Total: 352 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-32130 | 1 Zitadel | 1 Zitadel | 2026-03-16 | N/A | 7.5 HIGH | ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2. |
| CVE-2026-3930 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-16 | N/A | 5.3 MEDIUM | Unsafe navigation in Navigation in Google Chrome on iOS prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-22572 | 1 Fortinet | 3 Fortianalyzer, Fortimanager, Fortimanager Cloud | 2026-03-16 | N/A | 7.2 HIGH | An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks via submitting multiple crafted requests. |
| CVE-2026-26117 | 1 Microsoft | 1 Arc Enabled Servers Azure Connected Machine Agent | 2026-03-13 | N/A | 7.8 HIGH | Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. |
| CVE-2025-67039 | | | 2026-03-12 | N/A | 9.1 CRITICAL | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username. |
| CVE-2026-0602 | | | 2026-03-12 | N/A | 4.3 MEDIUM | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances. |
| CVE-2025-67041 | | | 2026-03-12 | N/A | 9.8 CRITICAL | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. |
| CVE-2025-70082 | | | 2026-03-12 | N/A | 9.8 CRITICAL | An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component. |
| CVE-2026-27842 | | | 2026-03-11 | N/A | 9.8 CRITICAL | An authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration. |
| CVE-2026-1603 | 1 Ivanti | 1 Endpoint Manager | 2026-03-10 | N/A | 8.6 HIGH | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. |
| CVE-2026-30777 | 1 Ec-cube | 1 Ec-cube | 2026-03-09 | N/A | 6.5 MEDIUM | EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page. |
| CVE-2026-27389 | | | 2026-03-09 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse. This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1. |
| CVE-2026-27390 | | | 2026-03-09 | N/A | 8.8 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse. This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1. |
| CVE-2026-20079 | | | 2026-03-05 | N/A | 10.0 CRITICAL | A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device. |
| CVE-2025-67507 | 1 Filamentphp | 1 Filament | 2026-03-04 | N/A | 8.1 HIGH | Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1. |
| CVE-2026-27707 | 1 Seerr | 1 Seerr | 2026-03-04 | N/A | 7.3 HIGH | Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue. |
| CVE-2026-2628 | | | 2026-03-03 | N/A | 9.8 CRITICAL | The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators. |
| CVE-2026-28411 | 1 Wegia | 1 Wegia | 2026-03-03 | N/A | 9.8 CRITICAL | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue. |
| CVE-2026-22205 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 7.5 HIGH | SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data. |
| CVE-2026-1618 | 1 Uni-yaz | 1 Flexcity | 2026-03-02 | N/A | 8.8 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36. |
