CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-8RH3-RVV2-3MR4
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability.
{
"affected": [],
"aliases": [
"CVE-2026-23596"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T21:22:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability.",
"id": "GHSA-8rh3-rvv2-3mr4",
"modified": "2026-02-17T21:31:15Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23596"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05002en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8RQQ-PQ2C-29Q4
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2026-06-03 15:30Authentication Bypass Using an Alternate Path or Channel vulnerability in GST Electronics inohom Nova Panel N7 allows Authentication Bypass.This issue affects inohom Nova Panel N7: through 1.9.9.6. NOTE: The vendor was contacted and it was learned that the product is not supported.
{
"affected": [],
"aliases": [
"CVE-2024-6684"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:39Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in GST Electronics inohom Nova Panel N7 allows Authentication Bypass.This issue affects inohom Nova Panel N7: through 1.9.9.6.\u00a0NOTE: The vendor was contacted and it was learned that the product is not supported.",
"id": "GHSA-8rqq-pq2c-29q4",
"modified": "2026-06-03T15:30:33Z",
"published": "2024-08-12T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6684"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1194"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:X/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-8V37-Q45V-WGRX
Vulnerability from github – Published: 2025-08-23 09:30 – Updated: 2025-08-23 09:30The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.
{
"affected": [],
"aliases": [
"CVE-2025-5821"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-23T07:15:32Z",
"severity": "CRITICAL"
},
"details": "The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user\u0027s email.",
"id": "GHSA-8v37-q45v-wgrx",
"modified": "2025-08-23T09:30:22Z",
"published": "2025-08-23T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5821"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/consultio-consulting-business-wordpress/25376496"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ce95a04-11bd-488e-ad25-1b661e083eb2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VQG-92MX-5P5H
Vulnerability from github – Published: 2025-07-02 09:30 – Updated: 2025-07-02 15:30Nokia Single RAN AirScale baseband allows an authenticated administrative user access to all physical boards after performing a single login to the baseband system board. The baseband does not re-authenticate the user when they connect from the baseband system board to the baseband capacity boards using the internal bsoc SSH service, which is available only internally within the baseband and through the internal backplane between the boards. The bsoc SSH allows login from one board to another via the baseband internal backplane using an SSH private key present on the baseband system board.
This bsoc SSH capability was previously considered an administrative functionality but has now been restricted to be available only to baseband root-privileged administrators. This restriction mitigates the possibility of misuse with lower-level privileges (e.g., from baseband software images). This mitigation is included starting from release 23R4-SR 3.0 MP and later
{
"affected": [],
"aliases": [
"CVE-2025-24332"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-02T09:15:24Z",
"severity": "HIGH"
},
"details": "Nokia Single RAN AirScale baseband allows an authenticated administrative user access to all physical boards after performing a single login to the baseband system board. The baseband does not re-authenticate the user when they connect from the baseband system board to the baseband capacity boards using the internal bsoc SSH service, which is available only internally within the baseband and through the internal backplane between the boards. The bsoc SSH allows login from one board to another via the baseband internal backplane using an SSH private key present on the baseband system board.\n\nThis bsoc SSH capability was previously considered an administrative functionality but has now been restricted to be available only to baseband root-privileged administrators. This restriction mitigates the possibility of misuse with lower-level privileges (e.g., from baseband software images). This mitigation is included starting from release 23R4-SR 3.0 MP and later",
"id": "GHSA-8vqg-92mx-5p5h",
"modified": "2025-07-02T15:30:36Z",
"published": "2025-07-02T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24332"
},
{
"type": "WEB",
"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VRH-3PM2-V4V6
Vulnerability from github – Published: 2026-02-25 16:00 – Updated: 2026-04-27 14:56Summary
When users share password-protected files, the recipient can completely bypass the password and still download the file.
Details
This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.
