CVEs classified under CWE-289, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (24)
CVE-2026-9701 — CVSS 9.8 (critical): The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The…
CVE-2026-24058 — CVSS 9.8 (critical): Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass…
CVE-2025-13613 — CVSS 9.8 (critical): The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to…
CVE-2024-56511 — CVSS 9.8 (critical): DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the…
CVE-2023-1803 — CVSS 9.8 (critical): Authentication Bypass by Alternate Name vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue…
CVE-2025-29266 — CVSS 9.6 (critical): Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is…
CVE-2026-50627 — CVSS 9.1 (critical): The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a…
CVE-2025-55130 — CVSS 9.1 (critical): A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted…
CVE-2026-56091: When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication…
CVE-2025-64343 — CVSS 7.8 (high): (conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the…
CVE-2025-41248 — CVSS 7.5 (high): The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a…
CVE-2024-11283 — CVSS 7.5 (high): The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to…
CVE-2024-2098 — CVSS 7.5 (high): The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the…
CVE-2023-41890 — CVSS 7.5 (high): Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to…
CVE-2025-60375 — CVSS 7.3 (high): The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side…
CVE-2024-34519 — CVSS 6.8 (medium): Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a…
CVE-2023-38487 — CVSS 6.5 (medium): HedgeDoc is software for creating real-time collaborative markdown notes. Prior to version 1.9.9, the API of HedgeDoc 1 can be used to…
CVE-2025-14777 — CVSS 6.0 (medium): A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource…
CVE-2025-8415 — CVSS 5.9 (medium): A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external…
CVE-2026-23903 — CVSS 5.3 (medium): Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended…
CVE-2023-51663 — CVSS 5.3 (medium): Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic…
CVE-2026-43617 — CVSS 4.8 (medium): Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list…
CVE-2025-64521 — CVSS 4.8 (medium): authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and…
CVE-2026-3184 — CVSS 3.7 (low): A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify…