Total
538 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8644 | 1 Ibm | 1 Websphere Application Server | 2026-06-04 | N/A | 9.1 CRITICAL |
| IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing. | |||||
| CVE-2026-7507 | 1 Redhat | 1 Build Of Keycloak | 2026-06-03 | N/A | 7.5 HIGH |
| A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts. | |||||
| CVE-2026-46414 | 2026-06-02 | N/A | 8.8 HIGH | ||
| Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking. | |||||
| CVE-2026-47123 | 2026-06-02 | N/A | 7.5 HIGH | ||
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies — which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220. | |||||
| CVE-2026-44649 | 2026-06-02 | N/A | 9.8 CRITICAL | ||
| SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0. | |||||
| CVE-2026-42674 | 2026-06-01 | N/A | 7.5 HIGH | ||
| Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0. | |||||
| CVE-2026-42602 | 1 Opentelemetry | 1 Opentelemetry Collector Contrib | 2026-06-01 | N/A | 8.1 HIGH |
| azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens). | |||||
| CVE-2021-22779 | 1 Schneider-electric | 61 Ecostruxure Control Expert, Ecostruxure Process Expert, Modicon M340 Bmxp341000 and 58 more | 2026-05-29 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller. | |||||
| CVE-2026-8676 | 2026-05-27 | N/A | 8.8 HIGH | ||
| An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond. | |||||
| CVE-2018-25361 | 2026-05-26 | N/A | 6.8 MEDIUM | ||
| Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode. | |||||
| CVE-2026-24899 | 1 Fleetdm | 1 Fleet | 2026-05-26 | N/A | 7.5 HIGH |
| Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints. If Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access. Version 4.82.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | |||||
| CVE-2023-2887 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2026-05-22 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-4178 | 1 Neutron | 1 Smart Vms | 2026-05-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Spoofing vulnerability in Neutron Neutron Smart VMS allows Authentication Bypass. This issue affects Neutron Smart VMS: before b1130.1.0.1. | |||||
| CVE-2026-8961 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-20 | N/A | 6.5 MEDIUM |
| Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-39309 | 2026-05-20 | N/A | 5.5 MEDIUM | ||
| Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of the trusted app. The root cause is that the RunAsNode fuse allows launching the app in a special Node.js mode using -e to execute arbitrary system commands with Trilium Notes's permissions and identity. An attacker can leverage this through a subprocess to request any sensitive permissions, such as access to hardware (camera, microphone) and TCC-protected files, causing the TCC system prompt to appear as if the request came from Trilium rather than the attacker's code, because macOS treats the subprocess as part of the parent application. Exploitation allows access to TCC-protected resources like the screen, camera, microphone, and folders such as ~/Documents and ~/Downloads, undermining macOS's security model and UI integrity through social engineering. This issue has been fixed in version 0.102.2. | |||||
| CVE-2026-8963 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-20 | N/A | 7.5 HIGH |
| Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | |||||
| CVE-2026-8951 | 1 Mozilla | 1 Firefox | 2026-05-20 | N/A | 6.5 MEDIUM |
| Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151. | |||||
| CVE-2026-8960 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-05-20 | N/A | 7.5 HIGH |
| Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | |||||
| CVE-2023-23398 | 1 Microsoft | 4 365 Apps, Excel, Office and 1 more | 2026-05-19 | N/A | 7.1 HIGH |
| Microsoft Excel Spoofing Vulnerability | |||||
| CVE-2026-46356 | 1 Fleetdm | 1 Fleet | 2026-05-18 | N/A | 7.5 HIGH |
| Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer. | |||||