Total
419 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23760 | 1 Smartertools | 1 Smartermail | 2026-01-23 | N/A |
| SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | ||||
| CVE-2022-25369 | 2026-01-23 | 9.8 Critical | ||
| An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | ||||
| CVE-2025-34026 | 2 Versa, Versa-networks | 2 Concerto, Concerto | 2026-01-23 | 7.5 High |
| The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable. | ||||
| CVE-2025-69101 | 2 Amentotech, Wordpress | 2 Workreap, Wordpress | 2026-01-23 | N/A |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse.This issue affects Workreap Core: from n/a through <= 3.4.0. | ||||
| CVE-2024-10924 | 1 Really-simple-plugins | 1 Really Simple Security | 2026-01-23 | 9.8 Critical |
| The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default). | ||||
| CVE-2025-67282 | 1 Tim-solutions | 1 Tim Flow | 2026-01-22 | 5.4 Medium |
| In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. | ||||
| CVE-2026-22037 | 1 Fastify | 1 Fastify | 2026-01-20 | 8.4 High |
| The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue. | ||||
| CVE-2025-10484 | 3 Fmeaddons, Woocommerce, Wordpress | 3 Registration And Login With Mobile Phone Number For Woocommerce, Woocommerce, Wordpress | 2026-01-20 | 9.8 Critical |
| The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | ||||
| CVE-2025-68860 | 2 Mobile Builder, Wordpress | 2 Mobile Builder, Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through 1.4.2. | ||||
| CVE-2025-67915 | 2 Arraytics, Wordpress | 2 Timetics, Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46. | ||||
| CVE-2025-64236 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6. | ||||
| CVE-2025-62064 | 2 Elated-themes, Wordpress | 2 Search And Go Directory, Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.This issue affects Search & Go: from n/a through <= 2.7. | ||||
| CVE-2025-60041 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3. | ||||
| CVE-2025-49901 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Authentication Abuse.This issue affects Simple Link Directory: from n/a through < 14.8.1. | ||||
| CVE-2025-23504 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3. | ||||
| CVE-2025-68707 | 2026-01-16 | 8.8 High | ||
| An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | ||||
| CVE-2025-30026 | 1 Axis | 2 Camera Station, Camera Station Pro | 2026-01-16 | 9.8 Critical |
| The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required. | ||||
| CVE-2025-63217 | 1 Itel | 3 Dab Mux, Id Mux, Id Mux Firmware | 2026-01-15 | 9.8 Critical |
| The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2025-46286 | 1 Apple | 4 Ios, Ipad Os, Ipados and 1 more | 2026-01-14 | 4.3 Medium |
| A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment. | ||||
| CVE-2025-22862 | 1 Fortinet | 2 Fortios, Fortiproxy | 2026-01-14 | 6.3 Medium |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component. | ||||