Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
40 articles

#Unauthenticated

All CosmicBytez Labs articles tagged #Unauthenticated, across news, security advisories, how-to guides, and projects.

  • SecurityJul 16, 2026

    CVE-2026-46339: 9Router Unauthenticated Plugin Registration & MCP Command Execution

    A critical CVSS 10 vulnerability in 9Router AI router versions 0.4.30–0.4.36 allows unauthenticated attackers to register custom plugins and execute arbitrary commands via an unprotected MCP bridge endpoint.

  • SecurityJul 8, 2026

    CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

    A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary...

  • SecurityJul 8, 2026

    CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

    A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server,...

  • SecurityJul 8, 2026

    CVE-2026-53483: Dell PowerProtect Data Domain Authentication Bypass — CVSS 9.8

    A critical authentication bypass in Dell PowerProtect Data Domain allows unauthenticated remote attackers to gain access to the backup platform. Combined...

  • SecurityJul 7, 2026

    CVE-2026-56290: Joomlack Page Builder Unauthenticated File Upload RCE — CISA KEV

    A CVSS 10.0 unauthenticated arbitrary file upload vulnerability in the Joomlack Page Builder CK Joomla extension allows any remote attacker to upload a...

  • SecurityJun 17, 2026

    CVE-2026-52715: GEO my WordPress Unauthenticated SQL Injection (CVSS 9.3)

    A critical unauthenticated SQL injection vulnerability in GEO my WordPress versions 4.5.5 and earlier allows attackers to extract database contents...

  • SecurityJun 5, 2026

    CVE-2026-35906: T3 Technology CPE Unauthenticated Root RCE via Debug CGI

    An undocumented debug CGI endpoint in T3 Technology CPE devices (T625Pro v1.0.07, T6825G v1.0.03) allows unauthenticated remote attackers to execute arbitrary…

  • SecurityJun 4, 2026

    CVE-2026-49188: ai_cmd Utility Root-Level popen() Injection via Socket Input

    A critical CVSS 9.8 vulnerability in the ai_cmd utility executes with full root permissions and pipes socket inputs directly to popen(), enabling…

  • SecurityJun 1, 2026

    CVE-2024-21182: Oracle WebLogic Server Unspecified Vulnerability

    Oracle WebLogic Server contains an unspecified vulnerability allowing unauthenticated attackers network access via T3 and IIOP protocols, potentially exposing…

  • SecurityMay 30, 2026

    CVE-2026-9757: GEO my WP Plugin SQL Injection via Query String Bypass

    The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...

  • SecurityMay 29, 2026

    CVE-2026-3655: OTP Login WordPress Plugin Auth Bypass via Firebase Session Mismatch

    A critical authentication bypass (CVSS 9.8) in the OTP Login With Phone Number WordPress plugin allows unauthenticated attackers to log in as any user due...

  • SecurityMay 29, 2026

    CVE-2026-8732: WP Maps Pro Privilege Escalation via Admin Account Creation

    A critical unauthenticated privilege escalation flaw in WP Maps Pro for WordPress (CVSS 9.8) allows attackers to create administrator accounts without...

  • SecurityMay 28, 2026

    CVE-2026-45083 — Goobi Viewer Unauthenticated RCE via Solr Streaming Expression Injection

    CVSS 9.8 in Goobi Viewer REST API lets unauthenticated clients inject Solr streaming expressions, enabling RCE on affected digital heritage platforms.

  • SecurityMay 27, 2026

    CVE-2026-45247 — Mirasvit Magento 2 Cache Warmer PHP Object Injection RCE

    CVSS 9.8 PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 lets unauthenticated attackers achieve RCE — patch to 1.11.12 now.

  • SecurityMay 22, 2026

    CVE-2026-34910 — UniFi OS Unauthenticated Command Injection

    A CVSS 10.0 command injection vulnerability in UniFi OS allows any network-accessible attacker with no credentials to execute arbitrary OS commands,...

  • SecurityMay 21, 2026

    CVE-2026-6279: Avada Builder Unauthenticated RCE via PHP

    A critical CVSS 9.8 vulnerability in the Avada Builder (fusion-builder) WordPress plugin allows unauthenticated attackers to execute arbitrary PHP...

  • SecurityMay 20, 2026

    CVE-2026-34234 — CtrlPanel Installer Unauthenticated Remote

    A CVSS 10.0 RCE vulnerability in CtrlPanel's web-based installer allows unauthenticated attackers to execute arbitrary code by exploiting a logic flaw...

  • SecurityMay 20, 2026

    CVE-2026-7637: WordPress Boost Plugin PHP Object Injection

    The Boost plugin for WordPress versions up to 2.0.3 is vulnerable to PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie,...

  • SecurityMay 15, 2026

    Critical Blind SQL Injection in Akilli E-Commerce Website

    A CVSS 9.8 blind SQL injection vulnerability in Akilli Commerce's e-commerce platform allows unauthenticated attackers to extract the entire database...

