CVE-2026-46595
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed othe
CVSS
10.0
Crítico
EPSS
0.4%
p36
KEV
—
Exploit Today
11
0-100
Publicado: 22 may 2026 · Última mod.: 17 jul 2026 · CWE-863 · CWE-303
0.4%EPSS · 30 días0.4%
2026-06-302026-07-18
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
- go.devhttps://go.dev/cl/781642
- go.devhttps://go.dev/issue/79570
- groups.google.comhttps://groups.google.com/g/golang-announce/c/a082jnz-LvI
- pkg.go.devhttps://pkg.go.dev/vuln/GO-2026-5023
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23262
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23264
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26546
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26547
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30650
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30651
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33524
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33531
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36207
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36648
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36651
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36796
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36797
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36808
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36820
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37275
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-350298.8 ALT97.8%
——29LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.4dCVE-2026-479967.6 ALT96.9%
——29Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.3dCVE-2025-324622.8 BAJ86.9%
——26Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.5dCVE-2021-289367.5 ALT78.9%
——24The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.10dCVE-2021-406397.5 ALT64.4%
——19Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.10dCVE-2022-366348.8 ALT59.9%
——18An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.10d