All CosmicBytez Labs articles tagged #Unauthenticated, across news, security advisories, how-to guides, and projects.
Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via the T3 and IIOP protocols to compromise the server, potentially exposing all data accessible to it. CISA added this to its KEV catalog on June 1, 2026.
The GEO my WP WordPress plugin (versions up to 4.5.5) is vulnerable to unauthenticated SQL injection via the swlatlng and nelatlng parameters, which...
A critical authentication bypass (CVSS 9.8) in the OTP Login With Phone Number WordPress plugin allows unauthenticated attackers to log in as any user due...
A critical unauthenticated privilege escalation flaw in WP Maps Pro for WordPress (CVSS 9.8) allows attackers to create administrator accounts without...
A CVSS 9.8 flaw in the Goobi Viewer REST API lets unauthenticated clients inject Solr streaming expressions, enabling RCE on affected digital heritage platforms.
A CVSS 9.8 PHP object injection flaw in Mirasvit Full Page Cache Warmer for Magento 2 lets unauthenticated attackers achieve RCE; patch to 1.11.12 now.
A CVSS 10.0 command injection vulnerability in UniFi OS allows any attacker with network access and no credentials to execute arbitrary OS commands,...
A critical CVSS 9.8 vulnerability in the Avada Builder (fusion-builder) WordPress plugin allows unauthenticated attackers to execute arbitrary PHP...
A CVSS 10.0 RCE vulnerability in CtrlPanel's web-based installer allows unauthenticated attackers to execute arbitrary code by exploiting a logic flaw...
The Boost plugin for WordPress versions up to 2.0.3 is vulnerable to PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie,...
A CVSS 9.8 blind SQL injection vulnerability in Akilli Commerce's e-commerce platform allows unauthenticated attackers to extract the entire database...
A CVSS 9.1 authorization bypass in InfusedWoo Pro for WordPress lets unauthenticated attackers permanently delete arbitrary data across all installations...
A critical unauthenticated remote code execution vulnerability in SAP Commerce Cloud allows any unauthenticated user to upload malicious configurations...
The Custom css-js-php WordPress plugin through version 2.0.7 fails to sanitize user input before using it in a SQL query, and passes the result to dynamic...
A critical unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress allows attackers to upload...
A critical unauthenticated RCE vulnerability in Kofax Capture (Tungsten Capture) exposes a deprecated .NET Remoting HTTP channel on port 2424 with no...
KTransformers through version 0.5.3 contains a critical unsafe deserialization vulnerability in its balance_serve backend mode, where an unauthenticated...
A critical server-side request forgery vulnerability in Microsoft Dynamics 365 (Online) allows an unauthenticated remote attacker to perform spoofing over...
A critical SQL injection vulnerability in SocialEngine versions 7.8.0 and prior allows unauthenticated remote attackers to execute arbitrary SQL queries...
A critical SQL injection vulnerability in the end-of-life Borg SPM 2007 application allows unauthenticated remote attackers to inject arbitrary SQL...
FalkorDB Browser 1.9.3 contains a critical unauthenticated path traversal vulnerability in its file upload API that allows remote attackers to write...
A critical CVSS 9.8 vulnerability in the Quick Playground WordPress plugin (versions up to 1.3.1) allows unauthenticated attackers to upload arbitrary...
A critical unauthenticated command injection vulnerability in the Tianxin Internet Behavior Management System's Reporter component allows attackers to...
A critical unauthenticated RCE vulnerability in Weaver (Fanwei) E-cology 10.0 allows attackers to execute arbitrary commands by abusing an exposed Dubbo...
An unauthenticated SQL injection vulnerability in ResourceSpace 8.6 allows attackers to execute arbitrary database queries via the 'ref' parameter in...
Snews CMS 1.7 contains a critical unrestricted file upload vulnerability allowing unauthenticated attackers to upload PHP webshells to the snews_files...
A critical unauthenticated SQL injection vulnerability (CVSS 9.1) in the setinfo endpoint allows remote attackers to corrupt data and cause denial of...
A critical code injection vulnerability in Laravel Livewire v3 allows unauthenticated remote attackers to execute arbitrary commands. Over 130,000...
A critical code injection vulnerability in Craft CMS allows unauthenticated remote attackers to execute arbitrary code on affected servers. Added to...
Oracle's March 2026 Critical Patch Update includes CVE-2026-21992, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle Identity...
A maximum-severity vulnerability in Smallstep's Step CA certificate authority allows unauthenticated attackers to issue arbitrary certificates via the...
A critical unauthenticated remote code execution vulnerability (CVSS 9.8) in Oracle's Edge Cloud Infrastructure Designer and Visualisation Toolkit allows...