161567 matches found
CVE-2026-35672
CVE-2026-35672 affects phpMyFAQ prior to 4.1.3 where the default API client token is an empty string. The authentication check compares the configured token to the request header x-pmf-token and uses strict inequality; if the header is empty, authentication is bypassed. This allows unauthenticate...
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by she11f in WordPress Plugin Smart Online Order for Clover versions = 1.6.0...
CLSA-2026-1779968889 Fix of 7 CVEs
SECURITY UPDATE: Authentication Bypass in digest authentication - debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest - CVE-2026-43512 SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names -...
CVE-2026-8990
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...
CVE-2026-8990 Authentication Bypass in Kidsview
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...
CVE-2026-8990
The CVE-2026-8990 entry affects the Kidsview mobile application. A user with physical access can bypass the app’s authentication by interacting with push notifications, granting full access to the device owner’s account. Affected behavior is an authentication bypass via the notification channel, ...
CVE-2026-8990 Authentication Bypass in Kidsview
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...
EUVD-2026-32901
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...
[SECURITY] [DLA 4604-1] roundcube security update
Debian LTS Advisory DLA-4604-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin May 28, 2026 https://wiki.debian.org/LTS Package : roundcube Version : 1.4.15+dfsg.1-1+deb11u9 CVE ID : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 CVE-2026-48846...
EUVD-2026-32896
The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...
CVE-2026-8979 Authentication Bypass
The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...
CVE-2026-8979 Authentication Bypass
The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...
CVE-2026-8979
The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...
CVE-2026-8979
CVE-2026-8979 affects the Mennekes Amtron series firmware versions ≤ 5.22.3. The vulnerability is an authentication bypass where an unauthenticated remote attacker can change a user account password by sending a crafted POST to the /operator/operator endpoint. The CVSS data indicates a critical i...
SUSE-SU-2026:2103-1 Security update for apache2
This update for apache2 fixes the following issues - CVE-2026-23918: http2: double free and possible RCE on early reset bsc1263957. - CVE-2026-24072: modrewrite elevation of privileges via apexpr bsc1263935. - CVE-2026-28780: heap buffer overflow in modproxyajp via ajpmsgcheckheader bsc1264163. -...
CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)
Overview Rapid7 Labs discovered a critical argument injection CWE-88 vulnerability in Gogs, a popular open-source self-hosted Git service, tracked as CVE-2026-52806. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 Critical. The vulnerability allows any authenticated user to achieve remote cod...
USN-8332-1: CRaC JDK 17 vulnerabilities
Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. CVE-2026-22016 It was discovered that the Networking component of CRa...
USN-8332-1 openjdk-17-crac vulnerabilities
Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. CVE-2026-22016 It was discovered that the Networking component of CRa...
USN-8331-1 openjdk-lts vulnerabilities
Thomas Beckers discovered that the JAXP component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. CVE-2026-22016 It was discovered that the Networking component of...
CVE-2026-46193
In the Linux kernel, the following vulnerability has been resolved: xfrm: ah: account for ESN high bits in async callbacks AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or authdata area, but the async...