| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263. |
| A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins. |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data. |
| NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure. |
| CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication.
Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation.
LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability.
CrowdStrike identified this vulnerability during continuous and ongoing product testing. |
| Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API. |
| blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0. |
| A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication. |
| The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS). |
| A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre. |
| The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID. |
| Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials. |
| Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2. |
| A specific administrative endpoint is accessible without proper authentication, exposing device management functions. |
