Total
67 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28710 | 2026-03-06 | N/A | 8.1 HIGH | ||
|
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
|
|||||
| CVE-2025-15595 | 2026-03-03 | N/A | N/A | ||
|
Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.
|
|||||
| CVE-2026-1693 | 2026-02-27 | N/A | N/A | ||
|
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
|
|||||
| CVE-2025-40552 | 1 Solarwinds | 1 Web Help Desk | 2026-02-26 | N/A | 9.8 CRITICAL |
|
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
|
|||||
| CVE-2025-30411 | 2026-02-20 | N/A | 10.0 CRITICAL | ||
|
Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
|
|||||
| CVE-2025-30412 | 2026-02-20 | N/A | 10.0 CRITICAL | ||
|
Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
|
|||||
| CVE-2025-57713 | 1 Qnap | 1 File Station | 2026-02-12 | N/A | 7.5 HIGH |
|
A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5166 and later
|
|||||
| CVE-2025-40554 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 9.8 CRITICAL |
|
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
|
|||||
| CVE-2023-53894 | 1 Dulldusk | 1 Phpfilemanager | 2026-01-21 | N/A | 9.8 CRITICAL |
|
phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
|
|||||
| CVE-2025-63807 | 1 2dogz | 1 Blogin | 2026-01-15 | N/A | 9.8 CRITICAL |
|
An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
|
|||||
| CVE-2025-49201 | 1 Fortinet | 2 Fortipam, Fortiswitchmanager | 2026-01-14 | N/A | 8.1 HIGH |
|
A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiSwitchManager 7.2.0 through 7.2.4 allows attacker to execute unauthorized code or commands via specially crafted http requests
|
|||||
| CVE-2025-1293 | 1 Hashicorp | 1 Hermes | 2025-12-18 | N/A | 8.2 HIGH |
|
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
|
|||||
| CVE-2024-29837 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 8.8 HIGH |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.
|
|||||
| CVE-2024-52541 | 1 Dell | 784 Alienware M15 R6, Alienware M15 R6 Firmware, Alienware M15 R7 and 781 more | 2025-12-01 | N/A | 8.2 HIGH |
|
Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
|
|||||
| CVE-2025-12870 | 1 Aenrich | 1 A\+hrd | 2025-11-18 | N/A | 9.8 CRITICAL |
|
The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.
|
|||||
| CVE-2025-12871 | 1 Aenrich | 1 A\+hrd | 2025-11-18 | N/A | 9.8 CRITICAL |
|
The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.
|
|||||
| CVE-2025-1387 | 1 Learningdigital | 1 Orca Hcm | 2025-11-17 | N/A | 9.8 CRITICAL |
|
Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.
|
|||||
| CVE-2024-38182 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | N/A | 9.0 CRITICAL |
|
Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
|
|||||
| CVE-2025-11084 | 2025-11-12 | N/A | N/A | ||
|
A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.
|
|||||
| CVE-2024-29038 | 1 Tpm2-tools Project | 1 Tpm2-tools | 2025-11-04 | N/A | 4.3 MEDIUM |
|
tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by `tpm2 checkquote`. This issue was patched in version 5.7.
|
|||||
| CVE-2025-30468 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-03 | N/A | 6.5 MEDIUM |
|
This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.
|
|||||
| CVE-2025-59249 | 1 Microsoft | 1 Exchange Server | 2025-10-28 | N/A | 8.8 HIGH |
|
Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2025-26343 | 1 Q-free | 1 Maxtime | 2025-10-24 | N/A | 8.1 HIGH |
|
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
|
|||||
| CVE-2024-45551 | 1 Qualcomm | 484 Aqt1000, Aqt1000 Firmware, Ar8035 and 481 more | 2025-10-06 | N/A | 6.2 MEDIUM |
|
Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.
|
|||||
| CVE-2024-6580 | 1 Nsoftware | 1 Ipworks Ssh | 2025-09-26 | N/A | 6.5 MEDIUM |
|
The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an application calling the SFTPServer component must grant user access without verifying the SSH public key or certificate (which would most likely be a separate vulnerability in the calling application). IPWorks SSH versions 22.0.8945 and 24.0.8945 were released to address this condition by blocking all fi ...
Show More |
|||||
| CVE-2024-50563 | 1 Fortinet | 4 Fortianalyzer, Fortianalyzer Cloud, Fortimanager and 1 more | 2025-09-24 | N/A | 7.3 HIGH |
|
A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows attacker to execute unauthorized code or commands via a brute-force attack.
|
|||||
| CVE-2025-50173 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-08-19 | N/A | 7.8 HIGH |
|
Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-47995 | 1 Microsoft | 1 Azure Machine Learning | 2025-08-14 | N/A | 6.5 MEDIUM |
|
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2025-47479 | 1 Wpcompress | 1 Wp Compress | 2025-08-14 | N/A | 5.3 MEDIUM |
|
Weak Authentication vulnerability in AresIT WP Compress allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30.
|
|||||
| CVE-2025-7326 | 2025-07-22 | N/A | 7.0 HIGH | ||
|
Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
|
|||||
| CVE-2024-32119 | 1 Fortinet | 1 Forticlientems | 2025-07-16 | N/A | 4.8 MEDIUM |
|
An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.
|
|||||
| CVE-2025-1727 | 2025-07-15 | N/A | 8.1 HIGH | ||
|
The protocol used for remote linking over RF for End-of-Train and
Head-of-Train (also known as a FRED) relies on a BCH checksum for packet
creation. It is possible to create these EoT and HoT packets with a
software defined radio and issue brake control commands to the EoT
device, disrupting operations or potentially overwhelming the brake
systems.
|
|||||
| CVE-2025-27740 | 1 Microsoft | 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more | 2025-07-10 | N/A | 8.8 HIGH |
|
Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2024-54092 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
|
A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 ...
Show More |
|||||
| CVE-2025-26635 | 1 Microsoft | 8 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 5 more | 2025-07-03 | N/A | 6.5 MEDIUM |
|
Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.
|
|||||
| CVE-2025-24070 | 1 Microsoft | 2 Asp.net Core, Visual Studio 2022 | 2025-07-02 | N/A | 7.0 HIGH |
|
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
|
|||||
| CVE-2025-21552 | 1 Oracle | 1 Jd Edwards Enterpriseone Orchestrator | 2025-06-23 | N/A | 6.5 MEDIUM |
|
Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of Oracle JD Edwards (component: E1 IOT Orchestrator Security). Supported versions that are affected are Prior to 9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Orchestrator acces ...
Show More |
|||||
| CVE-2024-34451 | 1 Ghost | 1 Ghost | 2025-06-20 | N/A | 9.1 CRITICAL |
|
Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position is that Ghost should be installed with a reverse proxy that allows only trusted X-Forwarded-For headers.
|
|||||
| CVE-2025-32885 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2025-06-20 | N/A | 6.5 MEDIUM |
|
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.
|
|||||
| CVE-2025-5484 | 2025-06-16 | N/A | 8.3 HIGH | ||
|
A username and password are required to authenticate to the central
SinoTrack device management interface. The username for all devices is
an identifier printed on the receiver. The default password is
well-known and common to all devices. Modification of the default
password is not enforced during device setup. A malicious actor can
retrieve device identifiers with either physical access or by capturing
identifiers from pictures of the devices posted on publicly accessible
websites such ...
Show More |
|||||