ReportizFlow
Filtered by vendor
Subscriptions
Total
535 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-36119 | 1 Ibm | 1 I | 2026-02-26 | 7.1 High |
| IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator. | ||||
| CVE-2025-26421 | 1 Google | 1 Android | 2026-02-26 | 4 Medium |
| In multiple locations, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-26419 | 1 Google | 1 Android | 2026-02-26 | 3.3 Low |
| In initPhoneSwitch of SystemSettingsFragment.java, there is a possible FRP bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-59385 | 2 Qnap, Qnap Systems Inc. | 4 Qts, Quts Hero, Qts and 1 more | 2026-02-26 | 9.8 Critical |
| An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later | ||||
| CVE-2025-69258 | 2 Microsoft, Trendmicro | 3 Windows, Apex Central, Apexcentral | 2026-02-26 | 9.8 Critical |
| A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations. | ||||
| CVE-2026-0834 | 1 Tp-link | 4 Archer Ax53, Archer Ax53 Firmware, Archer C20 and 1 more | 2026-02-26 | 8.8 High |
| Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability.This issue affects Archer C20 v6.0 < V6_251031. Archer AX53 v1.0 < V1_251215 | ||||
| CVE-2025-69401 | 2 Mdalabar, Wordpress | 2 Wooodt Lite, Wordpress | 2026-02-25 | 7.5 High |
| Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing.This issue affects WooODT Lite: from n/a through <= 2.5.2. | ||||
| CVE-2022-2368 | 1 Microweber | 1 Microweber | 2026-02-25 | 6.5 Medium |
| Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. | ||||
| CVE-2026-24853 | 1 Caido | 1 Caido | 2026-02-24 | 8.1 High |
| Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0. | ||||
| CVE-2026-21862 | 1 Rustfs | 1 Rustfs | 2026-02-23 | 7.5 High |
| RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. | ||||
| CVE-2025-13455 | 1 Lenovo | 8 Thinkplus Fu100, Thinkplus Fu100 Firmware, Thinkplus Fu200 and 5 more | 2026-02-23 | 7.8 High |
| A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | ||||
| CVE-2025-59501 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2026-02-22 | 4.8 Medium |
| Authentication bypass by spoofing in Microsoft Configuration Manager allows an authorized attacker to perform spoofing over an adjacent network. | ||||
| CVE-2025-65046 | 1 Microsoft | 2 Edge, Edge Chromium | 2026-02-20 | 3.1 Low |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2024-8273 | 1 Hypr | 1 Hypr Server | 2026-02-19 | 8.8 High |
| Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing.This issue affects Server: before 10.1. | ||||
| CVE-2026-25938 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | 9.8 Critical |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11. | ||||
| CVE-2024-53862 | 1 Argoproj | 2 Argo-workflows, Argo Workflows | 2026-02-06 | 7.5 High |
| Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` or when using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`. No authentication is performed by the Server itself on `client` tokens. Authentication & authorization is instead delegated to the k8s API server. However, the Workflow Archive does not interact with k8s, and so any token that looks valid will be considered authenticated, even if it is not a k8s token or even if the token has no RBAC for Argo. To handle the lack of pass-through k8s authN/authZ, the Workflow Archive specifically does the equivalent of a `kubectl auth can-i` check for respective methods. In 3.5.7 and 3.5.8, the auth check was accidentally removed on the GET Workflow endpoint's fallback to archived workflows on these lines, allowing archived workflows to be retrieved with a fake token. This vulnerability is fixed in 3.6.2 and 3.5.13. | ||||
| CVE-2020-37056 | 1 Crystal Shard | 1 Http-protection | 2026-02-03 | 9.8 Critical |
| Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access. | ||||
| CVE-2025-11250 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2026-01-29 | 9.1 Critical |
| Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. | ||||
| CVE-2022-35957 | 3 Fedoraproject, Grafana, Redhat | 4 Fedora, Grafana, Ceph Storage and 1 more | 2026-01-28 | 6.6 Medium |
| Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ | ||||
| CVE-2024-5037 | 1 Redhat | 4 Logging, Openshift, Openshift Container Platform and 1 more | 2026-01-27 | 7.5 High |
| A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. | ||||