Total
346 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11349 | 2 Scriptsbundle, Wordpress | 2 Adforest, Wordpress | 2025-08-12 | 9.8 Critical |
| The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators. | ||||
| CVE-2025-55012 | 1 Zed-industries | 1 Zed | 2025-08-12 | N/A |
| Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue involves either avoid sending prompts to the Agent Panel, or to limit the AI Agent's file system access. | ||||
| CVE-2025-30184 | 1 Cyberdata | 2 011209 Sip Emergency Intercom, 011209 Sip Emergency Intercom Firmware | 2025-08-12 | 9.8 Critical |
| CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path. | ||||
| CVE-2025-49125 | 1 Apache | 1 Tomcat | 2025-08-12 | 7.5 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | ||||
| CVE-2025-24000 | 2 Wordpress, Wpexperts | 2 Wordpress, Post Smtp | 2025-08-12 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0. | ||||
| CVE-2025-0549 | 1 Gitlab | 1 Gitlab | 2025-08-08 | 6.8 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction. | ||||
| CVE-2024-43234 | 1 Xtendify | 1 Woffice | 2025-08-08 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice allows Authentication Bypass.This issue affects Woffice: from n/a through 5.4.14. | ||||
| CVE-2025-24472 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-08-08 | 8.1 High |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests. | ||||
| CVE-2025-44957 | 2 Commscope, Ruckus | 32 Ruckus C110, Ruckus E510, Ruckus H320 and 29 more | 2025-08-07 | 8.5 High |
| Ruckus SmartZone (SZ) before 6.1.2p3 Refresh Build allows authentication bypass via a valid API key and crafted HTTP headers. | ||||
| CVE-2025-7710 | 2 Brave, Wordpress | 2 Brave, Wordpress | 2025-08-05 | 9.8 Critical |
| The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators. | ||||
| CVE-2024-12225 | 2 Quarkus, Redhat | 2 Quarkus, Quarkus | 2025-07-31 | 9.1 Critical |
| A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name. | ||||
| CVE-2020-10148 | 1 Solarwinds | 1 Orion Platform | 2025-07-30 | 9.8 Critical |
| The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected. | ||||
| CVE-2023-20269 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-07-30 | 5 Medium |
| A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability. | ||||
| CVE-2023-42793 | 1 Jetbrains | 1 Teamcity | 2025-07-30 | 9.8 Critical |
| In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible | ||||
| CVE-2023-46747 | 1 F5 | 20 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 17 more | 2025-07-30 | 9.8 Critical |
| Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | ||||
| CVE-2024-1709 | 1 Connectwise | 1 Screenconnect | 2025-07-30 | 10 Critical |
| ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | ||||
| CVE-2024-27198 | 1 Jetbrains | 1 Teamcity | 2025-07-30 | 9.8 Critical |
| In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible | ||||
| CVE-2024-55591 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-07-30 | 9.6 Critical |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. | ||||
| CVE-2025-4427 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-07-30 | 5.3 Medium |
| An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. | ||||
| CVE-2025-6895 | 2 Melapress, Wordpress | 2 Melapress Login Security, Wordpress | 2025-07-29 | 9.8 Critical |
| The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user. | ||||