Total
452 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67070 | 2026-01-13 | 8.2 High | ||
| A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel. | ||||
| CVE-2024-2055 | 1 Articatech | 1 Artica Proxy | 2026-01-12 | 9.8 Critical |
| The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. | ||||
| CVE-2024-2056 | 1 Articatech | 1 Artica Proxy | 2026-01-12 | 9.8 Critical |
| Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the "tailon" service is running, running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov's 'tailon' GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed. | ||||
| CVE-2026-21411 | 2026-01-08 | N/A | ||
| Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | ||||
| CVE-2025-15102 | 2 Delta Electronics, Deltaww | 3 Dvp-12se11t, Dvp-12se11t, Dvp-12se11t Firmware | 2026-01-06 | 9.1 Critical |
| DVP-12SE11T - Password Protection Bypass | ||||
| CVE-2025-68620 | 1 Signalk | 2 Signal K Server, Signalk-server | 2026-01-06 | 9.1 Critical |
| Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses. The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access. An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues. | ||||
| CVE-2025-8093 | 2 Authenticator Login Project, Drupal | 2 Authenticator Login, Drupal | 2026-01-05 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8. | ||||
| CVE-2025-64281 | 1 Centralsquare | 1 Community Development | 2025-12-31 | 9.8 Critical |
| An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials. | ||||
| CVE-2025-43436 | 1 Apple | 8 Ios, Ipad Os, Ipados and 5 more | 2025-12-18 | 7.5 High |
| A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps. | ||||
| CVE-2024-56044 | 1 Vibethemes | 1 Wordpress Learning Management System | 2025-12-15 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS allows Authentication Bypass.This issue affects WPLMS: from n/a through 1.9.9. | ||||
| CVE-2025-66200 | 1 Apache | 1 Http Server | 2025-12-10 | 5.4 Medium |
| mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | ||||
| CVE-2025-66238 | 1 Sunbirddcim | 2 Dctrack, Power Iq | 2025-12-08 | 7.2 High |
| DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine. | ||||
| CVE-2025-12760 | 2 Drupal, Email Tfa Project | 3 Drupal, Email Tfa, Email Tfa | 2025-12-08 | 5.4 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6. | ||||
| CVE-2025-12466 | 2 Drupal, Simple Oauth Project | 3 Drupal, Openid, Simple Oauth | 2025-12-04 | 7.5 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7. | ||||
| CVE-2025-43422 | 1 Apple | 3 Ios, Ipados, Iphone Os | 2025-12-01 | 4.6 Medium |
| The issue was addressed by adding additional logic. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a device may be able to disable Stolen Device Protection. | ||||
| CVE-2025-13539 | 2 Elated Themes, Wordpress | 2 Findall Membership, Wordpress | 2025-12-01 | 9.8 Critical |
| The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email. | ||||
| CVE-2025-13013 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-11-26 | 6.1 Medium |
| Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. | ||||
| CVE-2025-13018 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-11-25 | 8.1 High |
| Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. | ||||
| CVE-2025-10571 | 1 Abb | 1 Ability Edgenius | 2025-11-24 | 9.6 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius.This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1. | ||||
| CVE-2024-7314 | 1 Anji-plus | 2 Aj-report, Report | 2025-11-22 | 9.8 Critical |
| anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | ||||