Total: 63 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-27478 | 1 Unitycatalog | 1 Unitycatalog | 2026-03-16 | N/A | 9.1 CRITICAL | Unity Catalog is an open, multi-modal catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider. |
| CVE-2025-15595 | 1 Jrsoftware | 1 Inno Setup | 2026-03-13 | N/A | 7.8 HIGH | Privilege escalation via DLL hijacking in Inno Setup 6.2.1 and earlier versions. |
| CVE-2026-28710 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-12 | N/A | 9.8 CRITICAL | Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. |
| CVE-2025-30412 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-12 | N/A | 10.0 CRITICAL | Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800. |
| CVE-2025-30411 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-12 | N/A | 10.0 CRITICAL | Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800. |
| CVE-2026-1693 | 1 Arcinformatique | 1 Pcvue | 2026-03-12 | N/A | 7.5 HIGH | The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services behind the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in versions 12.0.0 through 16.3.3 included, despite being deprecated. It might allow a remote attacker to steal user credentials. |
| CVE-2025-40552 | 1 Solarwinds | 1 Web Help Desk | 2026-02-26 | N/A | 9.8 CRITICAL | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. |
| CVE-2025-57713 | 1 Qnap | 1 File Station | 2026-02-12 | N/A | 7.5 HIGH | A weak authentication vulnerability has been reported to affect File Station 5. Remote attackers can exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later. |
| CVE-2025-40554 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 9.8 CRITICAL | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. |
| CVE-2023-53894 | 1 Dulldusk | 1 Phpfilemanager | 2026-01-21 | N/A | 9.8 CRITICAL | phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server. |
| CVE-2025-63807 | 1 2dogz | 1 Blogin | 2026-01-15 | N/A | 9.8 CRITICAL | An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods. |
| CVE-2025-49201 | 1 Fortinet | 2 Fortipam, Fortiswitchmanager | 2026-01-14 | N/A | 8.1 HIGH | A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, and FortiSwitchManager 7.2.0 through 7.2.4 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. |
| CVE-2025-1293 | 1 Hashicorp | 1 Hermes | 2025-12-18 | N/A | 8.2 HIGH | Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0. |
| CVE-2024-29837 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 8.8 HIGH | The web interface of Evolution Controller versions 2.04.560.31.03.2024 and below uses poor session management, allowing an unauthenticated attacker to access administrator functionality if any other user is already signed in. |
| CVE-2024-52541 | 1 Dell | 784 Alienware M15 R6, Alienware M15 R6 Firmware, Alienware M15 R7 and 781 more | 2025-12-01 | N/A | 8.2 HIGH | Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. |
| CVE-2025-12870 | 1 Aenrich | 1 A+hrd | 2025-11-18 | N/A | 9.8 CRITICAL | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges. |
| CVE-2025-12871 | 1 Aenrich | 1 A+hrd | 2025-11-18 | N/A | 9.8 CRITICAL | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges. |
| CVE-2025-1387 | 1 Learningdigital | 1 Orca Hcm | 2025-11-17 | N/A | 9.8 CRITICAL | Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user. |
| CVE-2024-38182 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | N/A | 9.0 CRITICAL | Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network. |
| CVE-2025-11084 | | | 2025-11-12 | N/A | N/A | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. |
