Vendor
code100x Mobile API contains an authentication bypass vulnerability (CVE-2026-8890) allowing unauthenticated attackers to impersonate arbitrary users by crafting a JSON payload in the 'g' HTTP header, skipping identity header validation and granting unauthorized access to course data.