CVE-2026-39322 PolarLearn: Any password authenticates banned accounts and grants API access
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and...
VulnCheck KEV: CVE-2026-21891
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...
CVE-2026-28514 Rocket.Chat: Users can login with any password via the EE ddp-streamer-service
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows a...
CVE-2026-21891 ZimaOS has Authentication Bypass via System-Level Username
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...
CVE-2026-21891
ZimaOS up to version 1.5.0 has an authentication bypass vulnerability. The login logic validates usernames but mishandles the password result when the username matches common system service accounts, effectively granting authenticated access regardless of the password. Affected software: ZimaOS (...
Improper Authentication
org.jenkins-ci.plugins, active-directory is vulnerable to improper authentication. The vulnerability is due to improper handling of cached successful authentications in Windows/ADSI mode, which allows an attacker to log in as any user using any password while the valid authentication session...
CVE-2023-3266
A non-feature-complete authentication mechanism exists in the production application, allowing an attacker to bypass all authentication checks if LDAP authentication is selected. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an...
USN-6053-1 php7.0 vulnerability
It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations...
DEBIAN-CVE-2019-11187
Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided...
CVE-2017-1000433
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password...
UBUNTU-CVE-2009-4402
The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface...