sim CVE Vulnerabilities & Metrics

Focus on sim vulnerabilities and metrics.

Last updated: 08 Mar 2026, 23:25 UTC

About sim Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with sim. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total sim CVEs: 3
Earliest CVE date: 26 Dec 2025, 04:15 UTC
Latest CVE date: 02 Mar 2026, 13:16 UTC

Latest CVE reference: CVE-2026-3432

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical sim CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.5

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	0
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS sim CVEs

These are the five CVEs with the highest CVSS scores for sim, sorted by severity first and recency.

CVE-2025-15099 sim Published on 26 Dec 2025, 04:15 UTC (CVSS: 7.5)
A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the pat...
CVE-2026-3432 sim Published on 02 Mar 2026, 13:16 UTC (CVSS: 0)
On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services.
CVE-2026-3431 sim Published on 02 Mar 2026, 13:16 UTC (CVSS: 0)
On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.

All CVEs for sim

CVE-2026-3432 sim vulnerability CVSS: 0 02 Mar 2026, 13:16 UTC

On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services.

CVE-2026-3431 sim vulnerability CVSS: 0 02 Mar 2026, 13:16 UTC

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.

CVE-2025-15099 sim vulnerability CVSS: 7.5 26 Dec 2025, 04:15 UTC

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.