Export limit exceeded: 357830 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357830 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 357830 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (569 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13182 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator. | ||||
| CVE-2024-9933 | 1 Watchtowerhq | 1 Watchtower | 2026-04-15 | 9.8 Critical |
| The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user. | ||||
| CVE-2024-4552 | 1 Phoeniixx | 1 Social Login Lite For Woocommerce | 2026-04-15 | 9.8 Critical |
| The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2025-7742 | 2026-04-15 | N/A | ||
| An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level. | ||||
| CVE-2025-24332 | 2026-04-15 | 7.1 High | ||
| Nokia Single RAN AirScale baseband allows an authenticated administrative user access to all physical boards after performing a single login to the baseband system board. The baseband does not re-authenticate the user when they connect from the baseband system board to the baseband capacity boards using the internal bsoc SSH service, which is available only internally within the baseband and through the internal backplane between the boards. The bsoc SSH allows login from one board to another via the baseband internal backplane using an SSH private key present on the baseband system board. This bsoc SSH capability was previously considered an administrative functionality but has now been restricted to be available only to baseband root-privileged administrators. This restriction mitigates the possibility of misuse with lower-level privileges (e.g., from baseband software images). This mitigation is included starting from release 23R4-SR 3.0 MP and later | ||||
| CVE-2025-24846 | 2026-04-15 | 7.5 High | ||
| Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. If this vulnerability is exploited, a remote unauthenticated attacker may obtain the device information such as MAC address by sending a specially crafted request. | ||||
| CVE-2024-11981 | 1 Billion Electric | 4 M100, M120n, M150 and 1 more | 2026-04-15 | 7.5 High |
| Certain models of routers from Billion Electric has an Authentication Bypass vulnerability, allowing unautheticated attackers to retrive contents of arbitrary web pages. | ||||
| CVE-2024-10490 | 2026-04-15 | N/A | ||
| An “Authentication Bypass Using an Alternate Path or Channel” vulnerability in the OPC UA Server configuration required for B&R mapp Cockpit before 6.0, B&R mapp View before 6.0, B&R mapp Services before 6.0, B&R mapp Motion before 6.0 and B&R mapp Vision before 6.0 may be used by an unauthenticated network-based attacker to cause information disclosure, unintended change of data, or denial of service conditions. B&R mapp Services is only affected, when mpUserX or mpCodeBox are used in the Automation Studio project. | ||||
| CVE-2025-64530 | 1 Apollographql | 1 Federation | 2026-04-15 | 7.5 High |
| Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline fragments, for example. A fix to versions 2.9.5, 2.10.4, 2.11.5, and 2.12.1 of composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives. Some workarounds are available. Users of Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. Do not remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema. Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action. | ||||
| CVE-2024-9931 | 1 Jurre De Klijn | 1 Wux Blog Editor | 2026-04-15 | 9.8 Critical |
| The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user. | ||||
| CVE-2025-55012 | 1 Zed-industries | 1 Zed | 2026-04-15 | N/A |
| Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue involves either avoid sending prompts to the Agent Panel, or to limit the AI Agent's file system access. | ||||
| CVE-2024-33610 | 2026-04-15 | 9.1 Critical | ||
| "sessionlist.html" and "sys_trayentryreboot.html" are accessible with no authentication. "sessionlist.html" provides logged-in users' session information including session cookies, and "sys_trayentryreboot.html" allows to reboot the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-7350 | 1 Reputeinfosystems | 1 Appointment Booking Calendar Plugin And Scheduling Plugin Bookingpress | 2026-04-15 | 9.8 Critical |
| The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled. | ||||
| CVE-2025-31512 | 2026-04-15 | 7.3 High | ||
| An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval via isAddedByApprover in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version equal to or greater than one of the following build numbers: 4.1.12.2.1.19, 4.1.12.5.2.36, 4.1.13.0.60, 4.1.13.2.0.3.39, 4.1.13.2.0.3.41, 4.1.13.2.42, 4.1.13.2.25.44, 4.1.14.0.13, 4.1.14.0.43, 4.1.14.0.48, and 4.1.14.1.5.32. | ||||
| CVE-2025-40743 | 1 Siemens | 4 Sinumerik 828d, Sinumerik 840d Sl, Sinumerik Mc and 1 more | 2026-04-15 | 8.3 High |
| A vulnerability has been identified in SINUMERIK 828D PPU.4 (All versions < V4.95 SP5), SINUMERIK 828D PPU.5 (All versions < V5.25 SP1), SINUMERIK 840D sl (All versions < V4.95 SP5), SINUMERIK MC (All versions < V1.25 SP1), SINUMERIK MC V1.15 (All versions < V1.15 SP5), SINUMERIK ONE (All versions < V6.25 SP1), SINUMERIK ONE V6.15 (All versions < V6.15 SP5). The affected application improperly validates authentication for its VNC access service, allowing access with insufficient password verification. This could allow an attacker to gain unauthorized remote access and potentially compromise system confidentiality, integrity, or availability. | ||||
| CVE-2025-0749 | 2026-04-15 | 8.1 High | ||
| The Homey theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.3. This is due to the 'verification_id' value being set to empty, and the not empty check is missing in the dashboard user profile page. This makes it possible for unauthenticated attackers to log in to the first verified user. | ||||
| CVE-2025-1739 | 2026-04-15 | 7.1 High | ||
| An Authentication Bypass vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity. This vulnerability allows an attacker to retrieve administrator's credentials in cleartext by sending a request against the server using curl with random credentials to "/en/player/activex_pal.asp" and successfully authenticating the application. | ||||
| CVE-2025-51381 | 2026-04-15 | N/A | ||
| An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected. | ||||
| CVE-2025-10653 | 1 Raise3d | 1 Pro2 Series | 2026-04-15 | 8.6 High |
| An unauthenticated debug port may allow access to the device file system. | ||||
| CVE-2026-4700 | 1 Mozilla | 2 Firefox, Firefox Esr | 2026-04-14 | 9.8 Critical |
| Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | ||||