Export limit exceeded: 351285 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2279 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70146 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | 9.1 Critical |
| Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g.,adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session. | ||||
| CVE-2025-70147 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | 7.5 High |
| Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information (including plaintext password field values) via direct HTTP GET requests to these endpoints without a valid session. | ||||
| CVE-2024-22449 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | 6.6 Medium |
| Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. | ||||
| CVE-2025-14038 | 1 Enterprisedb | 1 Hybrid Manager | 2026-02-18 | 7 High |
| EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12. | ||||
| CVE-2025-21355 | 1 Microsoft | 1 Bing | 2026-02-13 | 8.6 High |
| Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network | ||||
| CVE-2025-48814 | 1 Microsoft | 22 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 19 more | 2026-02-13 | 7.5 High |
| Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2025-52024 | 1 Aptsys | 2 Gemscms Backend, Pos Platform Web Services | 2026-02-11 | 9.4 Critical |
| A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | ||||
| CVE-2025-5192 | 1 Scshr | 1 Hr Portal | 2026-02-04 | 7.5 High |
| A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions. | ||||
| CVE-2025-3646 | 1 Petlibro | 2 Petlibro, Smart Pet Feeder Platform | 2026-02-03 | 7.3 High |
| Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation. | ||||
| CVE-2025-54816 | 1 Evmapa | 1 Evmapa | 2026-02-02 | 9.4 Critical |
| This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. | ||||
| CVE-2021-47802 | 1 Tenda | 4 D151, D151 Firmware, D301 and 1 more | 2026-02-02 | 7.5 High |
| Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. | ||||
| CVE-2025-68716 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | 8.4 High |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | ||||
| CVE-2022-2552 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | 5.3 Medium |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | ||||
| CVE-2025-69285 | 2 Dataease, Fit2cloud | 2 Sqlbot, Sqlbot | 2026-02-02 | 6.1 Medium |
| SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. | ||||
| CVE-2025-54942 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | 9.8 Critical |
| A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication. | ||||
| CVE-2025-65731 | 2 D-link, Dlink | 3 Dir-605l, Dir-605l, Dir-605l Firmware | 2026-01-30 | 6.8 Medium |
| An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control. | ||||
| CVE-2025-68715 | 1 Pandawireless | 2 Pwru01, Pwru01 Firmware | 2026-01-30 | 9.1 Critical |
| An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. | ||||
| CVE-2025-61777 | 2 Flagforge, Flagforgectf | 2 Flagforge, Flagforge | 2026-01-28 | 9.4 Critical |
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | ||||
| CVE-2023-31594 | 1 Icrealtime | 2 Icip-p2012t, Icip-p2012t Firmware | 2026-01-27 | 7.5 High |
| IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network. | ||||
| CVE-2025-11198 | 1 Juniper | 3 Junos, Security Director Policy Enforcer, Space Security Director | 2026-01-26 | 7.4 High |
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: * All versions before 23.1R1 Hotpatch v3. This issue does not affect Junos Space Security Director Insights. | ||||