By weakness (CWE)
CWE-306: related vulnerabilities
CVEs classified under CWE-306. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
8 published vulnerabilities
- CVE-2026-24088HIGH 8.2
CVE-2026-24088 is a cryptographic flaw in Qualcomm wireless and networking chipsets that allows a high-privileged attacker to bypass security controls and load a custom bootloader onto affected devices. The vulnerability stems from improper validation during firmware partition processing, enabling unauthorized modification of the boot sequence. This could allow an attacker with administrative or hardware-level access to inject malicious code that executes before the operating system, potentially taking complete control of the device.
- CVE-2026-36603HIGH 8.1
The Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909 contains a critical authentication bypass vulnerability in its UPnP (Universal Plug and Play) implementation. Any device connected to the router's local network can manipulate port forwarding rules and retrieve WAN connection details without providing credentials. Since UPnP is enabled by default, attackers with LAN access gain the ability to redirect internet traffic, expose internal services, or exfiltrate data—creating a serious risk for home and small-office networks.
- CVE-2026-10243HIGH 7.3
A critical authentication flaw exists in code-projects Smart Parking System version 1.0 that allows unauthenticated remote attackers to bypass security controls on multiple administrative endpoints. An attacker can interact with these endpoints without valid credentials, potentially gaining unauthorized access to sensitive parking system functions. The vulnerability has been publicly disclosed and exploit code is available, elevating the risk of active exploitation.
- CVE-2026-10281HIGH 7.3
Enderfga's claw-orchestrator contains an authentication bypass in its API endpoint handler. Versions up to 3.5.5 fail to enforce authentication checks in the EmbeddedServer component, allowing unauthenticated remote attackers to access protected functionality. The flaw has been publicly disclosed and exploit code is available. Version 3.5.6 addresses the issue.
- CVE-2026-10617HIGH 7.3
GoClaw, a component by nextlevelbuilder, contains a flaw in its webhook verification handler that allows attackers to bypass authentication checks. An unauthenticated remote attacker can exploit this weakness to gain unauthorized access to protected webhook endpoints. The vulnerability affects GoClaw versions up to and including 3.11.3, and exploit code has already been made public, increasing the practical risk.
- CVE-2026-24090HIGH 7.1
A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.
- CVE-2026-10283MEDIUM 6.3
Bottelet DaybydayCRM contains an authentication bypass vulnerability in its Settings Handler component. An authenticated attacker can manipulate application settings to gain unauthorized access to functionality they should not have, potentially viewing sensitive data, modifying records, or disrupting service availability. The vulnerability affects versions up to 2.2.1 and requires an attacker to already have valid login credentials to exploit it.
- CVE-2026-25599MEDIUM 6.3
This vulnerability affects Orca heat pump devices and their control portal. An attacker can intercept unencrypted communications between older Orca heat pumps and the control server, impersonate a legitimate device, and inject malicious code into the web portal. This injected code can steal user session cookies, compromise accounts, expose sensitive information, and grant attackers unauthorized access to the portal. The core issues are the lack of authentication, unencrypted HTTP connections, and missing input validation.