  • SecurityMay 15, 2026

    Critical Auth Bypass in InfusedWoo Pro Enables

    A CVSS 9.1 authorization bypass in InfusedWoo Pro for WordPress lets unauthenticated attackers permanently delete arbitrary data across all installations...

  • SecurityMay 12, 2026

    CVE-2026-34263 — SAP Commerce Cloud Unauthenticated RCE

    A critical unauthenticated remote code execution vulnerability in SAP Commerce Cloud allows any unauthenticated user to upload malicious configurations...

  • SecurityMay 11, 2026

    CVE-2026-6433: WordPress Plugin SQLi Enables

    The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...

  • SecurityMay 2, 2026

    CVE-2026-4882: Unauthenticated File Upload in WordPress

    A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...

  • SecurityApr 24, 2026

    Kofax Capture Unauthenticated RCE via Exposed .NET Remoting

    A critical unauthenticated RCE vulnerability in Kofax Capture (Tungsten Capture) exposes a deprecated .NET Remoting HTTP channel on port 2424 with no...

  • SecurityApr 24, 2026

    CVE-2026-26210: KTransformers Unsafe Deserialization RCE

    KTransformers through version 0.5.3 contains a critical unsafe deserialization vulnerability in its balance_serve backend mode, where an unauthenticated...

  • SecurityApr 24, 2026

    CVE-2026-32210: Microsoft Dynamics 365 Online SSRF Enables

    A critical server-side request forgery vulnerability in Microsoft Dynamics 365 (Online) allows an unauthenticated remote attacker to perform spoofing over...

  • SecurityApr 24, 2026

    SocialEngine Unauthenticated SQL Injection via Activity

    A critical SQL injection vulnerability in SocialEngine versions 7.8.0 and prior allows unauthenticated remote attackers to execute arbitrary SQL queries...

  • SecurityApr 24, 2026

    CVE-2026-6887: Borg SPM 2007 SQL Injection Exposes Full

    A critical SQL injection vulnerability in the end-of-life Borg SPM 2007 application allows unauthenticated remote attackers to inject arbitrary SQL...

  • SecurityApr 11, 2026

    CVE-2026-6057: FalkorDB Browser Unauthenticated Path

    FalkorDB Browser 1.9.3 contains a critical unauthenticated path traversal vulnerability in its file upload API that allows remote attackers to write...

  • SecurityApr 9, 2026

    CVE-2026-1830: WordPress Quick Playground Plugin RCE via Unauthenticated File Upload

    A critical CVSS 9.8 vulnerability in the Quick Playground WordPress plugin (versions up to 1.3.1) allows unauthenticated attackers to upload arbitrary...

  • SecurityApr 8, 2026

    CVE-2021-4473: Tianxin Behavior Management System

    A critical unauthenticated command injection vulnerability in the Tianxin Internet Behavior Management System's Reporter component allows attackers to...

  • SecurityApr 8, 2026

    CVE-2026-22679: Weaver E-cology 10.0 Unauthenticated Remote

    A critical unauthenticated RCE vulnerability in Weaver (Fanwei) E-cology 10.0 allows attackers to execute arbitrary commands by abusing an exposed Dubbo...

  • SecurityApr 6, 2026

    CVE-2019-25662: ResourceSpace 8.6 Unauthenticated SQL

    An unauthenticated SQL injection vulnerability in ResourceSpace 8.6 allows attackers to execute arbitrary database queries via the 'ref' parameter in...

  • SecurityApr 5, 2026

    CVE-2016-20052: Snews CMS 1.7 Unrestricted File Upload

    Snews CMS 1.7 contains a critical unrestricted file upload vulnerability allowing unauthenticated attackers to upload PHP webshells to the snews_files...

  • SecurityApr 3, 2026

    CVE-2026-33615: Critical Unauthenticated SQL Injection in setinfo Endpoint

    A critical unauthenticated SQL injection vulnerability (CVSS 9.1) in the setinfo endpoint allows remote attackers to corrupt data and cause denial of...

  • SecurityMar 21, 2026

    CVE-2025-54068: Laravel Livewire Code Injection

    A critical code injection vulnerability in Laravel Livewire v3 allows unauthenticated remote attackers to execute arbitrary commands. Over 130,000...

  • SecurityMar 20, 2026

    CVE-2025-32432: Craft CMS Code Injection Vulnerability

    A critical code injection vulnerability in Craft CMS allows unauthenticated remote attackers to execute arbitrary code on affected servers. Added to...

  • SecurityMar 20, 2026

    CVE-2026-21992: Critical Oracle Identity Manager

    Oracle's March 2026 Critical Patch Update includes CVE-2026-21992, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle Identity...

  • SecurityMar 20, 2026

    CVE-2026-30836: Step CA SCEP UpdateReq Allows

    A maximum-severity vulnerability in Smallstep's Step CA certificate authority allows unauthenticated attackers to issue arbitrary certificates via the...

  • SecurityMar 18, 2026

    CVE-2026-21994: Critical Unauthenticated RCE in Oracle Edge

    A critical unauthenticated remote code execution vulnerability (CVSS 9.8) in Oracle's Edge Cloud Infrastructure Designer and Visualisation Toolkit allows...