Search Results (3569 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-11126 2026-04-15 3.1 Low
A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2021-47710 1 Commax 1 Smart Home System 2026-04-15 N/A
COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. Attackers can access sensitive information, including login credentials and DVR settings, by submitting a GET request to this endpoint.
CVE-2024-48777 1 Ledvance 1 Smartplus Firmware 2026-04-15 7.5 High
LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-9137 1 Moxa 7 Edf-g1002-bp, Edr-8010, Edr-g9004 and 4 more 2026-04-15 9.4 Critical
The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
CVE-2024-36457 1 Broadcom 1 Symantec Privileged Access Management 2026-04-15 N/A
The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.
CVE-2024-48143 1 Digitory 1 Multi-channel Integrated Pos 2026-04-15 9.1 Critical
A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders.
CVE-2025-15346 1 Wolfssl 1 Wolfssl 2026-04-15 N/A
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2.
CVE-2024-12957 1 Asus 1 Armoury Crate 2026-04-15 N/A
A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information.
CVE-2024-12054 2026-04-15 5.4 Medium
ZF Roll Stability Support Plus (RSSPlus) is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software, however the vehicle remains in a safe vehicle state.
CVE-2025-7679 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2026-04-15 8.1 High
The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT
CVE-2025-41651 2026-04-15 9.8 Critical
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.
CVE-2025-41654 2026-04-15 8.2 High
An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
CVE-2025-41655 2026-04-15 7.5 High
An unauthenticated remote attacker can access a URL which causes the device to reboot.
CVE-2025-7882 2026-04-15 3.1 Low
A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-32738 2026-04-15 5.3 Medium
Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
CVE-2025-11566 1 Schneider-electric 1 Powerchute Serial Shutdown 2026-04-15 N/A
CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.
CVE-2025-32782 2026-04-15 5.3 Medium
Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.
CVE-2025-10772 1 Huggingface 1 Lerobot 2026-04-15 6.3 Medium
A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-25060 2026-04-15 N/A
Missing authentication for critical function vulnerability exists in AssetView and AssetView CLOUD. If exploited, the files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker.
CVE-2025-11949 1 Digiwin 1 Easyflow .net 2026-04-15 7.5 High
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.