207 matches found
CVE-2026-58253
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when noauthuser was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an...
CVE-2026-14495
CVE-2026-14495 affects DoLogin Security for WordPress up to version 4.3. The issue is an authentication bypass caused by insufficient randomness in the dologin token: the PRNG is seeded with mt_srand((double) microtime() * 1000000), discarding the integer-seconds and giving ~10^6 seeds (~20 bits ...
CVE-2026-11965 User Registration & Membership < 5.2.0 - Unauthenticated Paid Membership Bypass
The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users after self-registering an account through the open registration flow to obtain an active subscription on any paid...
CVE-2026-58399
@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for...
CVE-2026-56219 Capgo - Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...
CVE-2026-56219 Capgo - Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...
CVE-2026-9242
The CVE covers RegistrationMagic for WordPress (all versions up to 6.0.8.6) with an AUTHENTICATION BYPASS via forged PayPal IPN requests. The PayPal IPN callback is registered as a nopriv AJAX action with no authentication or nonce, and the handler writes attacker-controlled POST data (including ...
CVE-2026-56245
Summary (MODE C): Supabase Capgo before 12.128.2 contains an authorization bypass in the SECURITY DEFINER record_build_time RPC, allowing unauthenticated attackers to insert arbitrary build-time records. Exploitation path: POST /rest/v1/rpc/record_build_time with a public API key. Impact: cross‑t...
Linux Distros Unpatched Vulnerability : CVE-2026-52844
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/...
CVE-2026-48020
Traefik CVE-2026-48020 describes an authentication bypass via StripPrefix Route-Level Auth Bypass. Prior to fixes, when a public router uses PathPrefix with StripPrefix, requests containing .. or %2e%2e could match the public route, then after prefix stripping and path normalization, resolve to a...
CVE-2026-10530 Pie Register < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token
The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox...
CVE-2026-56299
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/ endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid...
CVE-2026-56346 AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...
EUVD-2026-36914
Unauthenticated Bypass Vulnerability in WpTravelly = 2.1.7 versions...
CVE-2026-42752
Unauthenticated Bypass Vulnerability in Stripe Payments = 2.0.98 versions...
CVE-2026-42655
Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP = 4.6.19 versions...
CVE-2026-42662
Unauthenticated Bypass Vulnerability in Event Tickets = 5.27.5 versions...
CVE-2026-27089
Unauthenticated Bypass Vulnerability in WpTravelly = 2.1.7 versions...
EUVD-2026-36838
Unauthenticated Bypass Vulnerability in Stripe Payments = 2.0.98 versions...
CVE-2026-42752 WordPress Stripe Payments plugin <= 2.0.98 - Bypass Vulnerability vulnerability
Unauthenticated Bypass Vulnerability in Stripe Payments = 2.0.98 versions...