PoC
- As an authenticated user, create a share for a file, with a password specified in "Optional password" (make sure to allow anonymous access as the PoC doesn't explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)
- Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)
Now, the link that was copied should look like: https://yourdomain/public/share/yoursharehash example: https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA
Now, make a API request with any api client to GET https://yourdomain/public/api/shareinfo?hash=(the share hash from the link) example: https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA
If curl is preferred, a (command line based API client), here's the command:
curl 'https://yourdomain/public/api/shareinfo?hash=yoursharehash' -H 'Accept: */*'
example:
curl 'https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA' -H 'Accept: */*'
Example response:
{
"shareTheme": "default",
"title": "Shared files - IMG_20240814_213703451.jpg",
"description": "A share has been sent to you to view or download.",
"disableSidebar": false,
"source": "/folder",
"path": "/IMG_20240814_213703451.jpg/",
"downloadURL": "https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D",
"shareURL": "https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA",
"enforceDarkLightMode": "default",
"viewMode": "normal",
"shareType": "normal",
"sidebarLinks": [
{
"name": "Share QR Code and Info",
"category": "shareInfo",
"target": "#",
"icon": "qr_code"
},
{
"name": "Download",
"category": "download",
"target": "#",
"icon": "download"
}
],
"hasPassword": true
}
Look at the downloadURL. It encodes the "&" symbol as "\u0026" so just replace "\u0026" with "&", example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D should be changed to: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D
Then just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.
Impact
This affects anyone who shares password-protected files.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gtsteffaniak/filebrowser/backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260221163904-dbcfba993b85"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27611"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-288",
"CWE-602"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T16:00:49Z",
"nvd_published_at": "2026-02-25T03:16:05Z",
"severity": "HIGH"
},
"details": "### Summary\nWhen users share password-protected files, the recipient can completely bypass the password and still download the file.\n\n### Details\nThis happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.\n\n### PoC\n1. As an authenticated user, create a share for a file, with a password specified in \"Optional password\" (make sure to allow anonymous access as the PoC doesn\u0027t explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)\n2. Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)\n\nNow, the link that was copied should look like:\nhttps://yourdomain/public/share/yoursharehash\nexample:\nhttps://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\n\nNow, make a API request with any api client to GET \nhttps://yourdomain/public/api/shareinfo?hash=(the share hash from the link)\nexample:\nhttps://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA\n\nIf curl is preferred, a (command line based API client), here\u0027s the command:\n`curl \u0027https://yourdomain/public/api/shareinfo?hash=yoursharehash\u0027 -H \u0027Accept: */*\u0027`\nexample:\n`curl \u0027https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA\u0027 -H \u0027Accept: */*\u0027`\n\nExample response:\n```\n{\n \"shareTheme\": \"default\",\n \"title\": \"Shared files - IMG_20240814_213703451.jpg\",\n \"description\": \"A share has been sent to you to view or download.\",\n \"disableSidebar\": false,\n \"source\": \"/folder\",\n \"path\": \"/IMG_20240814_213703451.jpg/\",\n \"downloadURL\": \"https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\",\n \"shareURL\": \"https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\",\n \"enforceDarkLightMode\": \"default\",\n \"viewMode\": \"normal\",\n \"shareType\": \"normal\",\n \"sidebarLinks\": [\n {\n \"name\": \"Share QR Code and Info\",\n \"category\": \"shareInfo\",\n \"target\": \"#\",\n \"icon\": \"qr_code\"\n },\n {\n \"name\": \"Download\",\n \"category\": \"download\",\n \"target\": \"#\",\n \"icon\": \"download\"\n }\n ],\n \"hasPassword\": true\n}\n```\n\nLook at the downloadURL. It encodes the \"\u0026\" symbol as \"\\u0026\" so just replace \"\\u0026\" with \"\u0026\", example: \nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\nshould be changed to:\nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\n\nThen just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.\n\n### Impact\nThis affects anyone who shares password-protected files.",
"id": "GHSA-8vrh-3pm2-v4v6",
"modified": "2026-04-27T14:56:47Z",
"published": "2026-02-25T16:00:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27611"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/commit/a8c9b9419ec530568991a2f72cec4ed263f99e3c"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"
},
{
"type": "PACKAGE",
"url": "https://github.com/gtsteffaniak/filebrowser"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4546"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links "
}
GHSA-8X4M-QW58-3PCX
Vulnerability from github – Published: 2026-03-29 15:15 – Updated: 2026-03-29 15:15Impact
Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:
- Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
- Performing free tempo/charge requests due to missing transfer log verification in pull-mode
- Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
- Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
- Bypassing tempo/session voucher signature verification
- Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
- Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
- Accepting deductions on finalized tempo/session channels
- Bypassing payment on free routes via method-mismatch fallback
- Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)
Patches
Fixed in 0.4.8.
