Total: 465 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-3531 | | | 2026-03-30 | N/A | 6.5 MEDIUM | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0. |
| CVE-2026-24359 | | | 2026-03-30 | N/A | 8.8 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse. This issue affects Dokan: from n/a through <= 4.2.4. |
| CVE-2026-25406 | | | 2026-03-30 | N/A | 8.8 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse. This issue affects Tutor LMS Pro: from n/a through <= 3.9.4. |
| CVE-2026-25357 | | | 2026-03-30 | N/A | 8.1 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse. This issue affects Ultimate Membership Pro: from n/a through <= 13.7. |
| CVE-2026-25035 | | | 2026-03-30 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse. This issue affects Contest Gallery: from n/a through <= 28.1.2.2. |
| CVE-2026-25002 | | | 2026-03-30 | N/A | 7.5 HIGH | Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress – Sepay Payment learnpress-sepay-payment allows Authentication Abuse. This issue affects LearnPress – Sepay Payment: from n/a through <= 4.0.0. |
| CVE-2026-27049 | | | 2026-03-30 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse. This issue affects Jobica Core: from n/a through <= 1.4.2. |
| CVE-2026-32678 | | | 2026-03-30 | N/A | 7.5 HIGH | An authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication. |
| CVE-2026-2745 | 1 Gitlab | 1 Gitlab | 2026-03-26 | N/A | 6.8 MEDIUM | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process. |
| CVE-2026-3214 | | | 2026-03-26 | N/A | 6.5 MEDIUM | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10. |
| CVE-2026-1917 | | | 2026-03-26 | N/A | 4.3 MEDIUM | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass. This issue affects Login Disable: from 0.0.0 before 2.1.3. |
| CVE-2026-4700 | 1 Mozilla | 1 Firefox | 2026-03-26 | N/A | 9.8 CRITICAL | Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
| CVE-2026-33315 | 1 Vikunja | 1 Vikunja | 2026-03-24 | N/A | 4.3 MEDIUM | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the CalDAV endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue. |
| CVE-2026-23480 | 1 Blinko | 1 Blinko | 2026-03-24 | N/A | 8.8 HIGH | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; the originalPassword parameter is optional and, if not provided, password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4. |
| CVE-2026-32004 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.5 MEDIUM | OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to a canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants such as multi-encoded %2f to access protected /api/channels endpoints. |
| CVE-2026-32031 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 4.8 MEDIUM | OpenClaw server-http versions prior to 2026.2.26 contain an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to a path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication. |
| CVE-2026-22733 | | | 2026-03-20 | N/A | 8.2 HIGH | Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31. |
| CVE-2026-22731 | | | 2026-03-20 | N/A | 8.2 HIGH | Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path already configured as a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and the vulnerable versions are different. |
| CVE-2025-67039 | 1 Lantronix | 4 Eds3008ps1ns, Eds3008ps1ns Firmware, Eds3016ps1ns and 1 more | 2026-03-19 | N/A | 9.1 CRITICAL | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username. |
| CVE-2025-67041 | 1 Lantronix | 4 Eds3008ps1ns, Eds3008ps1ns Firmware, Eds3016ps1ns and 1 more | 2026-03-19 | N/A | 9.8 CRITICAL | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. |
