CVE-2026-39963

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipitysetCookie function in include/functionsconfig.inc.php uses $SERVER'HTTPHOST' without validation as the domain parameter of setcookie. An attacker who can influence the Host header at login time, such as vi...

CVE-2026-0247

Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations...

CVE-2026-0393

The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session...

CVE-2026-26206

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the...

CVE-2026-44426

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own...

CVE-2026-44341

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

CVE-2026-44347

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

CVE-2026-8993

D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF Server Side...

CVE-2026-8903

The Two-factor authentication formerly IP Vault plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipvsavechanges function. This makes it possible for unauthenticated attackers to...

CVE-2026-8305

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

CVE-2026-8990

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVE-2026-8367

aria2c accepts a server certificate with incorrect Extended Key Usage EKU. If the attackers compromise a certificate with the associated private key issued for a different purpose, they may be able to reuse it for TLS server authentication...

CVE-2026-8321

A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware. Performing a manipulation results in authentication bypass using alternate channel. The attack is...

CVE-2026-35462

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

CVE-2026-25660

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in...

CVE-2026-43935

e107 is a content management system CMS. Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, o...

CVE-2026-43916

pamauthnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peerlookuptcp src/peerlookup.c:134, prior to the fix allowed a crafted NETLINKSOCKDIAG reply to slip past the message-size check, then...

CVE-2026-7365

IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication...

CVE-2026-7567

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybelogintemporaryuser function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before...

CVE-2026-34457

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an authrequest-style integration such as nginx authrequest and either...