Total
2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27603 | 2026-03-06 | N/A | N/A | ||
|
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4.
|
|||||
| CVE-2026-22552 | 2026-03-06 | N/A | 9.4 CRITICAL | ||
|
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption o ...
Show More |
|||||
| CVE-2026-29606 | 2026-03-05 | N/A | 4.8 MEDIUM | ||
|
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.
|
|||||
| CVE-2026-26125 | 2026-03-05 | N/A | 8.6 HIGH | ||
|
Payment Orchestrator Service Elevation of Privilege Vulnerability
|
|||||
| CVE-2026-29613 | 2026-03-05 | N/A | 7.5 HIGH | ||
|
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
|
|||||
| CVE-2026-28485 | 2026-03-05 | N/A | 8.4 HIGH | ||
|
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
|
|||||
| CVE-2026-28472 | 2026-03-05 | N/A | 9.8 CRITICAL | ||
|
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.
|
|||||
| CVE-2026-28468 | 2026-03-05 | N/A | 7.8 HIGH | ||
|
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.
|
|||||
| CVE-2026-28458 | 2026-03-05 | N/A | 7.5 HIGH | ||
|
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.
|
|||||
| CVE-2026-28450 | 2026-03-05 | N/A | 6.2 MEDIUM | ||
|
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key wh ...
Show More |
|||||
| CVE-2026-27772 | 1 Ev.energy | 1 Ev.energy | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-27767 | 1 Swtchenergy | 1 Swtchenergy.com | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-27028 | 1 Mobility46 | 1 Mobility46.se | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-25851 | 1 Chargemap | 1 Chargemap.com | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-24731 | 1 Ev2go | 1 Ev2go.io | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-2065 | 1 Flycatcher | 2 Smart Pixelator, Smart Pixelator Firmware | 2026-03-05 | 5.8 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-20781 | 1 Cloudcharge | 1 Cloudcharge.se | 2026-03-05 | N/A | 9.4 CRITICAL |
|
WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corru ...
Show More |
|||||
| CVE-2026-23767 | 2026-03-05 | N/A | N/A | ||
|
ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection.
|
|||||
| CVE-2026-27944 | 2026-03-05 | N/A | 9.8 CRITICAL | ||
|
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
|
|||||
| CVE-2026-30784 | 2026-03-05 | N/A | N/A | ||
|
Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.
This issue affects RustDesk Server: thro ...
Show More |
|||||
| CVE-2026-27012 | 1 Devcode | 1 Openstamanager | 2026-03-05 | N/A | 9.8 CRITICAL |
|
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
|
|||||
| CVE-2026-27446 | 2026-03-05 | N/A | N/A | ||
|
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:
- incoming Core protocol connectio ...
Show More |
|||||
| CVE-2026-3192 | 1 Chia | 1 Blockchain | 2026-03-05 | 5.1 MEDIUM | 5.6 MEDIUM |
|
A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report ...
Show More |
|||||
| CVE-2026-3194 | 1 Chia | 1 Blockchain | 2026-03-05 | 3.5 LOW | 4.5 MEDIUM |
|
A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason ...
Show More |
|||||
| CVE-2026-1775 | 2026-03-04 | N/A | N/A | ||
|
The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.
|
|||||
| CVE-2026-28352 | 1 Cern | 1 Indico | 2026-03-03 | N/A | 6.5 MEDIUM |
|
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability ...
Show More |
|||||
| CVE-2026-22207 | 2026-03-02 | N/A | 9.8 CRITICAL | ||
|
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
|
|||||
| CVE-2026-2844 | 2026-03-02 | N/A | N/A | ||
|
Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation.This issue affects TimePictra: from 11.0 through 11.3 SP2.
|
|||||
| CVE-2025-30035 | 2026-03-02 | N/A | N/A | ||
|
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the system with the privileges of the targeted user.
|
|||||
| CVE-2025-14577 | 1 Slican | 15 Ipl-256.3u, Ipl-256.wm, Ipl-256 Firmware and 12 more | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint.
This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
|
|||||
| CVE-2025-14349 | 1 Uni-yaz | 1 Flexcity | 2026-03-02 | N/A | 8.8 HIGH |
|
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
|
|||||
| CVE-2026-25878 | 1 Friendsofshopware | 1 Froshadminer | 2026-02-28 | N/A | 5.3 MEDIUM |
|
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.
|
|||||
| CVE-2026-25505 | 1 Bambuddy | 1 Bambuddy | 2026-02-27 | N/A | 9.8 CRITICAL |
|
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
|
|||||
| CVE-2026-27595 | 1 Parseplatform | 1 Parse Dashboard | 2026-02-27 | N/A | 7.5 HIGH |
|
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha ...
Show More |
|||||
| CVE-2026-27509 | 2026-02-27 | N/A | 8.0 HIGH | ||
|
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pre ...
Show More |
|||||
| CVE-2026-27846 | 2026-02-27 | N/A | 6.2 MEDIUM | ||
|
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network
to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
|
|||||
| CVE-2026-27449 | 2026-02-27 | N/A | 7.5 HIGH | ||
|
Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. ...
Show More |
|||||
| CVE-2025-15509 | 2026-02-27 | N/A | N/A | ||
|
The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage.
|
|||||
| CVE-2025-15567 | 2026-02-27 | N/A | N/A | ||
|
Insufficient protection mechanisms in the Health Module may lead to partial information disclosure.
|
|||||
| CVE-2026-26333 | 1 Calero | 1 Verasmart | 2026-02-26 | N/A | 9.8 CRITICAL |
|
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as ...
Show More |
|||||