
Threats Tagged 'cwe-290'


CVE-2026-42662: CWE-290 Authentication Bypass by Spoofing in Liquid Web / StellarWP Event Tickets

CVE-2026-42662 is an authentication bypass vulnerability affecting Liquid Web / StellarWP Event Tickets plugin versions up to 5.27.5. This vulnerability allows unauthenticated attackers to bypass authentication controls, potentially leading to limited integrity and availability impacts. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and has a medium severity rating with a CVSS score of 6.5.

CVE-2026-27089: CWE-290 Authentication Bypass by Spoofing in Magepeople inc. WpTravelly

CVE-2026-27089 is an authentication bypass vulnerability affecting WpTravelly versions up to and including 2.1.7. This flaw allows an unauthenticated attacker to bypass authentication controls by spoofing, potentially leading to unauthorized actions that impact integrity. The vulnerability has a high severity rating with a CVSS score of 7.5. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.

CVE-2026-49757: CWE-290 Authentication Bypass by Spoofing in team-alembic ash_authentication

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
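
The lookup mistake described above, modelled in Python as an added example (this is not AshAuthentication's Elixir code): the pre-fix path upserts on the email claim, the fixed path resolves by the stable (strategy, sub) pair and links a new sub to an existing local account by email only when the deployment trusts that provider's email_verified claim. The in-memory Store, the strategy name standing in for the issuer, and the trust_email_verified flag are assumptions made for the illustration.

```python
"""Local-user resolution from OIDC claims: match on email (pre-fix) beside
match on (strategy, sub) with a guarded email link (fixed).  Added Python
model, not AshAuthentication's code; Store and trust_email_verified are
stand-ins for the library's resources and options."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    email: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)       # user id -> User
    identities: dict = field(default_factory=dict)  # (strategy, sub) -> user id
    next_id: int = 1

    def create_user(self, email: str) -> User:
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def find_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email == email), None)


def vulnerable_sign_in(store: Store, strategy: str, claims: dict) -> User:
    """Upsert on the email claim: whoever presents the victim's email, from any
    provider and regardless of email_verified, lands in the victim's account."""
    existing = store.find_by_email(claims["email"])
    return existing if existing is not None else store.create_user(claims["email"])


def fixed_sign_in(store: Store, strategy: str, claims: dict,
                  trust_email_verified: bool) -> Optional[User]:
    """Resolve by the stable (strategy, sub) identity first; the strategy name
    stands in for the issuer, so the pair plays the role of iss/sub.  Link a new
    sub to an existing local account by email only when this provider's
    email_verified claim is trusted and true; otherwise refuse the sign-in."""
    key = (strategy, claims["sub"])
    if key in store.identities:
        return store.users[store.identities[key]]
    existing = store.find_by_email(claims["email"])
    if existing is None:
        user = store.create_user(claims["email"])       # fresh account, no collision
    elif trust_email_verified and claims.get("email_verified") is True:
        user = existing                                  # verified: safe to link
    else:
        return None                                      # unverified or reused email: no link
    store.identities[key] = user.id
    return user
```

Once an identity is linked, later logins with the same sub resolve to the same local account even if the provider-side email changes, which is exactly the stability property §5.7 gives iss/sub and denies to email.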

CVE-2026-34025: CWE-290 Authentication bypass by spoofing in Wertheim GmbH Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.
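
The header-trust problem described above, as an added Python example (not the vendor's code): one derivation takes X-Forwarded-For whenever the header is present, the other honours it only when the TCP peer is a known reverse proxy and then walks the chain from the right so that an entry appended by the proxy beats anything the client sent. The trusted proxy range, the branch address and the request values are constructed for the illustration.

```python
"""Client-IP derivation for an IP-restricted login: X-Forwarded-For taken
whenever present (the behaviour described above) beside a version that
trusts it only from a known proxy.  Added Python model, not the vendor's
code; the proxy range and addresses are constructed values."""
import ipaddress
from typing import Dict, Iterable

# Assumption: reverse proxies that legitimately set X-Forwarded-For live here.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr: str, proxies: Iterable) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def client_ip_vulnerable(remote_addr: str, headers: Dict[str, str]) -> str:
    """Take the leftmost X-Forwarded-For entry if the header exists, no matter
    who sent it: any direct client can claim any branch address."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr: str, headers: Dict[str, str],
                       proxies=TRUSTED_PROXIES) -> str:
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
    the chain from the right past trusted hops; the first untrusted hop is the
    client.  Whatever the proxy appended wins over what the client sent."""
    if not _is_trusted_proxy(remote_addr, proxies):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop, proxies):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr      # malformed entry: fall back to the peer address
    return remote_addr


def login_allowed(branch_ip: str, remote_addr: str, headers: Dict[str, str],
                  derive=client_ip_hardened) -> bool:
    """Branch restriction check, parameterised on the IP-derivation function."""
    return derive(remote_addr, headers) == branch_ip
```

Even the hardened form only makes the branch restriction as strong as the proxy that rewrites the header; a branch-IP check is a network-location signal layered on credentials, not a substitute for them.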

CVE-2026-5792: CWE-290 Authentication bypass by spoofing in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC)

Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026.

CVE-2026-6090: CWE-290: Authentication Bypass by Spoofing in Lenovo Smart Connect

A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.

CVE-2026-48567: CWE-290: Authentication Bypass by Spoofing in Microsoft Azure HorizonDB

Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-8644: CWE-290 Authentication Bypass by Spoofing in IBM WebSphere Application Server

IBM WebSphere Application Server versions 8.5 and 9.0 contain a critical authentication bypass vulnerability (CVE-2026-8644) that allows identity spoofing. This flaw can enable an attacker to bypass authentication controls without user interaction, potentially leading to high impact on integrity and availability. There is no official patch or remediation level currently confirmed by the vendor. No known exploits in the wild have been reported at this time.

CVE-2026-42674: CWE-290 Authentication Bypass by Spoofing in AAM Plugin Advanced Access Manager

Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0.

CVE-2026-47123: CWE-290: Authentication Bypass by Spoofing in freescout-help-desk freescout

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies — which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.
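
The missing verification described above, as an added Python example (not FreeScout's PHP): one parser accepts the thread_id and user_id embedded in a notify Message-ID as-is, the other accepts them only if the trailing tag is an HMAC over those identifiers computed with the application's secret. The exact token layout notify-{thread_id}-{user_id}-{tag}@{domain}, the secret and the sample headers are constructed for the illustration.

```python
"""Reply-token parsing for notification Message-IDs: trusting the embedded
thread_id/user_id as-is (the pre-1.8.220 path described above) beside an
HMAC-verified parse.  Added Python model, not FreeScout's code; token layout,
secret and sample headers are constructed for the example."""
import hashlib
import hmac
import re
from typing import Optional, Tuple

SECRET = b"constructed-app-key-do-not-reuse"   # stands in for the application key
DOMAIN = "helpdesk.example"
_TOKEN = re.compile(r"^<?notify-(\d+)-(\d+)-([0-9a-f]+)@([^>\s]+)>?$")


def _tag(thread_id: int, user_id: int, secret: bytes) -> str:
    """HMAC-SHA256 over the identifiers, truncated to 128 bits for the header."""
    return hmac.new(secret, f"{thread_id}-{user_id}".encode(), hashlib.sha256).hexdigest()[:32]


def make_notify_message_id(thread_id: int, user_id: int, secret: bytes = SECRET) -> str:
    """Message-ID the helpdesk puts on an outbound agent notification."""
    return f"<notify-{thread_id}-{user_id}-{_tag(thread_id, user_id, secret)}@{DOMAIN}>"


def parse_notify_unverified(in_reply_to: str) -> Optional[Tuple[int, int]]:
    """Accept whatever thread and user the header names: a sender who can
    spoof an agent's From address chooses both values."""
    m = _TOKEN.match(in_reply_to.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_notify_verified(in_reply_to: str, secret: bytes = SECRET) -> Optional[Tuple[int, int]]:
    """Accept the identifiers only if the tag was produced with our secret for
    exactly those identifiers (constant-time comparison)."""
    m = _TOKEN.match(in_reply_to.strip())
    if not m:
        return None
    thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    if not hmac.compare_digest(tag, _tag(thread_id, user_id, secret)):
        return None
    return thread_id, user_id


def classify_inbound(headers: dict, parse=parse_notify_verified) -> str:
    """Decide how an inbound mail is handled from In-Reply-To / References."""
    for name in ("In-Reply-To", "References"):
        for candidate in headers.get(name, "").split():
            ids = parse(candidate)
            if ids:
                return f"agent-reply thread={ids[0]} user={ids[1]}"
    return "customer-message"
```

The tag binds the identifiers to the secret, so an outsider cannot mint a header that names an arbitrary agent or thread, and a captured tag cannot be re-pointed at a different thread or user; the From header still carries no authentication on its own.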


Showing 1 to 10 of 104 results
