Total: 539 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-25318 | 1 Tenda | 4 A300, A300 Firmware, Fh303 and 1 more | 2026-05-04 | N/A | 9.8 CRITICAL | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites. |
| CVE-2026-7422 | 1 Amazon | 1 Freertos-plus-tcp | 2026-05-04 | N/A | 6.5 MEDIUM | Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available. |
| CVE-2026-39858 | 1 Traefik | 1 Traefik | 2026-05-01 | N/A | 10.0 CRITICAL | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. |
| CVE-2025-50328 | | | 2026-04-30 | N/A | 7.3 HIGH | A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions. |
| CVE-2026-32492 | | | 2026-04-29 | N/A | 5.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Joe Dolson My Tickets my-tickets allows Identity Spoofing. This issue affects My Tickets: from n/a through <= 2.1.1. |
| CVE-2026-24372 | | | 2026-04-29 | N/A | 7.5 HIGH | Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation. This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10. |
| CVE-2025-58595 | | | 2026-04-29 | N/A | 5.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Saad Iqbal All In One Login change-wp-admin-login allows Identity Spoofing. This issue affects All In One Login: from n/a through <= 2.0.8. |
| CVE-2025-32275 | 1 Ays-pro | 1 Survey Maker | 2026-04-29 | N/A | 4.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker survey-maker allows Identity Spoofing. This issue affects Survey Maker: from n/a through <= 5.1.6.3. |
| CVE-2025-32227 | | | 2026-04-29 | N/A | 4.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identity Spoofing. This issue affects Asgaros Forum: from n/a through <= 3.0.0. |
| CVE-2025-24628 | | | 2026-04-29 | N/A | 5.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing. This issue affects Google Captcha: from n/a through <= 1.78. |
| CVE-2024-21746 | 1 Wpmet | 1 Wp Ultimate Review | 2026-04-29 | N/A | 5.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Identity Spoofing. This issue affects Wp Ultimate Review: from n/a through <= 2.3.6. |
| CVE-2026-0834 | 1 Tp-link | 4 Archer Ax53, Archer Ax53 Firmware, Archer C20 and 1 more | 2026-04-28 | N/A | 8.8 HIGH | Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031; Archer C20 v5 < EU_V5_260317 or < US_V5_260419; Archer AX53 v1.0 < V1_251215; TL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366. |
| CVE-2023-41133 | | | 2026-04-28 | N/A | 5.3 MEDIUM | Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass. This issue affects Secure Admin IP: from n/a through 2.0. |
| CVE-2026-40575 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-27 | N/A | 9.1 CRITICAL | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-regex` or `--skip-auth-route` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application. This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session. Impacted users are deployments that run oauth2-proxy with `--reverse-proxy` enabled and configure at least one `--skip-auth-regex` or `--skip-auth-route` rule. This issue is patched in `v7.15.2`. Some workarounds are available for those who cannot upgrade immediately. Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level; explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy; restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy; and/or remove or narrow `--skip-auth-regex` / `--skip-auth-route` rules where possible. For nginx-based deployments, ensure `X-Forwarded-Uri` is set by nginx and not passed through from the client. |
| CVE-2025-69401 | | | 2026-04-27 | N/A | 7.5 HIGH | Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing. This issue affects WooODT Lite: from n/a through <= 2.5.2. |
| CVE-2026-25660 | 1 Ericsson | 1 Codechecker | 2026-04-27 | N/A | 9.8 CRITICAL | CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3. |
| CVE-2025-59707 | 1 N2ws | 1 N2w | 2026-04-25 | N/A | 9.8 CRITICAL | In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability. |
| CVE-2025-59706 | 1 N2ws | 1 N2w | 2026-04-25 | N/A | 9.8 CRITICAL | In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution. |
| CVE-2024-45453 | | | 2026-04-23 | N/A | 3.7 LOW | Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect jf3-maintenance-mode. This issue affects Maintenance Redirect: from n/a through <= 2.0.1. |
| CVE-2024-43944 | | | 2026-04-23 | N/A | 3.7 LOW | Authentication Bypass by Spoofing vulnerability in ilyasine Maintenance & Coming Soon Redirect Animation maintenance-coming-soon-redirect-animation allows Identity Spoofing. This issue affects Maintenance & Coming Soon Redirect Animation: from n/a through <= 2.3.3. |
