CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 4/128 • 15317 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15317 CVEs for this tag (all time). In the last 365 days, 3826 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-12
Critical

CVE-2026-44343

WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthorized parties to access the host file sys…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2026-44196

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and…

CVSS: 9.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2026-42899

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

CVSS: 7.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
High

CVE-2026-42893

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.

CVSS: 7.4 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2026-42891

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

CVSS: 6.5 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2026-42838

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw…

CVSS: 5.4 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2026-42832

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

CVSS: 7.7 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2026-42831

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Critical

CVE-2026-42300

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw strin…

CVSS: 9.3 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2026-41614

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

CVSS: 6.2 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2026-41613

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2026-41612

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.

CVSS: 5.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2026-41611

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2026-41610

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

CVSS: 6.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2026-41109

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature ove…

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2026-41107

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

CVSS: 7.4 CWE: CWE-73 - External Control of File Name or Path View on NVD
Critical

CVE-2026-41103

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.

CVSS: 9.1 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Critical

CVE-2026-41096

Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.

CVSS: 9.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2026-41094

Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2026-41089

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Medium

CVE-2026-40421

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

CVSS: 4.3 CWE: CWE-73 - External Control of File Name or Path View on NVD
Medium

CVE-2026-40416

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2026-40415

Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.

CVSS: 8.1 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-40406

Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.

CVSS: 7.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-40405

Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over a network.

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Critical

CVE-2026-40402

Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.

CVSS: 9.3 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2026-40379

Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.

CVSS: 9.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2026-40367

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2026-40366

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-40364

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2026-40363

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2026-40362

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2026-40361

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-40360

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

CVSS: 7.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2026-40359

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2026-40358

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

CVSS: 8.4 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2026-35440

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

CVSS: 5.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
High

CVE-2026-35433

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2026-35429

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

CVSS: 4.3 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2026-35424

Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.

CVSS: 7.5 CWE: CWE-401 - Missing Release of Memory after Effective Lifetime View on NVD
Medium

CVE-2026-35423

Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network.

CVSS: 5.4 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2026-35422

Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.

CVSS: 6.5 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2026-35421

Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2026-34350

Null pointer dereference in Windows Storport Miniport Driver allows an unauthorized attacker to deny service over a network.

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2026-34329

Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over an adjacent network.

CVSS: 8.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2026-33833

Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

CVSS: 8.2 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2026-32185

Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.

CVSS: 5.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
High

CVE-2026-32177

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2026-32161

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent net…

CVSS: 7.5 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2026-31243

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacke…

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2026-31242

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE r…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2026-29204

Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized ac…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2026-26083

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, Fort…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2026-20887

Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user co…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-35990

Improper input validation for some Intel Endpoint Management Assistant (EMA) software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged softwar…

CVSS: 8.7 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2026-43512

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr…

CVSS: 9.8 CWE: CWE-592 View on NVD
Critical

CVE-2026-30805

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800

CVSS: 9.1 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
High

CVE-2026-6865

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly han…

CVSS: 7.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2026-4827

CWE‑331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.

CVSS: 8.7 CWE: CWE-331 - Insufficient Entropy View on NVD
High

CVE-2026-6001

Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers. This issue affects BAPSİS: before v.202604152042.

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2026-5029

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unau…

CVSS: 8.7 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2026-33893

A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All…

CVSS: 7.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2026-27662

Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain…

CVSS: 7.7 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
High

CVE-2025-40946

A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All version…

CVSS: 8.3 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Medium

CVE-2024-54017

A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V11.0), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 6…

CVSS: 5.3 CWE: CWE-334 - Small Space of Random Values View on NVD
Medium

CVE-2026-7050

The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perf…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-4663

The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-7255

** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could a…

CVSS: 6.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2026-40137

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially e…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-40133

Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact o…

CVSS: 6.3 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2026-34263

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to hi…

CVSS: 9.6 CWE: CWE-459 - Incomplete Cleanup View on NVD
Critical

CVE-2026-34260

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The applica…

CVSS: 9.6 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2026-34258

SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicki…

CVSS: 4.7 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
Medium

CVE-2026-27682

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that…

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-05-11
High

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as grou…

CVSS: 8.7 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2026-43885

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints…

CVSS: 7.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2026-43880

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter…

CVSS: 5.3 CWE: CWE-940 - Improper Verification of Source of a Communication Channel View on NVD
High

CVE-2026-43874

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the pay…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2026-8321

A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware. P…

CVSS: 7.3 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2026-42882

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware a…

CVSS: 9.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2026-42869

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value i…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2026-45223

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin…

CVSS: 8.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2026-45222

Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, al…

CVSS: 6.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2026-42864

FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = […

CVSS: 9.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2026-44994

OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Att…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-44991

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are co…

CVSS: 4.2 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2026-44413

In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2026-44226

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<p…

CVSS: 5.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Critical

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker c…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2026-36962

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution…

CVSS: 7.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2026-33359

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforce…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2026-42613

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without…

CVSS: 9.4 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2026-42608

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POS…

CVSS: 9.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-9973

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations.…

CVSS: 6.4 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2026-40636

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains a use of hard-coded credentials vulnerability. An unauthenticated attacker with local access could p…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2026-35157

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthentic…

CVSS: 5.8 CWE: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File View on NVD
Medium

CVE-2025-43992

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthentica…

CVSS: 5.6 CWE: CWE-302 - Authentication Bypass by Assumed-Immutable Data View on NVD
High

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security…

CVSS: 7.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2026-05-10
Medium

CVE-2021-47946

OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiti…

CVSS: 5.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2021-47932

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2021-47923

OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID c…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2026-7262

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which check…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2026-05-09
Low

CVE-2026-8196

A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginControlle…

CVSS: 3.7 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2026-42606

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with…

CVSS: 8.1 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
Critical

CVE-2026-42569

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been p…

CVSS: 9.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-8198

The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2026-1749

There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.

CVSS: 6.8 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2026-7652

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due…

CVSS: 5.3 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
2026-05-08
High

CVE-2026-42351

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystem…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2026-42302

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The star…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2026-42298

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows a…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2026-41432

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an…

CVSS: 7.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Critical

CVE-2026-42193

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verif…

CVSS: 9.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
High

CVE-2026-44400

MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing Authent…

CVSS: 8.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2026-42030

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker t…

CVSS: 6.1 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
High

CVE-2026-41576

Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, wh…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2026-25199

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxm…

CVSS: 9.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2026-8153

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2026-8076

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based cr…

CVSS: 9.3 CWE: CWE-1391 - Use of Weak Credentials View on NVD
Critical

CVE-2026-6213

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on imp…

CVSS: 10.0 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD