CVEs classified under CWE-302, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (23)
CVE-2026-48781 — CVSS 9.9 (critical): Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled…
CVE-2024-56404 — CVSS 9.9 (critical): In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only…
CVE-2024-43441 — CVSS 9.8 (critical): Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from…
CVE-2025-47158 — CVSS 9.0 (critical): Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
CVE-2024-12838 — CVSS 8.8 (high): The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote…
CVE-2026-39429 — CVSS 8.2 (high): kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and…
CVE-2025-8855 — CVSS 8.1 (high): Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by…
CVE-2025-24876 — CVSS 8.1 (high): The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an…
CVE-2025-26522: This vulnerability exists in RupeeWeb trading platform due to improper implementation of OTP validation mechanism in certain API endpoints…
CVE-2024-3741 — CVSS 7.5 (high): Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an…
CVE-2024-22179 — CVSS 7.5 (high): The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving…
CVE-2024-45370 — CVSS 7.3 (high): An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A…
CVE-2024-49056 — CVSS 7.3 (high): Authentication bypass by assumed-immutable data on airlift.microsoft.com allows an authorized attacker to elevate privileges over a network.
CVE-2024-8475 — CVSS 6.5 (medium): Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled…
CVE-2024-47086 — CVSS 6.5 (medium): This vulnerability exists in Apex Softcell LD DP Back Office due to improper implementation of OTP validation mechanism in certain API…
CVE-2026-28510 — CVSS 5.9 (medium): eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the…
CVE-2025-43992 — CVSS 5.6 (medium): Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by…
CVE-2026-34460 — CVSS 5.4 (medium): NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state…
CVE-2024-3462 — CVSS 5.4 (medium): Ant Media Server Community Edition in a default configuration is vulnerable to an improper HTTP header based authorization, leading to a…
CVE-2025-46647 — CVSS 5.3 (medium): A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions…
CVE-2026-27840 — CVSS 4.3 (medium): ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC…
CVE-2021-1399 — CVSS 4.3 (medium): A vulnerability in the Self Care Portal of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager…
CVE-2025-20285 — CVSS 4.1 (medium): A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass…