CVEs classified under CWE-288, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-53622 — CVSS 10.0 (critical): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS…
CVE-2026-48491 — CVSS 10.0 (critical): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's…
CVE-2026-48020 — CVSS 10.0 (critical): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in…
CVE-2026-20079 — CVSS 10.0 (critical): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote…
CVE-2024-10081 — CVSS 10.0 (critical): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication…
CVE-2024-2973 — CVSS 10.0 (critical): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running…
CVE-2026-10523 — CVSS 9.9 (critical): An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote…
CVE-2024-6684: Authentication Bypass Using an Alternate Path or Channel vulnerability in GST Electronics inohom Nova Panel N7 allows Authentication…
CVE-2019-25763 — CVSS 9.8 (critical): WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain…
CVE-2025-41273 — CVSS 9.8 (critical): Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall…
CVE-2026-24207 — CVSS 9.8 (critical): NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of…
CVE-2026-40621 — CVSS 9.8 (critical): ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated…
CVE-2026-7458 — CVSS 9.8 (critical): The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including…
CVE-2026-7567 — CVSS 9.8 (critical): The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to…
CVE-2026-40630 — CVSS 9.8 (critical): A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to…
CVE-2026-6771 — CVSS 9.8 (critical): Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and…
CVE-2026-6768 — CVSS 9.8 (critical): Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
CVE-2026-6760 — CVSS 9.8 (critical): Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
CVE-2026-3461 — CVSS 9.8 (critical): The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This…
CVE-2026-31271 — CVSS 9.8 (critical): megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in…
CVE-2026-30079 — CVSS 9.8 (critical): In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows…
CVE-2026-31151 — CVSS 9.8 (critical): An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application 's…
CVE-2026-29139 — CVSS 9.8 (critical): SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim…
CVE-2026-27049 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This…
CVE-2026-25035 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery…
CVE-2026-4700 — CVSS 9.8 (critical): Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and…
CVE-2026-27842 — CVSS 9.8 (critical): Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device…
CVE-2026-27389 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon…
CVE-2026-2628 — CVSS 9.8 (critical): The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up…
CVE-2026-28411 — CVSS 9.8 (critical): WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST`…
CVE-2025-69985 — CVSS 9.8 (critical): FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in…
CVE-2026-2791 — CVSS 9.8 (critical): Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and…
CVE-2026-2784 — CVSS 9.8 (critical): Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and…
CVE-2026-2775 — CVSS 9.8 (critical): Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8…
CVE-2026-2096 — CVSS 9.8 (critical): Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and…
CVE-2026-2095 — CVSS 9.8 (critical): Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific…
CVE-2025-21589 — CVSS 9.8 (critical): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allows a…
CVE-2025-10484 — CVSS 9.8 (critical): The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all…
CVE-2025-23504 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication…
CVE-2025-64121 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows…
CVE-2025-68860 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows…
CVE-2025-64236 — CVSS 9.8 (critical): Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects…
CVE-2025-13539 — CVSS 9.8 (critical): The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due…
CVE-2025-63217 — CVSS 9.8 (critical): The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can…