Authentication-Bypass
Oracle E-Business Suite Payments Flaw Under Active Exploitation Before Patch Window Closed
CVE-2026-46817, a CVSS 9.8 unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being mass-exploited via the ibytransmit endpoint — patched in May but hit in the wild before any public PoC existed.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection — CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
A Zero-Length Compare and 27 Years: OpenBSD's PAP Authentication Bypass (CVE-2026-55706)
CVE-2026-55706 is a 27-year-old authentication bypass in OpenBSD's sppp(4) PAP handler. An attacker-controlled compare length means empty credentials produce a PAP_ACK — and an oversized one leaks kernel heap. Full details and a working PoC are public.
CVE-2026-50751: Check Point VPN Auth Bypass Exploited by Qilin — IKEv1 Sessions Without a Password
Check Point confirmed active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass in Remote Access VPN and Mobile Access deployments running deprecated IKEv1. Attackers establish VPN sessions without a valid password; one case is tied to a Qilin ransomware affiliate. Earliest exploitation traces to May 7.
CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Now Exploited — Unauthorized VPN Access Into Your Network
Palo Alto confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 GlobalProtect authentication bypass that lets attackers establish unauthorized VPN sessions into the internal network. Rapid7 traced exploitation back to May 17. CISA KEV deadline is June 1.
BadHost (CVE-2026-48710): A Forged Host Header Walks Past Auth in Every Starlette App
BadHost (CVE-2026-48710) is a Host-header authentication bypass in Starlette before 1.0.1. One malformed header makes request.url.path lie to your middleware — unlocking protected routes on FastAPI, vLLM, LiteLLM, and MCP servers without credentials.
Cisco Secure Workload CVE-2026-20223: Unauthenticated API Flaw Hands Over Site Admin
A CVSS 10.0 flaw in Cisco Secure Workload lets unauthenticated attackers reach internal REST APIs with Site Admin privileges across tenant boundaries. No workarounds — patch now.
Sentry CVE-2026-42354: Incomplete Fix Reopens SAML SSO Account Takeover
Sentry self-hosted is vulnerable again to cross-organization SAML account takeover, three months after CVE-2026-27197 was supposedly patched. Upgrade to 26.4.1.
MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials
Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation; Airbus reported both, no in-the-wild exploitation yet but the MFT family's track record demands immediate patching.
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth
Fortinet discloses CVE-2026-39808 and CVE-2026-39813 — two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server — No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE — with ~30,000 Storage Zone Controllers exposed and a public POC now available.
Cisco Patches Two 9.8 CVSS Flaws in IMC and Smart Software Manager — No Workarounds Available
Critical authentication bypass in Cisco IMC (CVE-2026-20093) and unauthenticated root RCE in SSM On-Prem (CVE-2026-20160) both score CVSS 9.8. Patch immediately — no workarounds exist.
Your Firewall Is the Foothold: Q1 2026's Edge Device Exploitation Epidemic
Three months into 2026, edge devices are the dominant entry point for attackers. A deep dive into the FortiGate SSO bypass and Ivanti EPMM RCE chains, and why this pattern shows no signs of stopping.
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.