Vulnerability Details: CVE-2025-64526

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-14 May, 2026 | 18:32
Updated At-16 May, 2026 | 00:49

Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated as identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
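As an added, self-contained illustration (not Strapi's own middleware code), the vulnerable key derivation described above sits beside an allow-list variant of the fix, with a constructed burst of login attempts that rotates the `email` field so the two policies can be compared as a maintainer's regression test would; the route paths are taken from the advisory, and the allow-list is assumed to contain only the two routes it names.

```javascript
// Added illustration (not Strapi's own code): Koa-style rate-limit key
// derivation showing the pre-5.45.0 defect beside an allow-list fix.
// Assumptions: route paths are the advisory's (`/auth/local`, ...), and the
// allow-list is built only from the routes the advisory names.

// Routes whose body contract legitimately carries `email` as the identifier.
const EMAIL_KEYED_ROUTES = new Set(['/auth/forgot-password', '/auth/local/register']);

// Vulnerable keying: `body.email` always lands in the key, even on routes such
// as /auth/local whose contract has no email field. A rotating value yields a
// fresh bucket per request, so the per-IP limit never trips.
function vulnerableKey(ctx) {
  const userIdentifier = ctx.request.body && ctx.request.body.email;
  return `${userIdentifier}:${ctx.request.path}:${ctx.request.ip}`;
}

// Hardened keying: only allow-listed routes contribute the email; every other
// mounted route (including /connect/* OAuth callbacks) gets a fixed
// identifier-less component, so the bucket is per IP whatever the body says.
function hardenedKey(ctx) {
  const path = ctx.request.path;
  let userIdentifier = 'no-identifier';
  if (EMAIL_KEYED_ROUTES.has(path)) {
    const email = ctx.request.body && ctx.request.body.email;
    if (typeof email === 'string' && email.trim() !== '') {
      userIdentifier = email.trim().toLowerCase();
    }
  }
  return `${userIdentifier}:${path}:${ctx.request.ip}`;
}

// Minimal in-memory fixed-window counter, enough to compare the two policies.
function makeLimiter(keyFn, maxPerWindow) {
  const counts = new Map();
  return function allow(ctx) {
    const key = keyFn(ctx);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= maxPerWindow;
  };
}

// Constructed request: one client IP hitting /auth/local with a different
// `email` on each attempt, although the login contract only uses `identifier`.
function loginAttempt(i) {
  return {
    request: {
      path: '/auth/local',
      ip: '203.0.113.10',
      body: { identifier: 'victim', password: `guess-${i}`, email: `rot${i}@example.invalid` },
    },
  };
}

// How many of `total` rotating-email login attempts a policy lets through.
function countAllowed(keyFn, total, maxPerWindow) {
  const allow = makeLimiter(keyFn, maxPerWindow);
  let allowed = 0;
  for (let i = 0; i < total; i += 1) {
    if (allow(loginAttempt(i))) allowed += 1;
  }
  return allowed;
}
```

With a limit of 5 per window, `countAllowed(vulnerableKey, 50, 5)` lets all 50 attempts through while `countAllowed(hardenedKey, 50, 5)` stops at 5.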

Common Vulnerabilities and Exposures (CVE) (cve.org)
CVE Numbering Authority (CNA)

Affected Products
  • Vendor: Strapi, Inc. (strapi); Product: strapi; Affected versions: < 5.45.0
  • Vendor: Strapi, Inc. (strapi); Product: @strapi/plugin-users-permissions; Affected versions: < 5.45.0
Problem Types
  • CWE-307: Improper Restriction of Excessive Authentication Attempts (type: CWE)
Metrics
  • CVSS 4.0, base score 6.9 (MEDIUM): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References
  • https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw (x_refsource_CONFIRM)
  • https://github.com/strapi/strapi/pull/24818 (x_refsource_MISC)
  • https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db (x_refsource_MISC)
  • https://github.com/strapi/strapi/releases/tag/v5.45.0 (x_refsource_MISC)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security-advisories@github.com
Published At: 14 May, 2026 | 19:16
Updated At: 16 May, 2026 | 03:30

CISA Catalog: Date Added N/A; Due Date N/A; Vulnerability Name N/A; Required Action N/A
Metrics
  • Secondary, CVSS 4.0, base score 6.9 (MEDIUM): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Primary, CVSS 3.1, base score 5.3 (MEDIUM): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CPE Matches
  • Strapi, Inc. / strapi, versions before 5.45.0 (exclusive): cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*
Weaknesses
  • CWE-307 (Primary; source: security-advisories@github.com)
References
  • https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db (source: security-advisories@github.com; Patch)
  • https://github.com/strapi/strapi/pull/24818 (source: security-advisories@github.com; Issue Tracking)
  • https://github.com/strapi/strapi/releases/tag/v5.45.0 (source: security-advisories@github.com; Patch, Product)
  • https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw (source: security-advisories@github.com; Vendor Advisory)

Change History: Information is not available yet

Similar CVEs

12 records found

CVE-2025-20196
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.26%
7 Day CHG~0.00%
Published-07 May, 2025 | 17:38
Updated-11 Jul, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Cisco IOx application hosting environment of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the Cisco IOx application hosting environment to stop responding, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the Cisco IOx application hosting environment to stop responding. The IOx process will need to be manually restarted to recover services.

Action-Not Available
Vendor-Cisco Systems, Inc.
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-35925
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.52% / 67.09%
7 Day CHG~0.00%
Published-02 Aug, 2022 | 20:15
Updated-22 Apr, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing rate limit in Authentication in bookwyrm

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views, which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update the `nginx.conf` file that was created when the instance was set up. Users are advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.

Action-Not Available
Vendor-joinbookwyrmbookwyrm-social
Product-bookwyrmbookwyrm
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-29056
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.5||LOW
EPSS-24.20% / 96.19%
7 Day CHG~0.00%
Published-09 Mar, 2023 | 14:54
Updated-22 Oct, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortiMail
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2024-30390
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.08% / 22.91%
7 Day CHG~0.00%
Published-12 Apr, 2024 | 15:24
Updated-06 Feb, 2025 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS Evolved: Connection limits are not being enforced while the respective rate limit is being enforced

An Improper Restriction of Excessive Authentication Attempts vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited Denial of Service (DoS) to the management plane. When an incoming connection was blocked because it exceeded the connections-per-second rate-limit, the system doesn't consider existing connections anymore for subsequent connection attempts so that the connection limit can be exceeded. This issue affects Junos OS Evolved: * All versions before 21.4R3-S4-EVO, * 22.1-EVO versions before 22.1R3-S3-EVO, * 22.2-EVO versions before 22.2R3-S2-EVO,  * 22.3-EVO versions before 22.3R2-S1-EVO, 22.3R3-EVO.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junos_os_evolvedJunos OS Evolved
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2026-2402
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.62%
7 Day CHG~0.00%
Published-14 Apr, 2026 | 15:16
Updated-22 Apr, 2026 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to a user account by performing an arbitrary number of authentication attempts with different credentials across a sequence of requests to multiple endpoints.

Action-Not Available
Vendor-Schneider Electric SE
Product-powerchute_serial_shutdownPowerChute™ Serial Shutdown
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2024-0787
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.92%
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:57
Updated-19 Nov, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam

phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.

Action-Not Available
Vendor-phpipamphpipamphpipam
Product-phpipamphpipam/phpipamphpipam
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-49792
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 61.65%
7 Day CHG~0.00%
Published-22 Dec, 2023 | 16:31
Updated-27 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bruteforce protection can be bypassed with misconfigured proxy

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as a trusted proxy, the server could be tricked into reading a wrong remote address for an attacker, allowing them to execute more authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-4625
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 28.12%
7 Day CHG~0.00%
Published-06 Nov, 2023 | 04:57
Updated-27 Feb, 2025 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial-of-Service(DoS) Vulnerability in Web server function on MELSEC Series CPU module

Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-26209
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.5||LOW
EPSS-19.61% / 95.55%
7 Day CHG~0.00%
Published-09 Mar, 2023 | 14:55
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortideceptorFortiDeceptor
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-26208
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.5||LOW
EPSS-19.70% / 95.57%
7 Day CHG~0.00%
Published-09 Mar, 2023 | 14:55
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiauthenticatorFortiAuthenticator
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-8202
Matching Score-4
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 60.16%
7 Day CHG~0.00%
Published-30 Jul, 2020 | 12:53
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password.

Action-Not Available
Vendor-n/aNextcloud GmbH
Product-preferred_providersNextcloud Preferred Providers
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-8228
Matching Score-4
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 64.07%
7 Day CHG~0.00%
Published-05 Oct, 2020 | 13:15
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.

Action-Not Available
Vendor-n/aopenSUSENextcloud GmbH
Product-preferred_providersbackports_sleleapNextcloud Preferred Provider
CWE ID-CWE-840
Not Available
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts