CWE-288 (使用候选路径或通道进行的认证绕过) — Vulnerability Class 435

435 vulnerabilities classified as CWE-288 (使用候选路径或通道进行的认证绕过). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-0948	Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005 — Microsoft Entra ID SSO Login	9.8^AI	Critical^AI	2026-02-04
CVE-2025-13986	Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124 — Disable Login Page	9.8^AI	Critical^AI	2026-01-28
CVE-2025-13980	CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118 — CKEditor 5 Premium Features	9.8^AI	Critical^AI	2026-01-28
CVE-2025-21589	Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass vulnerability — Session Smart Router	9.8	Critical	2026-01-27
CVE-2026-24858	Fortinet多款产品安全漏洞 — FortiOS	9.4	Critical	2026-01-27
CVE-2025-69101	WordPress Workreap Core plugin <= 3.4.1 - Broken Authentication vulnerability — Workreap Core	9.8^AI	Critical^AI	2026-01-22
CVE-2026-23760	SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API — SmarterMail	9.8^AI	Critical^AI	2026-01-22
CVE-2025-10484	Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass — Registration & Login with Mobile Phone Number for WooCommerce	9.8	Critical	2026-01-17
CVE-2025-67915	WordPress Timetics plugin <= 1.0.46 - Broken Authentication vulnerability — Timetics	8.8	High	2026-01-08
CVE-2025-23504	WordPress Felan Framework plugin <= 1.1.3 - Account Takeover vulnerability — Felan Framework	9.8	-	2026-01-08
CVE-2026-21411	Plat’Home OpenBlocks IoT VX2 安全漏洞 — OpenBlocks IoT DX1 (FW5.0.x)	9.8	-	2026-01-06
CVE-2025-3652	Petlibro Smart Pet Feeder Platform through 1.7.31 Audio Information Disclosure via API endpoint — Smart Pet Feeder Platform	5.3	Medium	2026-01-03
CVE-2025-64121	Nuvation Energy Multi-Stack Controller Authentication Bypass — Multi-Stack Controller (MSC)	9.8	-	2026-01-02
CVE-2025-68620	Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling — signalk-server	9.1	Critical	2026-01-01
CVE-2025-15102	DVP-12SE11T - Password Protection Bypass — DVP-12SE11T	9.1	Critical	2025-12-30
CVE-2025-68860	WordPress Mobile builder plugin <= 1.4.2 - Broken Authentication vulnerability — Mobile builder	9.8	Critical	2025-12-29
CVE-2025-64236	WordPress Tuturn plugin < 3.6 - Broken Authentication vulnerability — Tuturn	9.8	Critical	2025-12-18
CVE-2025-14714	TCC Bypass via Inherited Permissions in Bundled Interpreter — LibreOffice	9.8^AI	Critical^AI	2025-12-15
CVE-2025-11984	Authentication Bypass Using an Alternate Path or Channel in GitLab — GitLab	6.8	Medium	2025-12-11
CVE-2025-66238	Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel — DCIM dcTrack	7.2	High	2025-12-04
CVE-2025-13539	FindAll Membership <= 1.0.4 - Authentication Bypass via Social Login — FindAll Membership	9.8	Critical	2025-11-27
CVE-2025-10571	ABB Ability Edgenius Authentication Bypass — ABB Ability Edgenius	9.6	Critical	2025-11-20
CVE-2025-12760	Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115 — Email TFA	9.8^AI	Critical^AI	2025-11-18
CVE-2025-64530	@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields — federation	7.5	High	2025-11-13
CVE-2025-59367	ASUS DSL-AC51 安全漏洞 — DSL-AC51	9.8	-	2025-11-13
CVE-2025-64173	Apollo Router Core: Access Control Bypass on Polymorphic Types — router	7.5	High	2025-11-06
CVE-2025-62064	WordPress Search & Go theme <= 2.7 - Broken Authentication vulnerability — Search & Go	9.8	-	2025-11-06
CVE-2025-5397	Jobmonster - Job Board WordPress Theme <= 4.8.1 - Authentication Bypass — Noo JobMonster	9.8	Critical	2025-10-31
CVE-2025-12466	Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114 — Simple OAuth (OAuth2) & OpenID Connect	9.8^AI	Critical^AI	2025-10-29
CVE-2025-9313	Unauthorized database access in Asseco mMedica — mMedica	9.8^AI	Critical^AI	2025-10-28

Vulnerabilities classified as CWE-288 (使用候选路径或通道进行的认证绕过) represent 435 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-288 (使用候选路径或通道进行的认证绕过) — Vulnerability Class 435