to responsible disclosure attempts. EPSS data not provided, but CVSS 7.3 with PR:N indicates significant risk for internet-facing deployments.

Authentication Bypass PHP
NVD VulDB GitHub
CVE-2026-31409
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request. When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This is fixed by clearing conn->binding = false in the error path.

Linux Linux Kernel Authentication Bypass
NVD VulDB
CVE-2026-5632
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Missing authentication in gpt-researcher HTTP REST API (versions ≤3.4.3) allows remote attackers to bypass access controls and interact with the API without credentials. Publicly available exploit code exists (GitHub issue #1695), enabling unauthorized information disclosure, data manipulation, and service disruption. CVSS 7.3 with network attack vector, low complexity, and no privileges required indicates significant exploitability. Vendor has not responded to early disclosure (VulDB submission 785874), leaving users without official patch guidance.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5616
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Missing authentication in JeecgBoot 3.9.0 and 3.9.1 allows unauthenticated remote attackers to access the AI Chat Module functionality without credential verification. The vulnerability resides in JeecgBizToolsProvider.java within the jeecg-module-system component. Vendor-released patches are available via GitHub commits (b7c9aeba and 2c1cc88b) pending inclusion in the next official release. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) with no authentication required (PR:N) indicate trivial exploitation potential.

Authentication Bypass Java
NVD VulDB GitHub
CVE-2026-31151
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Kaleris Yard Management System (YMS) v7.2.2.1 enables unauthenticated remote attackers to completely circumvent login verification and gain unauthorized access to application resources with full confidentiality, integrity, and availability impact. The vulnerability has a 9.8 CVSS score with network-based attack vector requiring no privileges or user interaction. Currently tracked at 2% EPSS (5th percentile) with no confirmed active exploitation (not in CISA KEV), though a public proof-of-concept repository exists on GitHub, significantly elevating exploitation risk for this critical authentication flaw.

Authentication Bypass
NVD GitHub
CVE-2026-31150
EPSS 0% CVSS 4.3
MEDIUM This Month

Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated users with the shipping/receiving role to access truck dashboard resources beyond their assigned permissions, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects a specific version of the Kaleris Yard Management System (YMS). Public exploit code is available, and CISA has identified this as exploitable through their SSVC framework, though technical impact is limited to confidentiality breach without integrity or availability consequences.

Authentication Bypass
NVD GitHub
CVE-2026-4272
EPSS 0% CVSS 8.1
HIGH This Week

Remote unauthenticated command execution in Honeywell Handheld Scanner base stations (C1/D1/A1/B1 models) allows attackers within Bluetooth range to execute system commands on connected host systems without authentication. Affects C1 Base (Ingenic x1000) before GK000432BAA, D1 Base (Ingenic x1600) before HE000085BAA, and A1/B1 Base (IMX25) before BK000763BAA/BK000765BAA/CU000101BAA. CVSS 8.1 (High) reflects high confidentiality and integrity impact with network attack vector requiring user interaction. No public exploit identified at time of analysis, though the missing authentication (CWE-306) combined with proximity-based Bluetooth attack vector creates significant risk for environments using these industrial scanning devices.

Honeywell Authentication Bypass
NVD
CVE-2026-5574
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Remote unauthenticated attackers can bypass authorization checks in the FsBrowseClean component's deletefile function of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 by manipulating the dir/path argument, enabling unauthorized file deletion. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications. CVSS 6.9 reflects moderate integrity impact with network-accessible attack surface and low attack complexity.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5570
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Improper authentication in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 allows unauthenticated remote attackers to bypass authentication controls via the index_config function in the /LoginCB endpoint. Publicly available exploit code exists. With EPSS data unavailable and no CISA KEV listing, exploitation likelihood remains moderate, though the low attack complexity (CVSS AC:L) and network-accessible attack vector increase accessibility for opportunistic attacks against exposed industrial LED display controllers.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5569
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Improper access controls in Technostrobe HI-LED-WR120-G2 firmware 5.5.0.1R6.03.30 enable unauthenticated remote attackers to bypass authentication mechanisms via the /Technostrobe/ endpoint, exposing multiple endpoints with low-level confidentiality, integrity, and availability impact. Publicly available exploit code exists demonstrating the authentication bypass (CVSS 7.3, EPSS data not provided). Vendor did not respond to coordinated disclosure attempts, leaving users at elevated risk without official remediation guidance.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5557
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Authentication bypass in badlogic pi-mono up to version 0.58.4 allows authenticated attackers to escalate privileges or access unauthorized Slack channels via the pi-mom Slack Bot component. The vulnerability stems from improper authentication validation in the Slack channel routing logic and can be exploited remotely by users with existing access to the system. Public exploit code is available, and the vendor has not responded to disclosure attempts, making this an active security concern for deployed instances.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5529
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Improper authorization in Dromara lamp-cloud up to version 5.8.1 allows authenticated remote attackers to bypass access controls in the DefUserController pageUser endpoint, gaining unauthorized read access to sensitive user information. The CVSS score of 4.3 reflects low confidentiality impact with network accessibility and low attack complexity; however, public exploit code availability and vendor non-responsiveness increase real-world risk despite the modest base score.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-5526
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access controls in Tenda 4G03 Pro firmware (versions up to 04.03.01.53) enable unauthenticated remote attackers to bypass authentication mechanisms via the /bin/httpd binary, potentially achieving unauthorized administrative access to the router. This vulnerability has publicly available exploit code and affects consumer-grade 4G routers commonly used for home and small office networks. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and public exploit elevates real-world risk.

