Threats Tagged 'cwe-288'
View all threats tagged with 'cwe-288'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cwe-288'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-50194: CWE-288: Authentication Bypass Using an Alternate Path or Channel in SteeltoeOSS Steeltoe.Management.EndpointCVE-2026-50194 0 Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port. Join the discussion | CVE Database V5 | 06/17/2026, 21:03:26 UTC Added: 06/17/2026, 21:50:06 UTC |
CVE-2026-54817: CWE-288 Authentication Bypass Using an Alternate Path or Channel in FluxBuilder MStore APICVE-2026-54817 0 Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4. Join the discussion | CVE Database V5 | 06/17/2026, 13:36:04 UTC Added: 06/17/2026, 14:01:13 UTC |
CVE-2026-54804: CWE-288 Authentication Bypass Using an Alternate Path or Channel in melhorenvio Melhor EnvioCVE-2026-54804 0 Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions. Join the discussion | CVE Database V5 | 06/17/2026, 09:51:43 UTC Added: 06/17/2026, 11:09:09 UTC |
CVE-2026-49767: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Tomdever wpForo ForumCVE-2026-49767 0 Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions. Join the discussion | CVE Database V5 | 06/17/2026, 09:51:27 UTC Added: 06/17/2026, 11:09:04 UTC |
CVE-2026-49071: CWE-288 Authentication Bypass Using an Alternate Path or Channel in OPMC WooCommerce DropshippingCVE-2026-49071 0 Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions. Join the discussion | CVE Database V5 | 06/17/2026, 09:51:19 UTC Added: 06/17/2026, 11:09:04 UTC |
CVE-2026-42629: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Powerpackelements PowerPack Pro for ElementorCVE-2026-42629 0 Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. Join the discussion | CVE Database V5 | 06/17/2026, 09:51:14 UTC Added: 06/17/2026, 11:09:00 UTC |
CVE-2026-25439: CWE-288 Authentication Bypass Using an Alternate Path or Channel in fs-code BookneticCVE-2026-25439 0 Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions. Join the discussion | CVE Database V5 | 06/17/2026, 09:50:41 UTC Added: 06/17/2026, 11:08:48 UTC |
CVE-2026-12225: CWE-288 Authentication bypass using an alternate path or channel in syracom AG Secure Login (2FA) for JiraCVE-2026-12225 0 syracom AG Secure Login (2FA) for Atlassian Jira version 3.4.0.0 contains an authentication bypass vulnerability. An attacker with valid user credentials can bypass the two-factor authentication by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. This allows access to the affected Atlassian application without completing 2FA. If the compromised account has administrative privileges, the attacker can perform administrative actions including disabling the 2FA plugin. The issue is fixed in version 3.5.0.0. Join the discussion | CVE Database V5 | 06/16/2026, 11:20:37 UTC Added: 06/16/2026, 11:30:18 UTC |
CVE-2026-49764: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Metagauss RegistrationMagicCVE-2026-49764 0 Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. Join the discussion | CVE Database V5 | 06/15/2026, 20:19:23 UTC Added: 06/15/2026, 20:32:48 UTC |
CVE-2026-48970: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Really Simple Plugins Really Simple SSLCVE-2026-48970 0 Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions. Join the discussion | CVE Database V5 | 06/15/2026, 20:19:08 UTC Added: 06/15/2026, 20:32:40 UTC |
Showing 1 to 10 of 31 results