Search Results (2495 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-61673 1 Aiven 2 Aiven, Karapace 2026-04-15 8.6 High
Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2.
CVE-2024-57725 2026-04-15 6.5 Medium
An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint.
CVE-2025-59090 1 Dormakaba 1 Kaba Exos 9300 2026-04-15 N/A
On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.
CVE-2025-52551 2026-04-15 N/A
E2 Facility Management Systems use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.
CVE-2025-30037 1 Cgm 1 Clininet 2026-04-15 N/A
The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp.
CVE-2019-25236 2026-04-15 9.8 Critical
iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.
CVE-2018-25140 1 Flir 1 Thermal Traffic Cameras 2026-04-15 7.5 High
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication.
CVE-2025-3758 2026-04-15 N/A
WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-41654 2026-04-15 8.2 High
An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
CVE-2024-10776 1 Sick 2 Inspector61x Firmware, Inspector62x Firmware 2026-04-15 8.2 High
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer.
CVE-2025-41716 1 Wago 1 Solution Builder 2026-04-15 5.3 Medium
The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function.
CVE-2025-10906 2 Apple, Magnetism Studios 2 Macos, Endurance 2026-04-15 8.4 High
A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used.
CVE-2025-34068 2026-04-15 N/A
An unauthenticated remote command execution vulnerability exists in Samsung WLAN AP WEA453e firmware prior to version 5.2.4.T1 via improper input validation in the “Tech Support” diagnostic functionality. The command1 and command2 POST or GET parameters accept arbitrary shell commands that are executed with root privileges on the underlying operating system. An attacker can exploit this by crafting a request that injects shell commands to create output files in writable directories and then access their contents via the download endpoint. This flaw allows complete compromise of the device without authentication. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
CVE-2025-34115 1 Op5 1 Monitor 2026-04-15 N/A
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0.
CVE-2025-46275 2026-04-15 9.8 Critical
WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.
CVE-2021-26278 2026-04-15 6.3 Medium
The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device.
CVE-2021-26280 2026-04-15 7.9 High
Locally installed application can bypass the permission check and perform system operations that require permission.
CVE-2024-53623 1 Tp-link 1 Archer C7 Firmware 2026-04-15 7.5 High
Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information.
CVE-2025-12548 1 Redhat 1 Openshift Devspaces 2026-04-15 9 Critical
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
CVE-2024-52285 1 Siemens 2 Sipass Integrated Ac5102 (acc-g2), Sipass Integrated Acc-ap 2026-04-15 5.3 Medium
A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data.