Total
517 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-31889 | 1 Shopware | 1 Shopware | 2026-03-16 | N/A | 8.9 HIGH |
| Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1. | |||||
| CVE-2026-0385 | 2026-03-16 | N/A | 5.0 MEDIUM | ||
| Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | |||||
| CVE-2025-48840 | 1 Fortinet | 1 Fortiweb | 2026-03-12 | N/A | 5.3 MEDIUM |
| An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.8, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow a remote unauthenticated attacker to bypass hostname restrictions via a specially crafted request. | |||||
| CVE-2025-67298 | 2026-03-12 | N/A | 8.1 HIGH | ||
| An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | |||||
| CVE-2026-32229 | 2026-03-12 | N/A | 6.8 MEDIUM | ||
| In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled | |||||
| CVE-2026-28465 | 1 Openclaw | 1 Openclaw | 2026-03-10 | N/A | 5.9 MEDIUM |
| OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers. | |||||
| CVE-2024-1524 | 1 Wso2 | 2 Api Manager, Identity Server | 2026-03-03 | N/A | 7.7 HIGH |
| When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username. | |||||
| CVE-2026-27700 | 1 Hono | 1 Hono | 2026-03-02 | N/A | 8.2 HIGH |
| Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue. | |||||
| CVE-2024-55925 | 1 Xerox | 1 Workplace Suite | 2026-02-28 | N/A | 7.5 HIGH |
| In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints. | |||||
| CVE-2025-71056 | 2026-02-27 | N/A | 8.1 HIGH | ||
| Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | |||||
| CVE-2026-2800 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-26 | N/A | 9.8 CRITICAL |
| Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148. | |||||
| CVE-2025-69401 | 2026-02-25 | N/A | 7.5 HIGH | ||
| Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing.This issue affects WooODT Lite: from n/a through <= 2.5.2. | |||||
| CVE-2022-2368 | 1 Microweber | 1 Microweber | 2026-02-25 | 7.5 HIGH | 6.5 MEDIUM |
| Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. | |||||
| CVE-2026-24853 | 1 Caido | 1 Caido | 2026-02-24 | N/A | 8.1 HIGH |
| Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0. | |||||
| CVE-2026-21862 | 1 Rustfs | 1 Rustfs | 2026-02-23 | N/A | 7.5 HIGH |
| RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. | |||||
| CVE-2025-13455 | 1 Lenovo | 8 Thinkplus Fu100, Thinkplus Fu100 Firmware, Thinkplus Fu200 and 5 more | 2026-02-23 | N/A | 7.8 HIGH |
| A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | |||||
| CVE-2025-65046 | 1 Microsoft | 1 Edge Chromium | 2026-02-20 | N/A | 3.1 LOW |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
| CVE-2024-8273 | 1 Hypr | 1 Hypr Server | 2026-02-19 | N/A | 8.8 HIGH |
| Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing.This issue affects Server: before 10.1. | |||||
| CVE-2026-25938 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | N/A | 9.8 CRITICAL |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11. | |||||
| CVE-2026-0834 | 1 Tp-link | 4 Archer Ax53, Archer Ax53 Firmware, Archer C20 and 1 more | 2026-02-10 | N/A | 8.8 HIGH |
| Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability.This issue affects Archer C20 v6.0 < V6_251031. Archer AX53 v1.0 < V1_251215 | |||||