PT-2026-2102 · Unknown · Tarkov Data Manager

Sut0L · Published 2026-01-07 · Updated 2026-02-03 · CVE-2026-21854

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Tarkov Data Manager versions prior to 02 January 2025

Description
The Tarkov Data Manager, a tool for managing Tarkov item data, contains an authentication bypass issue in the login endpoint. This allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel. The issue is due to a JavaScript prototype property access vulnerability combined with loose equality type coercion. The vulnerability was addressed with a series of fix commits on 02 January 2025. The API endpoint affected is /login. The vulnerability allows bypassing authentication through manipulation of the username and password parameters.

Recommendations
Versions prior to 02 January 2025 should be updated to the latest version to address this authentication bypass.
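
The description names two ingredients: lookup of inherited (prototype) properties and loose equality coercion. The following is an added example of a login check that closes both; it is not Tarkov Data Manager code or its actual fix, and the store, the sample credential and the function names are hypothetical.

```javascript
// Added illustration; not Tarkov Data Manager code. USERS, verifyLogin and
// constantTimeEqual are hypothetical names, the credential is constructed.

// A null-prototype store inherits nothing from Object.prototype.
const USERS = Object.assign(Object.create(null), {
  admin: "constructed-sample-password",
});

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function verifyLogin(body, users = USERS) {
  if (body === null || typeof body !== "object") return false;
  const { username, password } = body;

  // Type gate: only non-empty strings proceed, so arrays, objects, numbers
  // and booleans never reach a comparison where coercion could matter.
  if (typeof username !== "string" || typeof password !== "string") return false;
  if (username.length === 0 || password.length === 0) return false;

  // Own-property gate: a name resolves only if it is defined directly on
  // the store. This holds even when a caller passes a plain {} store.
  if (!Object.prototype.hasOwnProperty.call(users, username)) return false;

  // The stored value must itself be a string before it is compared.
  const stored = users[username];
  if (typeof stored !== "string") return false;

  return constantTimeEqual(stored, password);
}
```

A production store would hold salted password hashes rather than plaintext; plaintext is used here only to keep the example on the lookup and comparison.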

Exploit

Fix

Type Confusion

Prototype Pollution

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-21854
GHSA-R8W6-9XWG-6H73

Affected Products

Tarkov Data Manager