ReportizFlow
Filtered by vendor
Subscriptions
Total
458 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3930 | 1 Google | 1 Chrome | 2026-03-14 | 6.5 Medium |
| Unsafe navigation in Navigation in Google Chrome on iOS prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-26117 | 1 Microsoft | 1 Arc Enabled Servers Azure Connected Machine Agent | 2026-03-14 | 7.8 High |
| Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-22572 | 1 Fortinet | 5 Fortianalyzer, Fortianalyzercloud, Fortimanager and 2 more | 2026-03-13 | 6.8 Medium |
| An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests. | ||||
| CVE-2025-67041 | 1 Lantronix | 1 Eds3000ps | 2026-03-13 | 9.8 Critical |
| An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. | ||||
| CVE-2025-67039 | 1 Lantronix | 1 Eds3000ps | 2026-03-13 | 9.1 Critical |
| An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username. | ||||
| CVE-2026-32130 | 1 Zitadel | 1 Zitadel | 2026-03-13 | 7.5 High |
| ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2. | ||||
| CVE-2026-0602 | 1 Gitlab | 1 Gitlab | 2026-03-13 | 4.3 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances. | ||||
| CVE-2025-70082 | 1 Lantronix | 1 Eds3000ps | 2026-03-13 | 9.8 Critical |
| An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component | ||||
| CVE-2026-27842 | 1 Micro Research | 2 Mr-gm5a-l1, Mr-gm5l-s1 | 2026-03-11 | N/A |
| Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration. | ||||
| CVE-2026-1603 | 1 Ivanti | 1 Endpoint Manager | 2026-03-10 | 8.6 High |
| An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. | ||||
| CVE-2026-30777 | 1 Ec-cube | 4 Ec-cube, Ec-cube 4.1 Series, Ec-cube 4.2 Series and 1 more | 2026-03-09 | 6.5 Medium |
| EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page. | ||||
| CVE-2026-27389 | 2 Designthemes, Wordpress | 2 Wedesigntech Ultimate Booking Addon, Wordpress | 2026-03-09 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1. | ||||
| CVE-2026-27390 | 2 Designthemes, Wordpress | 2 Wedesigntech Ultimate Booking Addon, Wordpress | 2026-03-09 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1. | ||||
| CVE-2026-2791 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-03-06 | 9.8 Critical |
| Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | ||||
| CVE-2026-2775 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2026-03-06 | 9.8 Critical |
| Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | ||||
| CVE-2026-20079 | 1 Cisco | 1 Secure Firewall Management Center | 2026-03-05 | 10 Critical |
| A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device. | ||||
| CVE-2025-34251 | 2 Google, Tesla | 4 Android, Telematics Control Unit, Tesla and 1 more | 2026-03-05 | N/A |
| Tesla Telematics Control Unit (TCU) firmware prior to v2025.14 contains an authentication bypass vulnerability. The TCU runs the Android Debug Bridge (adbd) as root and, despite a “lockdown” check that disables adb shell, still permits adb push/pull and adb forward. Because adbd is privileged and the device’s USB port is exposed externally, an attacker with physical access can write an arbitrary file to a writable location and then overwrite the kernel’s uevent_helper or /proc/sys/kernel/hotplug entries via ADB, causing the script to be executed with root privileges. | ||||
| CVE-2026-23760 | 1 Smartertools | 1 Smartermail | 2026-03-05 | 9.8 Critical |
| SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | ||||
| CVE-2026-22205 | 1 Spip | 2 Saisies, Spip | 2026-03-05 | 7.5 High |
| SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data. | ||||
| CVE-2020-37156 | 2 Bloodx Project, Diveshlunker | 2 Bloodx, Bloodx | 2026-03-05 | 6.5 Medium |
| BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access. | ||||