Tenda Authentication Bypass
NVD VulDB
CVE-2026-1233
EPSS 0% CVSS 7.5
HIGH This Week

Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. EPSS data not provided, but the unauthenticated network vector (CVSS:3.1/AV:N/AC:L/PR:N) and public disclosure via Wordfence indicate elevated risk despite no confirmed active exploitation (CISA KEV) or publicly available exploit code identified at time of analysis.

WordPress Information Disclosure Authentication Bypass
NVD
CVE-2026-3445
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated attackers with subscriber-level access can obtain paid lifetime membership plans in the ProfilePress WordPress plugin (≤4.16.11) without payment by exploiting a missing ownership verification flaw. The vulnerability allows hijacking of another user's active subscription during checkout to manipulate proration calculations. With a 7.1 CVSS score, low attack complexity, and requiring only low-privilege authentication, this presents a significant revenue loss risk for sites using ProfilePress for paid memberships. No public exploit identified at time of analysis; EPSS data not available. Vendor patch released in version 4.16.12.

WordPress Authentication Bypass
NVD VulDB
CVE-2026-2826
EPSS 0% CVSS 4.3
MEDIUM This Month

Kadence Blocks Page Builder Toolkit for Gutenberg Editor plugin for WordPress allows authenticated contributors to bypass authorization checks and upload arbitrary images to the Media Library via the process_pattern REST API endpoint. An attacker with contributor-level access or higher can supply remote image URLs that the server downloads and converts into media attachments, exploiting missing capability verification for the upload_files action. No public exploit code or active exploitation has been reported at time of analysis.

WordPress Authentication Bypass
NVD VulDB
CVE-2026-4896
EPSS 0% CVSS 8.1
HIGH POC This Week

Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.

WordPress Authentication Bypass
NVD GitHub VulDB
CVE-2026-35209
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No active exploitation confirmed (not in CISA KEV), but public proof-of-concept exists in the GitHub advisory demonstrating admin privilege escalation.

Prototype Pollution Authentication Bypass
NVD GitHub
CVE-2026-35450
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. CVSS 5.3, no public exploit code identified, no active exploitation confirmed.

PHP Authentication Bypass
NVD GitHub
CVE-2026-35448
EPSS 0% CVSS 3.7
LOW Monitor

Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.

PHP Authentication Bypass
NVD GitHub
CVE-2026-35412
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Privilege Escalation Authentication Bypass File Upload
NVD GitHub
CVE-2026-35408
EPSS 0% CVSS 8.7
HIGH PATCH This Week

OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis; EPSS data unavailable. Attack complexity rated HIGH due to the requirement for victim interaction with an attacker-controlled origin during the authentication flow.

Authentication Bypass Google
NVD GitHub
CVE-2026-3571
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated attackers can modify registration form status in Pie Register plugin for WordPress versions up to 3.8.4.8 due to a missing capability check in the pie_main() function. The vulnerability allows unauthorized changes to critical registration settings without authentication, impacting the integrity of user registration workflows. CVSS 6.5 reflects moderate severity with both confidentiality and availability impact; no public exploit code or active exploitation has been confirmed at this time.

WordPress Authentication Bypass
NVD
CVE-2026-35616
EPSS 0% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV).

Fortinet Authentication Bypass
NVD VulDB GitHub
CVE-2026-35179
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated proxy access in AVideo's SocialMediaPublisher plugin allows any user to make arbitrary Facebook/Instagram Graph API calls through the `publishInstagram.json.php` endpoint without authentication or authorization checks. By sending crafted requests with stolen or leaked access tokens, attackers can publish, modify, or delete content on the platform's Instagram account and potentially bypass rate limits using the server's IP address. CVSS 5.3 (medium integrity impact); no active exploitation confirmed but proof-of-concept is publicly available.

