160926 matches found
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through...
Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution. id: CVE-2021-40539 info: name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution author:...
IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection
IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. id: CVE-2019-4716 info: name: IBM Planning Analytics - Authentication Bypass & Remote...
CVE-2026-12443
An use after free flaw was found in the Web Authentication component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=522566295...
CVE-2026-3640
The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...
CVE-2026-12430 Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
CVE-2026-12049
A flaw was found in pgAdmin 4. This open redirect vulnerability exists in the multi-factor authentication MFA flow. An authenticated user could be tricked into clicking a specially crafted link, which would redirect them to an attacker-controlled website. This could increase the success rate of...
EUVD-2026-37946
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network...
EUVD-2026-37945
Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network...
CVE-2026-12049
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically...
CVE-2026-12046
Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/ and POST /sqleditor/initialize/sqleditor/updateconnection/// -- were the only routes in the module missing the @pgaloginrequired decorator. Both reach a pickle.loads sink on session'gridData''commandobj':...
PT-2026-50876
Name of the Vulnerable Software and Affected Versions JetBrains Hub versions prior to 2026.1.13757 JetBrains Hub versions prior to 2025.3.148033 JetBrains Hub versions prior to 2025.2.148048 JetBrains Hub versions prior to 2025.1.148120 JetBrains Hub versions prior to 2024.3.148430 JetBrains Hub...
PT-2026-50896
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 3.5.0 through 3.16.0 Description An authentication bypass issue exists in the opa plugin. An attacker can relay spoofed identity headers to upstream services by exploiting non-default configurations in the opa plugin,...
PT-2026-50898
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 3.0.0 through 3.16.0 Description A Cross-Site Request Forgery CSRF issue exists in the cas-auth plugin under default configurations. This allows a remote attacker to trick a victim into visiting a malicious webpage,...
PT-2026-50880
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 2.2 through 3.16.0 Description An authentication bypass by spoofing exists in the jwt-auth plugin. This flaw allows an attacker to completely bypass authentication by using a spoofed token when certain configurations of...
PT-2026-51068
Name of the Vulnerable Software and Affected Versions Traefik versions 3.7.0-ea.1 through 3.7.4 Description A fail-open authentication issue exists in the Kubernetes Ingress NGINX provider. When an Ingress explicitly enables BasicAuth or DigestAuth using the nginx.ingress.kubernetes.io/auth-type...
PT-2026-50887
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 3.11.0 through 3.16.0 Description An authentication bypass exists due to a capture-replay issue. An attacker can leverage specific configurations in the hmac-auth module to reuse a token indefinitely, effectively bypassi...
PT-2026-50873
Name of the Vulnerable Software and Affected Versions JetBrains Hub versions prior to 2026.1.13757 JetBrains Hub versions prior to 2025.3.148033 JetBrains Hub versions prior to 2025.2.148048 JetBrains Hub versions prior to 2025.1.148120 JetBrains Hub versions prior to 2024.3.148430 JetBrains Hub...
PT-2026-50879
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 2.12.0 through 3.16.0 Description Improper Input Validation in the forward-auth plugin allows an attacker to spoof identity headers by leveraging specific configurations. Recommendations Upgrade to version 3.17.0...
PT-2026-50895
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 3.8.0 through 3.16.0 Description Improper Validation of Integrity Check Value in the jwe-decrypt plugin under default configuration allows for authentication bypass. Recommendations Upgrade to version 3.17.0...