Total
411 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4427 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-10-24 | N/A | 5.3 MEDIUM |
| An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. | |||||
| CVE-2024-1709 | 1 Connectwise | 1 Screenconnect | 2025-10-24 | N/A | 10.0 CRITICAL |
| ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | |||||
| CVE-2024-55591 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-10-24 | N/A | 9.8 CRITICAL |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. | |||||
| CVE-2025-24472 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-10-24 | N/A | 8.1 HIGH |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests. | |||||
| CVE-2025-48926 | 1 Smarsh | 1 Telemessage | 2025-10-22 | N/A | 4.3 MEDIUM |
| The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses, passwords, and telephone numbers. | |||||
| CVE-2025-11534 | 2025-10-21 | N/A | N/A | ||
| The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials. | |||||
| CVE-2025-58133 | 1 Zoom | 1 Rooms | 2025-10-21 | N/A | 5.3 MEDIUM |
| Authentication bypass in some Zoom Rooms Clients before version 6.5.1 may allow an unauthenticated user to conduct a disclosure of information via network access. | |||||
| CVE-2025-10294 | 2025-10-16 | N/A | 9.8 CRITICAL | ||
| The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet. | |||||
| CVE-2025-9967 | 2025-10-16 | N/A | 9.8 CRITICAL | ||
| The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number | |||||
| CVE-2025-22862 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-10-15 | N/A | 6.7 MEDIUM |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component. | |||||
| CVE-2025-11522 | 2025-10-09 | N/A | 9.8 CRITICAL | ||
| The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. | |||||
| CVE-2025-34251 | 2025-10-08 | N/A | N/A | ||
| Tesla Telematics Control Unit (TCU) firmware prior to v2025.14 contains an authentication bypass vulnerability. The TCU runs the Android Debug Bridge (adbd) as root and, despite a “lockdown” check that disables adb shell, still permits adb push/pull and adb forward. Because adbd is privileged and the device’s USB port is exposed externally, an attacker with physical access can write an arbitrary file to a writable location and then overwrite the kernel’s uevent_helper or /proc/sys/kernel/hotplug entries via ADB, causing the script to be executed with root privileges. | |||||
| CVE-2025-6388 | 2025-10-06 | N/A | 9.8 CRITICAL | ||
| The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username. | |||||
| CVE-2025-10653 | 2025-10-06 | N/A | 8.6 HIGH | ||
| An unauthenticated debug port may allow access to the device file system. | |||||
| CVE-2025-61673 | 2025-10-06 | N/A | 8.6 HIGH | ||
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2. | |||||
| CVE-2025-7038 | 2025-10-02 | N/A | 8.2 HIGH | ||
| The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account. | |||||
| CVE-2025-10538 | 2025-10-02 | N/A | N/A | ||
| An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information. | |||||
| CVE-2025-24206 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-10-02 | N/A | 7.7 HIGH |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy. | |||||
| CVE-2025-0364 | 1 Bigantsoft | 1 Bigant Server | 2025-09-29 | N/A | 9.8 CRITICAL |
| BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed SaaS registration mechanism. Once an administrator, the attacker can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to unauthenticated code execution. | |||||
| CVE-2024-10438 | 1 Sun.net | 1 Ehrd Ctms | 2025-09-25 | N/A | 7.5 HIGH |
| The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities. | |||||