Total
309 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32002 | 2025-07-02 | N/A | 9.8 CRITICAL | ||
| The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | |||||
| CVE-2025-25171 | 2025-06-30 | N/A | 8.8 HIGH | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13. | |||||
| CVE-2025-51381 | 2025-06-18 | N/A | 9.8 CRITICAL | ||
| An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected. | |||||
| CVE-2024-13772 | 1 Uxper | 1 Civi | 2025-06-17 | N/A | 5.6 MEDIUM |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email. | |||||
| CVE-2025-45607 | 1 Liaoxuefeng | 1 Itranswarp | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request. | |||||
| CVE-2024-8012 | 1 Ivanti | 1 Workspace Control | 2025-06-12 | N/A | 7.8 HIGH |
| An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. | |||||
| CVE-2025-31019 | 2025-06-12 | N/A | 8.8 HIGH | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse.This issue affects Password Policy Manager: from n/a through 2.0.4. | |||||
| CVE-2025-47707 | 1 Miniorange | 1 Miniorange 2fa | 2025-06-10 | N/A | 7.5 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. | |||||
| CVE-2025-47710 | 1 Miniorange | 1 Miniorange 2fa | 2025-06-10 | N/A | 7.4 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. | |||||
| CVE-2025-48011 | 1 One Time Password Project | 1 One Time Password | 2025-06-10 | N/A | 4.8 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0. | |||||
| CVE-2025-48010 | 1 One Time Password Project | 1 One Time Password | 2025-06-10 | N/A | 4.8 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0. | |||||
| CVE-2025-40581 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-06-04 | N/A | 7.1 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). Affected devices are vulnerable to an authentication bypass. This could allow a non-privileged local attacker to bypass the authentication of the SINEMA Remote Connect Edge Client, and to read and modify the configuration parameters. | |||||
| CVE-2025-4797 | 2025-06-04 | N/A | 9.8 CRITICAL | ||
| The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. | |||||
| CVE-2022-23767 | 2 Hanssak, Microsoft | 3 Securegate, Weblink, Windows | 2025-06-03 | N/A | 8.8 HIGH |
| This vulnerability of SecureGate is SQL-Injection using login without password. A path traversal vulnerability is also identified during file transfer. An attacker can take advantage of these vulnerabilities to perform various attacks such as obtaining privileges and executing remote code, thereby taking over the victim’s system. | |||||
| CVE-2025-5190 | 2025-05-30 | N/A | 8.8 HIGH | ||
| The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id. | |||||
| CVE-2024-36042 | 1 Silverpeas | 1 Silverpeas | 2025-05-29 | N/A | 9.8 CRITICAL |
| Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access. | |||||
| CVE-2025-4687 | 2025-05-29 | N/A | N/A | ||
| In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge. The victims account and their company can then be managed by the attacker.This issue affects RMS: before 5.7. | |||||
| CVE-2025-1909 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-28 | N/A | 9.8 CRITICAL |
| The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | |||||
| CVE-2022-31022 | 1 Couchbase | 1 Bleve | 2025-05-27 | 2.1 LOW | 6.2 MEDIUM |
| Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. Version 2.5.0 relocated the `http/` dir used _only_ by bleve-explorer to `blevesearch/bleve-explorer`, thereby addressing the issue. However, the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases. | |||||
| CVE-2024-13553 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-05-27 | N/A | 9.8 CRITICAL |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators. | |||||