
CWE-287 (Improper Authentication) — Vulnerability Class 1185

1185 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese-language analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-4021 | Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 8.1 | High | 2026-03-23 |
| CVE-2026-32879 | New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure | new-api | 4.9 | Medium | 2026-03-23 |
| CVE-2026-33716 | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php | AVideo | 9.4 | Critical | 2026-03-23 |
| CVE-2026-33512 | AVideo has an unauthenticated decrypt oracle leaking any ciphertext | AVideo | 7.5 | High | 2026-03-23 |
| CVE-2026-4592 | kalcaddle kodbox Password Login index.class.php tfaVerify improper authentication | kodbox | 5.6 | Medium | 2026-03-23 |
| CVE-2026-32305 | Traefik mTLS bypass via fragmented ClientHello SNI extraction failure | traefik | 7.5 | - | 2026-03-20 |
| CVE-2026-33124 | Frigate has insecure password change functionality | frigate | 6.5 | - | 2026-03-20 |
| CVE-2026-32815 | SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure | siyuan | 9.1 | - | 2026-03-19 |
| CVE-2026-30836 | Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) | certificates | 10.0 | Critical | 2026-03-19 |
| CVE-2025-14716 | Unauthorized access to information | GateManager | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32730 | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware | apostrophe | 8.1 | High | 2026-03-18 |
| CVE-2026-33042 | Parse Server affected by empty authData bypassing credential requirement on signup | parse-server | 7.5 | - | 2026-03-18 |
| CVE-2026-2991 | KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token | KiviCare – Clinic & Patient Management System (EHR) | 7.3 | High | 2026-03-18 |
| CVE-2026-25937 | GLPI has a MFA bypass | glpi | 6.5 | Medium | 2026-03-17 |
| CVE-2026-4349 | Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication | IdentityServer4 | 5.6 | Medium | 2026-03-17 |
| CVE-2026-32246 | Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint | tinyauth | 8.5 | High | 2026-03-12 |
| CVE-2026-32136 | AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass | AdGuardHome | 9.8 | Critical | 2026-03-11 |
| CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | parse-server | 9.8 | Critical | 2026-03-10 |
| CVE-2026-30949 | Parse Server is missing audience validation in Keycloak authentication adapter | parse-server | 9.1 | Critical | 2026-03-10 |
| CVE-2026-29792 | Feathersjs has an OAuth Callback Account Takeover | feathers | 8.2 | High | 2026-03-10 |
| CVE-2026-26141 | Hybrid Worker Extension (Arc-enabled Windows VMs) Elevation of Privilege Vulnerability | Azure Automation Hybrid Worker Windows Extension | 7.8 | High | 2026-03-10 |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10 |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10 |
| CVE-2026-0953 | Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login | Tutor LMS Pro | 9.8 | Critical | 2026-03-10 |
| CVE-2025-68402 | FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch] | FreshRSS | 5.3 | Medium | 2026-03-09 |
| CVE-2026-3794 | doramart DoraCMS Email API send improper authentication | DoraCMS | 7.3 | High | 2026-03-09 |
| CVE-2026-3739 | suitenumerique messages ThreadAccess serializers.py ThreadAccessSerializer improper authentication | messages | 6.3 | Medium | 2026-03-08 |
| CVE-2026-30851 | Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation | caddy | 8.1 | High | 2026-03-07 |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-server | 9.8 | - | 2026-03-07 |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | zitadel | 8.2 | High | 2026-03-07 |

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1185 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.