CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 16/128 • 15319 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15319 CVEs for this tag (all time). In the last 365 days, 3827 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-02-06
High

CVE-2026-1499

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on t…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-10753

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and aut…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-02-05
High

CVE-2026-24302

Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.

CVSS: 8.6 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-0391

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2020-37150

Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wire…

CVSS: 7.5 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
High

CVE-2025-68721

Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gai…

CVSS: 8.1 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-1927

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2026-23572

Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with “Allow after confi…

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2026-1966

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, poten…

CVSS: 2.4 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2025-13416

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() fun…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-15080

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device da…

CVSS: 8.8 CWE: CWE-1284 - Improper Validation of Specified Quantity in Input View on NVD
2026-02-04
High

CVE-2026-25537

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or…

CVSS: 7.5 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
Medium

CVE-2026-0948

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 b…

CVSS: 6.5 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2025-13375

IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system.

CVSS: 9.8 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Critical

CVE-2026-25139

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-…

CVSS: 9.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2026-25055

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating…

CVSS: 8.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-70545

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) componen…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-24735

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly expose…

CVSS: 7.5 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
Medium

CVE-2026-0679

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and includin…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-02-03
Critical

CVE-2026-1632

MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings,…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2026-25509

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementat…

CVSS: 5.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
Critical

CVE-2026-25150

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The functi…

CVSS: 9.3 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
Critical

CVE-2020-37094

EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization a…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2020-37091

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms…

CVSS: 5.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2020-37086

Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can explo…

CVSS: 6.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2020-37082

webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated back…

CVSS: 9.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Medium

CVE-2026-1801

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where li…

CVSS: 5.3 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
Critical

CVE-2025-10878

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing una…

CVSS: 10.0 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially veri…

CVSS: 7.5 CWE: CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG) View on NVD
High

CVE-2025-62501

SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. T…

CVSS: 8.1 CWE: CWE-322 - Key Exchange without Entity Authentication View on NVD
Low

CVE-2025-52633

HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized acc…

CVSS: 3.1 CWE: CWE-539 - Use of Persistent Cookies Containing Sensitive Information View on NVD
Low

CVE-2025-52623

HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of s…

CVSS: 3.7 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Critical

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The expose…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2025-70758

chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.…

CVSS: 7.5 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
Critical

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to for…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2020-37115

GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive inf…

CVSS: 6.5 CWE: CWE-256 - Plaintext Storage of a Password View on NVD
Critical

CVE-2026-1568

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to Insig…

CVSS: 9.6 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2026-24991

Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue a…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Low

CVE-2025-11598

In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopen…

CVSS: 1.0 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-67856

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This c…

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-67848

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI a…

CVSS: 8.1 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2026-02-02
Critical

CVE-2026-25137

The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-69207

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state…

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-5386

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's ac…

CVSS: 8.8 CWE: CWE-1125 - Excessive Attack Surface View on NVD
High

CVE-2026-1117

A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event…

CVSS: 8.2 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2026-25201

An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2026-25200

A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Low

CVE-2026-1743

A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The mani…

CVSS: 3.1 CWE: CWE-287 - Improper Authentication View on NVD
2026-02-01
Medium

CVE-2022-50950

Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensit…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-01-31
Medium

CVE-2026-1431

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and i…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-15525

The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in al…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-15510

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-01-30
Critical

CVE-2020-37056

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP v…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2020-37041

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-36365

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated use…

CVSS: 6.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-4027

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. T…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-1498

An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed…

CVSS: 7.0 CWE: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') View on NVD
2026-01-29
Critical

CVE-2026-1453

A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can gran…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-37008

EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak in…

CVSS: 7.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2020-36999

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by…

CVSS: 8.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2025-7013

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers.This issue affects Menu Panel: through 29012026.…

CVSS: 5.7 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2026-01-28
High

CVE-2026-24835

Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to comple…

CVSS: 7.1 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2026-24768

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of t…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2025-13986

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.

CVSS: 4.2 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2025-13980

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 bef…

CVSS: 5.3 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2023-37525

A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, lea…

CVSS: 5.3 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
High

CVE-2026-0750

Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: f…

CVSS: 7.5 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
High

CVE-2025-57793

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed a…

CVSS: 8.6 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2025-57792

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that…

CVSS: 10.0 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2020-36963

Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a spec…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-36945

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inj…

CVSS: 8.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2025-14386

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2025-40554

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

CVSS: 9.8 CWE: CWE-1390 - Weak Authentication View on NVD
Critical

CVE-2025-40553

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2025-40552

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected…

CVSS: 9.8 CWE: CWE-1390 - Weak Authentication View on NVD
Critical

CVE-2025-40551

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2025-40536

SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functio…

CVSS: 8.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2026-1310

The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_e…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2026-0832

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to,…

CVSS: 7.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-0825

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions u…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-01-27
High

CVE-2026-24748

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed…

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2025-21589

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allows a network-based attacker to bypass authentication and take administrative…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2026-24858

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2026-1315

By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenti…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-0919

The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-0918

The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation trigge…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Critical

CVE-2026-1470

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evalua…

CVSS: 9.9 CWE: CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') View on NVD
Medium

CVE-2025-12386

Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to…

CVSS: 6.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2026-24477

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the v…

CVSS: 7.5 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
2026-01-26
High

CVE-2025-14459

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access…

CVSS: 8.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2026-24437

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store cre…

CVSS: 5.5 CWE: CWE-525 - Use of Web Browser Cache Containing Sensitive Information View on NVD
High

CVE-2026-21509

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

CVSS: 7.8 CWE: CWE-807 - Reliance on Untrusted Inputs in a Security Decision View on NVD
Medium

CVE-2025-57785

A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.

CVSS: 6.5 CWE: CWE-415 - Double Free View on NVD
Medium

CVE-2025-57783

Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawath…

CVSS: 5.3 CWE: N/A View on NVD
Low

CVE-2026-24656

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes p…

CVSS: 3.7 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2026-01-24
Medium

CVE-2025-14941

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on m…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-24420

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissi…

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-24139

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete applic…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
2026-01-23
Critical

CVE-2025-70457

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file co…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2022-25369

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2026-24634

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affec…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2026-24631

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rosebud: fro…

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2026-24599

Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2025-4320

Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass…

CVSS: 10.0 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
Medium

CVE-2026-22274

Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthent…

CVSS: 6.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2026-22271

Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2026-0790

ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8…

CVSS: 7.5 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
2026-01-22
Critical

CVE-2026-24307

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVSS: 9.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Critical

CVE-2026-24306

Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RB…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2026-21524

Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network.

CVSS: 7.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2026-21521

Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.

CVSS: 7.4 CWE: CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences View on NVD
High

CVE-2026-21520

Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2026-21264

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.

CVSS: 9.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-21227

Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.

CVSS: 8.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-67652

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust…

CVSS: 6.1 CWE: CWE-261 - Weak Encoding for Password View on NVD
High

CVE-2025-55705

This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or…

CVSS: 7.3 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Critical

CVE-2025-54816

This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this…

CVSS: 9.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-53968

This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication req…

CVSS: 7.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Critical

CVE-2026-24058

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including…

CVSS: 9.8 CWE: CWE-289 - Authentication Bypass by Alternate Name View on NVD