Total
3896 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0407 | 1 Netgear | 8 Ex2800, Ex2800 Firmware, Ex3110 and 5 more | 2026-02-20 | N/A | 8.0 HIGH |
| An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | |||||
| CVE-2025-68663 | 1 Getoutline | 1 Outline | 2026-02-20 | N/A | 5.3 MEDIUM |
| Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive operational updates after their account has been suspended. This vulnerability is fixed in 1.1.0. | |||||
| CVE-2026-2165 | 1 Detronetdip | 1 E-commerce | 2026-02-19 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15586 | 2026-02-19 | N/A | N/A | ||
| OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password. | |||||
| CVE-2025-41023 | 2026-02-19 | N/A | N/A | ||
| An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used. | |||||
| CVE-2026-25748 | 1 Goauthentik | 1 Authentik | 2026-02-19 | N/A | 8.6 HIGH |
| authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue. | |||||
| CVE-2026-26119 | 1 Microsoft | 1 Windows Admin Center | 2026-02-19 | N/A | 8.8 HIGH |
| Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2026-25922 | 1 Goauthentik | 1 Authentik | 2026-02-18 | N/A | 8.8 HIGH |
| authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue. | |||||
| CVE-2025-7630 | 2026-02-18 | N/A | 5.3 MEDIUM | ||
| Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force.This issue affects Wispotter: from 1.0 before v2025.10.08.1. | |||||
| CVE-2026-1368 | 2026-02-18 | N/A | 7.5 HIGH | ||
| The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key. | |||||
| CVE-2026-20655 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-18 | N/A | 5.5 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker with physical access to a locked device may be able to view sensitive user information. | |||||
| CVE-2025-65128 | 2026-02-17 | N/A | 8.1 HIGH | ||
| A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose names end with "*_nocommit" and supplying the parameters expected by the invoked function, an attacker can change configuration data, including SSID, Wi-Fi credentials, and administrative passwords, without authentication or an existing session. | |||||
| CVE-2025-65127 | 2026-02-17 | N/A | 6.5 MEDIUM | ||
| A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get_*" operations, attackers can obtain device configuration data, including plaintext credentials, without authentication or an existing session. | |||||
| CVE-2025-64175 | 1 Gogs | 1 Gogs | 2026-02-17 | N/A | 8.8 HIGH |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | |||||
| CVE-2026-24003 | 1 Linuxfoundation | 1 Everest | 2026-02-17 | N/A | 4.3 MEDIUM |
| EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available. | |||||
| CVE-2026-22764 | 1 Dell | 1 Openmanage Network Integration | 2026-02-13 | N/A | 4.3 MEDIUM |
| Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | |||||
| CVE-2026-25893 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | N/A | 9.8 CRITICAL |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10. | |||||
| CVE-2025-29813 | 1 Microsoft | 1 Azure Devops | 2026-02-13 | N/A | 10.0 CRITICAL |
| Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2024-25699 | 3 Esri, Linux, Microsoft | 4 Arcgis Enterprise, Portal For Arcgis, Linux Kernel and 1 more | 2026-02-13 | N/A | 8.5 HIGH |
| There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change. | |||||
| CVE-2026-0405 | 1 Netgear | 50 Cbr750, Cbr750 Firmware, Nbr750 and 47 more | 2026-02-12 | N/A | 7.8 HIGH |
| An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. | |||||