CVE & CISA-KEV Catalog

362,600 CVEs · 1,630 actively exploited (KEV)
Active:
  • CVSS 7.4 v3·EPSS -·No fix yet

    AS228T with Authentication Bypass Vulnerability

    Published 2026-07-01

  • CVSS 5.3 v3·EPSS -·No fix yet

    In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.

    Published 2026-07-01

  • CVSS 5.3 v3·EPSS -·No fix yet

    In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01816800; Issue ID: MSV-6842.

    Published 2026-07-01

  • CVSS 9.1 v3·EPSS -·No fix yet

    Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.

    Published 2026-06-30

  • CVSS 10.0 v3·EPSS 0.5%·Fix available

    Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresses its resources by URL path segments that the caller chooses (/api/v1/{tenant}/flows/{namespace}, /api/v1/{tenant}/executions/{namespace}/{id}, /api/v1/{tenant}/namespaces/{namespace}/kv/{key}). An anonymous caller picks the literal configs as the final segment, and the request bypasses Basic-Auth entirely. Because the bypass reaches the flow-create and execution-trigger routes, an unauthenticated caller creates a flow containing a Shell or Process task and runs it. The task executes as root

    Published 2026-06-26

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.

    Published 2026-06-26

  • CVSS 9.3 v4·EPSS 0.3%·No fix yet

    Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an email parameter. If the JWT does not contain an email address, the application falls back to accepting an arbitrary email value supplied directly in the request. Attackers are able to forge Apple JWTs that do not contain an email address and leverage this vulnerability to carry out account takeover attacks. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

    Published 2026-06-24

  • CVSS 9.3 v4·EPSS 0.3%·No fix yet

    FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

    Published 2026-06-24

  • CVSS 10.0 v3·EPSS 0.2%·Fix available

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-spe

    Published 2026-06-23

  • CVSS 10.0 v3·EPSS 0.2%·Fix available

    Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This aff

    Published 2026-06-23

  • CVSS 10.0 v3·EPSS 0.6%·Fix available

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability

    Published 2026-06-23

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.

    Published 2026-06-23

  • CVSS 7.5 v3·EPSS 0.4%·No fix yet

    WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

    Published 2026-06-20

  • CVSS 9.8 v3·EPSS 0.4%·No fix yet

    WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.

    Published 2026-06-20

  • CVSS 8.2 v3·EPSS 0.2%·No fix yet

    Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients

    Published 2026-06-17

  • CVSS 6.5 v3·EPSS 0.3%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4.

    Published 2026-06-17

  • CVSS 7.6 v3·EPSS 0.3%·No fix yet

    Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.

    Published 2026-06-17

  • CVSS 9.8 v3·EPSS 0.5%·No fix yet

    Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

    Published 2026-06-17

  • CVSS 6.5 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

    Published 2026-06-17

  • CVSS 8.8 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

    Published 2026-06-17

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.

    Published 2026-06-17

  • CVSS 8.7 v4·EPSS 0.5%·No fix yet

    syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The is

    Published 2026-06-16

  • CVSS 9.8 v3·EPSS 0.4%·No fix yet

    Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.

    Published 2026-06-15

  • CVSS 8.1 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.

    Published 2026-06-15

  • CVSS 7.5 v3·EPSS 0.4%·No fix yet

    Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.

    Published 2026-06-15

  • CVSS 8.1 v3·EPSS 0.4%·No fix yet

    Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.

    Published 2026-06-15

  • CVSS 6.5 v3·EPSS 0.4%·No fix yet

    Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.

    Published 2026-06-15

  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions.

    Published 2026-06-15

  • CVSS 6.5 v3·EPSS 0.3%·No fix yet

    Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.

    Published 2026-06-15

  • CVSS 7.1 v3·EPSS 0.4%·No fix yet

    Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.

    Published 2026-06-15

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.

    Published 2026-06-15

  • CVSS 7.1 v3·EPSS 0.4%·No fix yet

    Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.

    Published 2026-06-15

  • CVSS 8.8 v3·EPSS 0.3%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

    Published 2026-06-15

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.

    Published 2026-06-12

  • CVSS 9.9 v3·EPSS 47%·Fix available

    An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

    Published 2026-06-09

  • CVSS 8.8 v3·EPSS 0.4%·No fix yet

    The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has no

    Published 2026-06-05

  • CVSS 6.8 v3·EPSS 0.2%·No fix yet

    An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically proximate attackers to bypass authentication and gain root access by interrupting the boot sequence and injecting a crafted string into the kernel boot arguments.

    Published 2026-06-04

  • CVSS 7.1 v3·EPSS 0.2%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation. This issue affects Wallet System for WooCommerce: from n/a through 2.7.5.

    Published 2026-06-02

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1.

    Published 2026-06-02

  • CVSS 6.9 v4·EPSS 0.2%·No fix yet

    Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.

    Published 2026-05-29

  • CVSS 9.8 v3·EPSS 0.4%·No fix yet

    Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user.

    Published 2026-05-29

  • CVSS 8.8 v3·EPSS 0.5%·No fix yet

    Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

    Published 2026-05-28

  • CVSS 5.3 v4·EPSS 0.2%·No fix yet

    A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant themselves full access to the device owner's account by interacting with the application's push notification. This issue was fixed in version 4.4.3.

    Published 2026-05-28

  • CVSS 9.3 v4·EPSS 0.6%·No fix yet

    In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchange's configuration. If remote access is disabled, calling with this caller ID will temporarily enable it. This issue was fixed in the versions below: - IPL-256: version 6.61.0040 - IPM-032: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were di

    Published 2026-05-27

  • CVSS 9.3 v4·EPSS 0.7%·No fix yet

    Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command. This issue was fixed in the versions below: - NCP: version 1.24.0250 - IPx series: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading.

    Published 2026-05-27

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25.

    Published 2026-05-27

  • CVSS 7.1 v3·EPSS 0.2%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.

    Published 2026-05-27

  • CVSS 7.3 v3·EPSS 0.2%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

    Published 2026-05-27

  • CVSS 8.2 v3·EPSS 0.3%·No fix yet

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation. This issue affects KiviCare: from n/a through <= 4.3.0.

    Published 2026-05-27

  • CVSS 2.4 v3·EPSS 0.2%·No fix yet

    AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows (insecure navigation through exposed routes facilitates app control evasion, "I.N.T.E.R.F.A.C.E") via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.

    Published 2026-05-26

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.