Total
2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9160 | 2025-09-09 | N/A | N/A | ||
|
A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.
|
|||||
| CVE-2025-7045 | 2025-09-08 | N/A | 6.5 MEDIUM | ||
|
The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service.
|
|||||
| CVE-2014-9197 | 1 Schneider-electric | 5 Etg3000 Factorycast Hmi Gateway Firmware, Tsxetg3000, Tsxetg3010 and 2 more | 2025-09-05 | 10.0 HIGH | N/A |
|
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.
|
|||||
| CVE-2014-9195 | 1 Phoenixcontact-software | 2 Multiprog, Proconos Eclr | 2025-09-05 | 10.0 HIGH | N/A |
|
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
|
|||||
| CVE-2025-21623 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | N/A | 7.5 HIGH |
|
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.
|
|||||
| CVE-2025-7031 | 1 Config Pages Viewer Project | 1 Config Pages Viewer | 2025-09-04 | N/A | 5.3 MEDIUM |
|
Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4.
|
|||||
| CVE-2025-9815 | 2 Alaneuler, Apple | 2 Batterykid, Macos | 2025-09-04 | 6.8 MEDIUM | 7.8 HIGH |
|
A weakness has been identified in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authentication. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited.
|
|||||
| CVE-2025-7679 | 2025-09-04 | N/A | 8.1 HIGH | ||
|
The ASPECT system allows users to bypass authentication.
This issue affects all versions of ASPECT
|
|||||
| CVE-2025-5310 | 2025-09-04 | N/A | 9.8 CRITICAL | ||
|
Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.
|
|||||
| CVE-2012-10030 | 1 Freefloat | 1 Freefloat Ftp Server | 2025-09-03 | N/A | 9.8 CRITICAL |
|
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically p ...
Show More |
|||||
| CVE-2025-52551 | 2025-09-02 | N/A | N/A | ||
|
E2 Facility Management Systems use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.
|
|||||
| CVE-2012-10062 | 2025-09-02 | N/A | N/A | ||
|
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
|
|||||
| CVE-2025-58318 | 2025-09-02 | N/A | N/A | ||
|
Delta Electronics DIAView has an authentication bypass vulnerability.
|
|||||
| CVE-2025-7405 | 2025-09-02 | N/A | 7.3 HIGH | ||
|
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the products does not have authentication features.
|
|||||
| CVE-2024-4332 | 2025-08-29 | N/A | N/A | ||
|
An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and l ...
Show More |
|||||
| CVE-2025-8450 | 2025-08-29 | N/A | 8.2 HIGH | ||
|
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
|
|||||
| CVE-2025-8861 | 2025-08-29 | N/A | 9.8 CRITICAL | ||
|
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
|
|||||
| CVE-2025-30041 | 2025-08-29 | N/A | N/A | ||
|
The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs.
|
|||||
| CVE-2025-30040 | 2025-08-29 | N/A | N/A | ||
|
The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint.
|
|||||
| CVE-2025-30048 | 2025-08-29 | N/A | N/A | ||
|
The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication.
|
|||||
| CVE-2025-30037 | 2025-08-29 | N/A | N/A | ||
|
The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp.
|
|||||
| CVE-2025-30039 | 2025-08-29 | N/A | N/A | ||
|
Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges.
|
|||||
| CVE-2024-41968 | 2025-08-27 | N/A | 5.4 MEDIUM | ||
|
A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.
|
|||||
| CVE-2024-41967 | 2025-08-27 | N/A | 8.1 HIGH | ||
|
A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.
|
|||||
| CVE-2024-37303 | 1 Matrix | 1 Synapse | 2025-08-26 | N/A | 5.3 MEDIUM |
|
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 in ...
Show More |
|||||
| CVE-2025-53118 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
|
An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM.
|
|||||
| CVE-2022-43110 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
|
Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a ...
Show More |
|||||
| CVE-2025-47870 | 1 Mattermost | 1 Mattermost Server | 2025-08-25 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.
|
|||||
| CVE-2025-41689 | 2025-08-25 | N/A | 7.5 HIGH | ||
|
An unauthenticated remote attacker can get access without password protection to the affected device. This enables the unprotected read-only access to the stored measurement data.
|
|||||
| CVE-2025-8610 | 1 Aomei | 1 Cyber Backup | 2025-08-25 | N/A | 9.8 CRITICAL |
|
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage ...
Show More |
|||||
| CVE-2025-8611 | 1 Aomeitech | 1 Cyber Backup | 2025-08-22 | N/A | 9.8 CRITICAL |
|
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the DaoService service, which listens on TCP port 9074 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage t ...
Show More |
|||||
| CVE-2025-27214 | 2025-08-22 | N/A | 9.8 CRITICAL | ||
|
A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset.
Affected Products:
UniFi Connect EV Station Pro (Version 1.5.18 and earlier)
Mitigation:
Update UniFi Connect EV Station Pro to Version 1.5.27 or later
|
|||||
| CVE-2024-39773 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-22 | N/A | 5.3 MEDIUM |
|
An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
|
|||||
| CVE-2025-41654 | 2025-08-22 | N/A | 8.2 HIGH | ||
|
An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
|
|||||
| CVE-2024-39608 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 10.0 CRITICAL |
|
A firmware update vulnerability exists in the login.cgi functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can send an unauthenticated message to trigger this vulnerability.
|
|||||
| CVE-2025-8995 | 1 Authenticator Login Project | 1 Authenticator Login | 2025-08-21 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
|
|||||
| CVE-2024-39273 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.0 CRITICAL |
|
A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
|
|||||
| CVE-2025-40736 | 1 Siemens | 1 Sinec Nms | 2025-08-21 | N/A | 9.8 CRITICAL |
|
A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected application exposes an endpoint that allows an unauthorized modification of administrative credentials. This could allow an unauthenticated attacker to reset the superadmin password and gain full control of the application (ZDI-CAN-26569).
|
|||||
| CVE-2025-51543 | 2025-08-20 | N/A | 9.8 CRITICAL | ||
|
An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.
|
|||||
| CVE-2025-6920 | 1 Redhat | 1 Ai Inference Server | 2025-08-18 | N/A | 5.3 MEDIUM |
|
A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/* endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows unauthorized users to access the same inference features available on protected endpoints, potentially exposing sensitive functionality or allowing unintended access to backend resources.
|
|||||