Workarounds
There are no workarounds available for these vulnerabilities.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mppx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-294",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:15:36Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nMultiple vulnerabilities were discovered in `tempo/charge` and `tempo/session` which allowed for undesirable behaviors, including:\n- Replaying `tempo/charge` transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests\n- Performing free `tempo/charge` requests due to missing transfer log verification in pull-mode\n- Replaying `tempo/charge` credentials across routes via cross-route scope confusion (`memo`/`splits` not included in scope binding)\n- Manipulating the fee payer of a `tempo/charge` handler into paying for requests (missing sender signature before co-signing)\n- Bypassing `tempo/session` voucher signature verification\n- Piggybacking off existing `tempo/session` channels via settle voucher reuse and weak channel ID binding\n- Performing free `tempo/session` requests by exploiting channel reopen without on-chain settled state\n- Accepting deductions on finalized `tempo/session` channels\n- Bypassing payment on free routes via method-mismatch fallback\n- Griefing `tempo/session` channels via force-close detection bypass (`closeRequestedAt` not persisted)\n\n### Patches\n\nFixed in 0.4.8.\n\n### Workarounds\n\nThere are no workarounds available for these vulnerabilities.",
"id": "GHSA-8x4m-qw58-3pcx",
"modified": "2026-03-29T15:15:36Z",
"published": "2026-03-29T15:15:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8x4m-qw58-3pcx"
},
{
"type": "PACKAGE",
"url": "https://github.com/wevm/mppx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mppx has multiple payment bypass and griefing vulnerabilities"
}
GHSA-92HX-3MH6-HC49
Vulnerability from github – Published: 2023-09-24 03:30 – Updated: 2024-05-03 20:24An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions "update, patch" the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openshift/apiserver-library-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20230621"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1260"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T18:32:19Z",
"nvd_published_at": "2023-09-24T01:15:42Z",
"severity": "HIGH"
},
"details": "An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions \"update, patch\" the \"pods/ephemeralcontainers\" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.",
"id": "GHSA-92hx-3mh6-hc49",
"modified": "2024-05-03T20:24:51Z",
"published": "2023-09-24T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1260"
},
{
"type": "WEB",
"url": "https://github.com/openshift/apiserver-library-go/commit/a994128188486d2dce99a528fbcc017d276081e0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:3976"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4093"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4312"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4898"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5008"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-1260"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176267"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-92hx-3mh6-hc49"
},
{
"type": "PACKAGE",
"url": "https://github.com/openshift/apiserver-library-go"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231020-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "kube-apiserver authentication bypass vulnerability"
}
GHSA-92MP-2F65-64FR
Vulnerability from github – Published: 2025-06-27 12:31 – Updated: 2026-04-01 18:35Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13.
{
"affected": [],
"aliases": [
"CVE-2025-25171"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T12:15:31Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13.",
"id": "GHSA-92mp-2f65-64fr",
"modified": "2026-04-01T18:35:34Z",
"published": "2025-06-27T12:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25171"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/smartpay/vulnerability/wordpress-wp-smartpay-plugin-2-7-13-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95PV-G7FC-7PXJ
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.
{
"affected": [],
"aliases": [
"CVE-2026-4524"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:23Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.",
"id": "GHSA-95pv-g7fc-7pxj",
"modified": "2026-05-14T06:31:33Z",
"published": "2026-05-14T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4524"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3597717"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/594295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-96H5-Q657-FQCV
Vulnerability from github – Published: 2025-06-24 21:30 – Updated: 2025-06-24 21:30Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2025-6556"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T20:15:27Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-96h5-q657-fqcv",
"modified": "2025-06-24T21:30:30Z",
"published": "2025-06-24T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6556"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_24.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/40062462"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.