PHP Authentication Bypass
NVD GitHub
CVE-2026-35042
EPSS 0% CVSS 7.5
HIGH This Week

JWT token validation bypass in fast-jwt npm library (all versions through 3.3.3) allows unauthenticated remote attackers to forge tokens with critical header parameters, achieving authentication bypass and security policy circumvention. The library violates RFC 7515 by accepting JWS tokens containing unrecognized 'crit' extensions that MUST be rejected per specification. No public exploit identified at time of analysis, though proof-of-concept code demonstrates trivial exploitation. CVSS 7.5 (High) reflects network-accessible integrity impact with no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Vendor advisory published via GitHub Security Advisory GHSA-hm7r-c7qw-ghp6.

Authentication Bypass
NVD GitHub
CVE-2026-35030
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authentication bypass in LiteLLM's JWT/OIDC implementation allows unauthenticated attackers to impersonate legitimate users via cache key collision. When JWT authentication is enabled (non-default configuration), the userinfo cache uses only the first 20 characters of the token as a key. Because JWT headers from the same signing algorithm produce identical prefixes, attackers can forge tokens that collide with cached legitimate sessions, inheriting victim identities and permissions. Fixed in v1.83.0. No public exploit identified at time of analysis, but the vulnerability is straightforward to exploit in affected configurations.

Authentication Bypass
NVD GitHub
CVE-2026-35029
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.

RCE Authentication Bypass Python
NVD GitHub
CVE-2026-33175
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in JupyterHub OAuthenticator <17.4.0 allows authenticated attackers with unverified email addresses on Auth0 tenants to log in with arbitrary usernames, enabling account takeover when email is configured as the username claim. The vulnerability requires low-complexity exploitation over the network with low privileges (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vendor has released a security advisory with technical details. EPSS data not available, but the authentication bypass nature and account takeover potential make this a priority for organizations using JupyterHub with Auth0 OAuth integration.

Authentication Bypass
NVD GitHub
CVE-2026-27833
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in Piwigo photo gallery software (versions prior to 16.3.0) allows remote attackers to retrieve the complete browsing history of all gallery visitors through the exposed pwg.history.search API endpoint. The API method lacks mandatory admin-only access controls (CWE-862), enabling trivial privacy violation with CVSS 7.5 severity. EPSS exploitation probability and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only basic HTTP requests given the zero-authentication requirement (CVSS vector PR:N).

Authentication Bypass
NVD GitHub
CVE-2026-27456
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Unauthorized read access to root-owned files via TOCTOU race condition in util-linux mount binary (versions prior to 2.41.4) allows local users with existing fstab entries to replace loop device source files with symlinks pointing to sensitive files or block devices, bypassing intended access controls. The vulnerability requires moderate exploitation effort (AC:H) and authenticated user access (PR:L) but grants disclosure of confidential data including filesystem backups and disk volumes. No public exploit code or active CISA KEV status identified at time of analysis.

Authentication Bypass Redhat Suse
NVD GitHub
CVE-2026-34980
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated remote code execution in OpenPrinting CUPS 2.4.16 and earlier allows attackers to send print jobs to shared PostScript queues without authentication, exploit a newline injection vulnerability in page-border parameter handling, and execute arbitrary binaries as the lp user by chaining a follow-up raw print job. CISA KEV status and active exploitation confirmation not provided; no publicly available patches identified at publication.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-34990
EPSS 0% CVSS 5.0
MEDIUM This Month

Local privilege escalation in OpenPrinting CUPS 2.4.16 and prior allows unprivileged users to bypass authentication and create arbitrary file overwrites as root by coercing cupsd into issuing reusable Authorization tokens and leveraging printer-sharing policies to persist file:// URIs that bypass FileDevice restrictions. A proof-of-concept demonstrates root command execution via sudoers file modification, and the vulnerability is confirmed by the presence of public exploit code.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-27447
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

CUPS daemon (cupsd) versions 2.4.16 and earlier authenticate users via case-insensitive username comparison, allowing an authenticated high-privileged user to bypass authorization controls by submitting requests under a username that differs only in case from an authorized user, gaining access to restricted printing operations. No public exploit code has been identified, and patches were not available at the time of initial disclosure, though an upstream commit indicates a fix may have been prepared.

Authentication Bypass Redhat Suse
NVD GitHub VulDB
CVE-2026-22663
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated remote attackers. Missing isPrivate validation checks across multiple API endpoints and metadata generation functions allow unauthorized retrieval of version history, change requests, examples, content, and HTML meta tag information for prompts marked private. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-accessible, low-complexity attack requiring no privileges. Vendor-released patch available via GitHub commit 7b81836b21.

Authentication Bypass Information Disclosure
NVD GitHub VulDB
CVE-2025-10681
EPSS 0% CVSS 8.8
HIGH This Week

Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-25197
EPSS 0% CVSS 9.3
CRITICAL Act Now

Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-28766
EPSS 0% CVSS 9.2
CRITICAL Act Now

Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.

Authentication Bypass
NVD GitHub VulDB

Quick Facts

Typical Severity: CRITICAL
Category: auth
Total CVEs: 7467
