Total: 352 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2791 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2784 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2775 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-1747 | 1 Gitlab | 1 Gitlab | 2026-02-28 | N/A | 4.3 MEDIUM |
| GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages. | |||||
| CVE-2026-27611 | 1 Gtsteffaniak | 1 Filebrowser Quantum | 2026-02-27 | N/A | 6.5 MEDIUM |
| FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue. | |||||
| CVE-2025-68895 | | | 2026-02-27 | N/A | 6.5 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in ahachat AhaChat Messenger Marketing ahachat-messenger-marketing allows Password Recovery Exploitation. This issue affects AhaChat Messenger Marketing: from n/a through <= 1.1. | |||||
| CVE-2026-1779 | | | 2026-02-27 | N/A | 8.1 HIGH |
| The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set. | |||||
| CVE-2026-1241 | | | 2026-02-27 | N/A | N/A |
| The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges. | |||||
| CVE-2025-64121 | 1 Nuvationenergy | 5 Nplatform, Nuvmsc3-04s-c, Nuvmsc3-08s-c and 2 more | 2026-02-26 | N/A | 9.8 CRITICAL |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. | |||||
| CVE-2025-69985 | 1 Frangoteam | 1 Fuxa | 2026-02-26 | N/A | 9.8 CRITICAL |
| FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server. | |||||
| CVE-2025-67998 | | | 2026-02-25 | N/A | 8.8 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7. | |||||
| CVE-2026-22341 | | | 2026-02-24 | N/A | 5.4 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse. This issue affects Booked: from n/a through <= 3.0.0. | |||||
| CVE-2025-55338 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2026-02-22 | N/A | 6.1 MEDIUM |
| Missing Ability to Patch ROM Code in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | |||||
| CVE-2026-2540 | | | 2026-02-18 | N/A | N/A |
| The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and execute a command. Successful exploitation allows an attacker to clone the alarm key. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors. | |||||
| CVE-2025-14714 | 2 Apple, Libreoffice | 2 Macos, Libreoffice | 2026-02-18 | N/A | 6.5 MEDIUM |
| An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges. In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on macOS: from 25.2 before 25.2.4. | |||||
| CVE-2026-2095 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 9.8 CRITICAL |
| Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain an arbitrary user's authentication token and log into the system as any user. | |||||
| CVE-2026-2096 | 1 Flowring | 1 Agentflow | 2026-02-13 | N/A | 9.8 CRITICAL |
| Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | |||||
| CVE-2025-68707 | 1 Tycc | 2 Tongyu Ax1800, Tongyu Ax1800 Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | |||||
| CVE-2025-13980 | 1 Cksource | 1 Ckeditor 5 Premium Features | 2026-02-12 | N/A | 5.3 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. | |||||
| CVE-2020-37156 | | | 2026-02-12 | N/A | 6.5 MEDIUM |
| BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access. | |||||
