Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32953 | 2026-03-20 | N/A | N/A | ||
| Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte. | |||||
| CVE-2026-28446 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 9.4 CRITICAL |
| OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools. | |||||
| CVE-2026-29515 | 2026-03-11 | N/A | N/A | ||
| MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status. | |||||
| CVE-2019-25436 | 1 Sricam | 1 Deviceviewer | 2026-02-26 | N/A | 6.5 MEDIUM |
| Sricam DeviceViewer 3.12.0.1 contains a password change security bypass vulnerability that allows authenticated users to change passwords without proper validation of the old password field. Attackers can inject a large payload into the old password parameter during the change password process to bypass validation and set an arbitrary new password. | |||||
| CVE-2024-10127 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 9.8 CRITICAL |
| Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration. | |||||
| CVE-2026-0999 | 1 Mattermost | 1 Mattermost Server | 2026-02-18 | N/A | 5.4 MEDIUM |
| Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548 | |||||
| CVE-2025-66489 | 1 Cal | 1 Cal.com | 2026-02-13 | N/A | 9.8 CRITICAL |
| Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8. | |||||
| CVE-2025-14510 | 2026-01-16 | N/A | 8.1 HIGH | ||
| Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. | |||||
| CVE-2025-63210 | 1 Newtec | 4 Celoxa504, Celoxa504 Firmware, Celoxa820 and 1 more | 2026-01-15 | N/A | 9.8 CRITICAL |
| The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserName flow, the attacker can gain Superuser or Operator access without providing valid credentials. | |||||
| CVE-2025-4676 | 2026-01-08 | N/A | 8.8 HIGH | ||
| Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | |||||
| CVE-2025-14273 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 7.2 HIGH |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 | |||||
| CVE-2025-13390 | 1 Wpdirectorykit | 1 Wp Directory Kit | 2025-12-16 | N/A | 10.0 CRITICAL |
| The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | |||||
| CVE-2025-12419 | 1 Mattermost | 1 Mattermost Server | 2025-12-03 | N/A | 9.9 CRITICAL |
| Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. | |||||
| CVE-2025-12421 | 1 Mattermost | 1 Mattermost Server | 2025-12-03 | N/A | 9.9 CRITICAL |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). | |||||
| CVE-2023-29357 | 1 Microsoft | 1 Sharepoint Server | 2025-10-28 | N/A | 9.8 CRITICAL |
| Microsoft SharePoint Server Elevation of Privilege Vulnerability | |||||
| CVE-2025-53782 | 1 Microsoft | 1 Exchange Server | 2025-10-27 | N/A | 8.4 HIGH |
| Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally. | |||||
| CVE-2024-7593 | 1 Ivanti | 1 Virtual Traffic Management | 2025-10-24 | N/A | 9.8 CRITICAL |
| Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. | |||||
| CVE-2025-61783 | 2025-10-15 | N/A | N/A | ||
| Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability. | |||||
| CVE-2025-3230 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 5.4 MEDIUM |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens. | |||||
| CVE-2025-2571 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 4.2 MEDIUM |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. | |||||