Total: 352 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60041 | | | 2026-01-20 | N/A | 8.8 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All (emails-catch-all) allows Password Recovery Exploitation. This issue affects Emails Catch All: from n/a through 3.5.3. | | | | | |
| CVE-2025-49901 | | | 2026-01-20 | N/A | 9.8 CRITICAL |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in quantumcloud Simple Link Directory (qc-simple-link-directory) allows Authentication Abuse. This issue affects Simple Link Directory: from n/a before 14.8.1. | | | | | |
| CVE-2025-23504 | | | 2026-01-20 | N/A | 9.8 CRITICAL |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework (felan-framework) allows Authentication Abuse. This issue affects Felan Framework: from n/a through 1.1.3. | | | | | |
| CVE-2025-30026 | Axis | Camera Station, Camera Station Pro | 2026-01-16 | N/A | 9.8 CRITICAL |
| The AXIS Camera Station Server had a flaw that allowed the authentication normally required to be bypassed. | | | | | |
| CVE-2025-63217 | Itel | ID Mux, ID Mux Firmware | 2026-01-15 | N/A | 9.8 CRITICAL |
| The Itel DAB MUX (IDMUX build c041640a) is vulnerable to authentication bypass due to improper JWT validation across devices. An attacker can reuse a valid JWT obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks differ. This allows full compromise of affected devices. | | | | | |
| CVE-2025-46286 | Apple | iPadOS, iPhone OS | 2026-01-14 | N/A | 4.3 MEDIUM |
| A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent a passcode from being required immediately after Face ID enrollment. | | | | | |
| CVE-2025-67070 | | | 2026-01-13 | N/A | 8.2 HIGH |
| A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T that allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) step of the password recovery process. The attacker can then change the admin password and gain full access to the administrative panel. | | | | | |
| CVE-2026-21411 | | | 2026-01-08 | N/A | 8.8 HIGH |
| An authentication bypass issue exists in OpenBlocks series firmware versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | | | | | |
| CVE-2025-15102 | Deltaww | DVP-12SE11T, DVP-12SE11T Firmware | 2026-01-06 | N/A | 9.1 CRITICAL |
| DVP-12SE11T: password protection bypass. | | | | | |
| CVE-2025-68620 | Signal K | Signal K Server | 2026-01-06 | N/A | 9.1 CRITICAL |
| Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication; the attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is unauthenticated WebSocket request enumeration: when a WebSocket client connects to the Signal K stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events, including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without checking its authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events, which carry request IDs, client identifiers, descriptions, requested permissions and IP addresses. The second is unauthenticated token polling: the access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT in plaintext, because the `queryRequest` function returns the complete request object including the token field and the REST endpoint only requires readonly authentication. An attacker has two paths to exploit these issues. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request) and polls that request ID until an administrator approves it, receiving the JWT; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, polls those IDs, and steals the JWTs when administrators approve them, hijacking legitimate device credentials. Both paths require no authentication and yield a complete authentication bypass. Version 2.19.0 fixes the underlying issues. | | | | | |
| CVE-2025-8093 | Authenticator Login Project | Authenticator Login | 2026-01-05 | N/A | 8.8 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.8. | | | | | |
| CVE-2025-64281 | CentralSquare | Community Development | 2025-12-31 | N/A | 9.8 CRITICAL |
| An authentication bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials. | | | | | |
| CVE-2025-11621 | HashiCorp | Vault | 2025-12-29 | N/A | 8.1 HIGH |
| Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11 and 1.16.27. | | | | | |
| CVE-2025-11984 | GitLab | GitLab | 2025-12-23 | N/A | 6.8 MEDIUM |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions. | | | | | |
| CVE-2025-43436 | Apple | iPadOS, iPhone OS, tvOS and 2 more | 2025-12-17 | N/A | 7.5 HIGH |
| A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, and visionOS 26.1. An app may be able to enumerate a user's installed apps. | | | | | |
| CVE-2024-56044 | VibeThemes | WordPress Learning Management System | 2025-12-15 | N/A | 9.8 CRITICAL |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS allows Authentication Bypass. This issue affects WPLMS: from n/a through 1.9.9. | | | | | |
| CVE-2025-66200 | Apache | HTTP Server | 2025-12-10 | N/A | 5.4 MEDIUM |
| mod_userdir + suexec bypass via AllowOverride FileInfo in Apache HTTP Server. Users allowed to use the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected user ID. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | | | | | |
| CVE-2025-66238 | | | 2025-12-08 | N/A | 7.2 HIGH |
| DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could use these features to redirect network traffic, potentially reaching restricted services or data on the host machine. | | | | | |
| CVE-2025-12760 | Email TFA Project | Email TFA | 2025-12-08 | N/A | 5.4 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6. | | | | | |
| CVE-2025-12466 | Simple OAuth Project | Simple OAuth | 2025-12-04 | N/A | 7.5 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7. | | | | | |
