Tag: pre-auth
All items tagged pre-auth.
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV
- CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30
- CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS v4 10.0, CISA KEV)
- CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited
- CVE-2026-40624 — AVer PTC-series conference cameras: unauthenticated RCE via the management web interface
- UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
- CVE-2026-12046 / CVE-2026-12045 / CVE-2026-12048 — pgAdmin 4: unauthenticated pickle deserialization RCE, AI-Assistant read-only-transaction bypass, stored XSS
- CVE-2026-42530 / CVE-2026-42055 — NGINX: HTTP/3 QUIC use-after-free and HTTP/2-proxy heap overflow, out-of-band F5 patches
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (CVSS 9.4) and Logix CIP denial-of-service, flagged by NCSC-CH
- CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)
- UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089
- CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU
- CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy [SINGLE-SOURCE]
- CVE-2026-49261 — MariaDB Galera cluster: pre-auth lateral RCE via `wsrep_notify_cmd`
- CVE-2026-44748 — SAP NetWeaver AS ABAP: SAML XML Signature Wrapping (CVSS 9.9) [SINGLE-SOURCE]
- CVE-2026-10795 — UpdraftPlus WordPress backup plugin: unauthenticated authentication bypass to RCE
- CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy
- UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored
- CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session
- June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online
- CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild
- UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today
- CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs)
- CVE-2026-47895 — strongSwan: pre-auth double-free in libstrongswan identity cloning, unauthenticated RCE over EAP (fixed in 6.0.7)
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
- CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated `eval()` injection, actively exploited at scale
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited
- CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
- CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
- CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
- CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
- CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
- UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
- CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
- ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)
- CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)
- CVE-2026-9312 — GitHub Enterprise Server (< 3.22): unauthenticated SSRF via upload-endpoint path traversal exposes internal services and credentials
- CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]
- CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day
- Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980
- CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
- CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)
- CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection
- Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure
- DNS-resolver patch cluster — Unbound 1.25.1 (11 CVEs) and ISC BIND 9.18.49 / 9.20.23
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
- CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before the auth check (CVSS v4 10.0; still unpatched in v1.5.9)
- UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only
- Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
- Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch
- CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network
- vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4
- UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)
- UPDATE: CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28
- Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
- Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
- CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround
- CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched
- CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
- Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters
- PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days
- PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE
- CVE-2026-34263 — SAP Commerce Cloud pre-auth RCE; CVE-2026-34260 — SAP S/4HANA Enterprise Search SQL injection
- SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned
- CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS v4 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions
- UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover
- CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]
- CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds
- CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)
- CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection
- UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13
- UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option
- Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission
- CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure, KEV deadline and deadline expiry all inside one reporting window
- CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)
- Hardening and mitigation
- Patch PHP across all web-facing infrastructure
- CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]
- CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
- CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]
- UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail
- Swiss and DACH Deployment Context
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
- UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13