Total: 2009 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-2552 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | N/A | 5.3 MEDIUM | The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, PHP version and full file system path to the site. |
| CVE-2025-69285 | 1 Fit2cloud | 1 Sqlbot | 2026-02-02 | N/A | 6.1 MEDIUM | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas a ... |
| CVE-2026-1410 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-01-30 | 6.2 MEDIUM | 6.4 MEDIUM | A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-54942 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | N/A | 9.8 CRITICAL | A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication. |
| CVE-2025-65731 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2026-01-30 | N/A | 6.8 MEDIUM | An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control. |
| CVE-2025-68715 | 1 Pandawireless | 2 Pwru01, Pwru01 Firmware | 2026-01-30 | N/A | 9.1 CRITICAL | An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. |
| CVE-2020-36963 | | | 2026-01-29 | N/A | 7.5 HIGH | Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. |
| CVE-2026-0492 | 1 Sap | 1 Hana Database | 2026-01-27 | N/A | 8.8 HIGH | SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. This exploit could result in a total compromise of the system's confidentiality, integrity, and availability. |
| CVE-2023-31594 | 1 Icrealtime | 2 Icip-p2012t, Icip-p2012t Firmware | 2026-01-27 | N/A | 7.5 HIGH | IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network. |
| CVE-2025-12386 | | | 2026-01-27 | N/A | N/A | Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. A remote unauthenticated attacker is able to use this endpoint to, e.g., retrieve the cleartext password of the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2025-11198 | 1 Juniper | 1 Security Director Policy Enforcer | 2026-01-26 | N/A | 7.4 HIGH | A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: all versions before 23.1R1 Hotpatch v3. This i ... |
| CVE-2025-15026 | 1 Centreon | 1 Awie | 2026-01-26 | N/A | 9.8 CRITICAL | Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. |
| CVE-2026-23744 | | | 2026-01-26 | N/A | 9.8 CRITICAL | MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier contain a remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. |
| CVE-2026-0778 | | | 2026-01-26 | N/A | 8.8 HIGH | Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker ca ... |
| CVE-2026-1364 | | | 2026-01-26 | N/A | 9.8 CRITICAL | IAQS and I6 developed by JNC have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. |
| CVE-2021-47891 | | | 2026-01-26 | N/A | 9.8 CRITICAL | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. |
| CVE-2025-59090 | | | 2026-01-26 | N/A | N/A | On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows, e.g., the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. |
| CVE-2025-59097 | | | 2026-01-26 | N/A | N/A | The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx ... |
| CVE-2024-5143 | 1 Hp | 16 W1a75a, W1a75a Firmware, W1a76a and 13 more | 2026-01-26 | N/A | 6.8 MEDIUM | A user with device administrative privileges can change existing SMTP server settings on the device without having to re-enter SMTP server credentials. By redirecting send-to-email traffic to the new server, the original SMTP server credentials may potentially be exposed. |
| CVE-2026-1019 | 1 Gotac | 1 Police Statistics Database System | 2026-01-23 | N/A | 9.8 CRITICAL | Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. |
| CVE-2026-1023 | 1 Gotac | 1 Statistics Database System | 2026-01-23 | N/A | 7.5 HIGH | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. |
| CVE-2024-50375 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 9.8 CRITICAL | A CWE-306 "Missing Authentication for Critical Function" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point. |
| CVE-2024-10924 | 1 Really-simple-plugins | 1 Really Simple Security | 2026-01-23 | N/A | 9.8 CRITICAL | The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default). |
| CVE-2025-63391 | 1 Openwebui | 1 Open Webui | 2026-01-22 | N/A | 7.5 HIGH | An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers. |
| CVE-2025-63390 | 1 Mintplexlabs | 1 Anythingllm | 2026-01-22 | N/A | 5.3 MEDIUM | An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length ... |
| CVE-2025-63389 | 1 Ollama | 1 Ollama | 2026-01-22 | N/A | 9.8 CRITICAL | A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. |
| CVE-2025-63896 | 1 Jxlindia | 2 Jxl 9 Inch Car Android Double Din Player, Jxl 9 Inch Car Android Double Din Player Firmware | 2026-01-22 | N/A | 7.6 HIGH | An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device. |
| CVE-2025-31963 | 1 Hcltech | 1 Bigfix Insights For Vulnerability Remediation | 2026-01-22 | N/A | 2.9 LOW | Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests. |
| CVE-2026-22788 | 1 Wem-project | 1 Wem | 2026-01-21 | N/A | 8.2 HIGH | WebErpMesv2 is a Resource Management and Manufacturing Execution System Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. |
| CVE-2025-65824 | 1 Meatmeet | 2 Meatmeet Pro Wifi & Bluetooth Meat Thermometer, Meatmeet Pro Wifi & Bluetooth Meat Thermometer Firmware | 2026-01-21 | N/A | 8.8 HIGH | An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attacker's code. As the device does not perform checks on upgrades, this results in Remote Code Execution (RCE) and the victim losing complete access to the Meatmeet. |
| CVE-2026-22812 | 1 Anoma | 1 Opencode | 2026-01-21 | N/A | 8.8 HIGH | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. |
| CVE-2025-62582 | 1 Deltaww | 1 Diaview | 2026-01-20 | N/A | 9.8 CRITICAL | Delta Electronics DIAView has multiple vulnerabilities. |
| CVE-2025-12941 | 1 Netgear | 4 C6220, C6220 Firmware, C6230 and 1 more | 2026-01-16 | N/A | 5.7 MEDIUM | Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users to reboot the router. |
| CVE-2024-58336 | 1 Akuvox | 24 C313w-2, C313w-2 Firmware, Nc-2 and 21 more | 2026-01-16 | N/A | 5.3 MEDIUM | Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices. |
| CVE-2023-53964 | 1 Sound4 | 17 Big Voice2, Big Voice2 Firmware, Big Voice4 and 14 more | 2026-01-16 | N/A | 9.8 CRITICAL | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory reset and bypass authentication, gaining full system control. |
| CVE-2022-50790 | 1 Sound4 | 17 Big Voice2, Big Voice2 Firmware, Big Voice4 and 14 more | 2026-01-16 | N/A | 7.5 HIGH | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to disclose radio stream details without requiring authentication. |
| CVE-2026-21445 | 1 Langflow | 1 Langflow | 2026-01-16 | N/A | 9.1 CRITICAL | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains ... |
| CVE-2025-14058 | | | 2026-01-16 | N/A | 3.2 LOW | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. |
| CVE-2026-23746 | | | 2026-01-16 | N/A | N/A | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to rea ... |
| CVE-2026-0942 | | | 2026-01-16 | N/A | 5.3 MEDIUM | The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. |
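Several entries above share one root cause: a route that should require a session is reached without one, either because it was put on the auth middleware's exemption list (the SQLBot entry, CVE-2025-69285, where the upload endpoint was whitelisted so the TokenMiddleware skipped token validation) or because the endpoint was never wired to authentication at all (the Open WebUI, AnythingLLM, Ollama and Langflow entries). The following is an added example, not code from this page or from any of those projects: a minimal token middleware in the weak prefix-allowlist shape beside a hardened exact-match shape, plus an audit that flags allowlist entries that exempt state-changing or unintended routes. All route names, handlers and the bearer token are constructed for the demo.

```python
"""Missing authentication via an auth-middleware allowlist (constructed example)."""
from dataclasses import dataclass, field
import hmac

VALID_TOKEN = "demo-token-123"  # constructed; real code would verify a session or JWT


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# Constructed route table: (method, path) -> handler. The healthz/config route
# exists only to show what a prefix allowlist silently exempts.
ROUTES = {
    ("POST", "/api/v1/login"): lambda r: Response(200, "token issued"),
    ("GET", "/api/v1/health"): lambda r: Response(200, "ok"),
    ("POST", "/api/v1/datasource/uploadExcel"): lambda r: Response(200, "rows ingested"),
    ("GET", "/api/v1/datasource/list"): lambda r: Response(200, "[...]"),
    ("GET", "/api/v1/healthz/config"): lambda r: Response(200, "{secrets}"),
}


def dispatch(req: Request) -> Response:
    handler = ROUTES.get((req.method, req.path))
    return handler(req) if handler else Response(404, "not found")


def has_valid_token(req: Request) -> bool:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], VALID_TOKEN)


# Weak shape: a path-prefix allowlist that a data-ingest endpoint was added to.
WEAK_ALLOWLIST = ["/api/v1/login", "/api/v1/health", "/api/v1/datasource/uploadExcel"]


def weak_middleware(req: Request) -> Response:
    # Any path that merely begins with an allowlisted prefix skips token validation.
    if any(req.path.startswith(p) for p in WEAK_ALLOWLIST):
        return dispatch(req)
    if not has_valid_token(req):
        return Response(401, "unauthorized")
    return dispatch(req)


# Hardened shape: exact (method, path) pairs, limited to routes that must work
# before a session exists. Every other route, registered or not, needs a token.
PUBLIC_ROUTES = {("POST", "/api/v1/login"), ("GET", "/api/v1/health")}


def hardened_middleware(req: Request) -> Response:
    if (req.method, req.path) not in PUBLIC_ROUTES and not has_valid_token(req):
        return Response(401, "unauthorized")
    return dispatch(req)


def audit_allowlist(allowlist, routes=ROUTES):
    """Return (method, path, reason) for registered routes that a prefix allowlist
    would exempt from auth but that should not be public: any state-changing
    route, or any route reached only because its path starts with an entry."""
    findings = []
    for method, path in routes:
        for prefix in allowlist:
            if not path.startswith(prefix):
                continue
            if method != "GET" and (method, path) not in PUBLIC_ROUTES:
                findings.append((method, path, f"state-changing route exempted via {prefix!r}"))
            elif path != prefix:
                findings.append((method, path, f"exempted by prefix match on {prefix!r}"))
    return findings


if __name__ == "__main__":
    anon_upload = Request("POST", "/api/v1/datasource/uploadExcel")
    print("weak:", weak_middleware(anon_upload).status)          # 200: unauthenticated ingest
    print("hardened:", hardened_middleware(anon_upload).status)  # 401
    for finding in audit_allowlist(WEAK_ALLOWLIST):
        print("audit:", finding)
```

Running `audit_allowlist` against the exemption list in CI catches the SQLBot-style regression (a POST ingest route on the list) and the subtler prefix case (`/api/v1/health` also exempting `/api/v1/healthz/config`), both before a request ever reaches production; the hardened middleware keys the exemption on the full (method, path) pair so neither can slip through at runtime.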