HIGH
code100x
CVE published 2026-05-26
CVE-2026-8890
CVE-2026-8890 documents an authentication bypass vulnerability in the code100x CMS Mobile API, published 2026-05-26. The flaw resides in middleware.ts, where the presence of an Auth-Key header—without validation of its value—causes the middleware to skip legitimate identity header generation. Attackers can exploit this by supplying a crafted JSON payload in the 'g' HTTP header, injecting a spoofed user id [truncated]