Total
398 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11534 | 1 Raisecom | 1 Rax701 | 2025-10-23 | N/A |
| The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials. | ||||
| CVE-2025-48926 | 1 Smarsh | 1 Telemessage | 2025-10-22 | 4.3 Medium |
| The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses, passwords, and telephone numbers. | ||||
| CVE-2024-46887 | 2025-10-21 | 5.3 Medium | ||
| The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum communication load. | ||||
| CVE-2025-8093 | 1 Drupal | 1 Drupal | 2025-10-21 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8. | ||||
| CVE-2025-9967 | 2 Gsayed786, Wordpress | 2 Orion Sms Otp Verification, Wordpress | 2025-10-21 | 9.8 Critical |
| The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number | ||||
| CVE-2025-10294 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 9.8 Critical |
| The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet. | ||||
| CVE-2025-22862 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-10-15 | 6.3 Medium |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component. | ||||
| CVE-2025-11522 | 2 Elated-themes, Wordpress | 2 Search And Go Directory, Wordpress | 2025-10-09 | 9.8 Critical |
| The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. | ||||
| CVE-2025-9914 | 1 Sick | 4 Baggage Analytics, Logistic Diagnostic Analytics, Package Analytics and 1 more | 2025-10-08 | 4.3 Medium |
| The credentials of the users stored in the system's local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application. | ||||
| CVE-2025-10653 | 1 Raise3d | 1 Pro2 Series | 2025-10-06 | 8.6 High |
| An unauthenticated debug port may allow access to the device file system. | ||||
| CVE-2025-6388 | 1 Wordpress | 1 Wordpress | 2025-10-06 | 9.8 Critical |
| The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username. | ||||
| CVE-2025-61673 | 1 Aiven | 2 Aiven, Karapace | 2025-10-06 | 8.6 High |
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2. | ||||
| CVE-2025-7038 | 2 Latepoint, Wordpress | 2 Latepoint, Wordpress | 2025-10-02 | 8.2 High |
| The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account. | ||||
| CVE-2025-10538 | 1 Lg | 2 Lnd7210, Lnv7210r | 2025-10-02 | N/A |
| An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information. | ||||
| CVE-2025-24206 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-10-02 | 7.7 High |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy. | ||||
| CVE-2024-10438 | 2 Sun.net, Sunnet | 2 Ehrd Ctms, Ehrd Ctms | 2025-09-25 | 7.5 High |
| The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities. | ||||
| CVE-2025-5955 | 2 Aonetheme, Wordpress | 2 Service Finder Sms System, Wordpress | 2025-09-19 | 8.1 High |
| The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users. | ||||
| CVE-2023-49564 | 1 Nokia | 2 Cbis, Ncs | 2025-09-18 | 8.8 High |
| The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using external firewall. | ||||
| CVE-2025-53099 | 2 Getsentry, Sentry | 2 Sentry, Sentry | 2025-09-15 | 7.5 High |
| Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action. | ||||
| CVE-2025-50904 | 1 Winterchens | 1 My-site | 2025-09-11 | 9.8 Critical |
| There is an authentication bypass vulnerability in WinterChenS my-site thru commit 6c79286 (2025-06-11). An attacker can exploit this vulnerability to access /admin/ API without any token. | ||||