Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-14622

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-04 Jul, 2026 | 08:45
Updated At-04 Jul, 2026 | 08:45
Rejected At-
Credits

jairiidriss restaurant-website-php-mysql AJAX Endpoint ajax_files missing authentication

A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:04 Jul, 2026 | 08:45
Updated At:04 Jul, 2026 | 08:45
Rejected At:
â–¼CVE Numbering Authority (CNA)
jairiidriss restaurant-website-php-mysql AJAX Endpoint ajax_files missing authentication

A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Affected Products
Vendor
jairiidriss
Product
restaurant-website-php-mysql
CPEs
  • cpe:2.3:a:jairiidriss:restaurant-website-php-mysql:*:*:*:*:*:*:*:*
Modules
  • AJAX Endpoint
Versions
Affected
  • 521428b5b612449df0cf4a5d15ee40cba67f3d35
Problem Types
TypeCWE IDDescription
CWECWE-306Missing Authentication
CWECWE-287Improper Authentication
Type: CWE
CWE ID: CWE-306
Description: Missing Authentication
Type: CWE
CWE ID: CWE-287
Description: Improper Authentication
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.07.3HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.07.5N/A
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 7.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Fklov (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-07-03 00:00:00
VulDB entry created2026-07-03 02:00:00
VulDB entry last update2026-07-03 19:00:31
Event: Advisory disclosed
Date: 2026-07-03 00:00:00
Event: VulDB entry created
Date: 2026-07-03 02:00:00
Event: VulDB entry last update
Date: 2026-07-03 19:00:31
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/vuln/376138
vdb-entry
https://vuldb.com/vuln/376138/cti
signature
permissions-required
https://vuldb.com/cve/CVE-2026-14622
third-party-advisory
https://vuldb.com/submit/845099
third-party-advisory
https://github.com/jairiidriss/restaurant-website-php-mysql/issues/6
exploit
issue-tracking
https://github.com/jairiidriss/restaurant-website-php-mysql/
product
Hyperlink: https://vuldb.com/vuln/376138
Resource:
vdb-entry
Hyperlink: https://vuldb.com/vuln/376138/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/cve/CVE-2026-14622
Resource:
third-party-advisory
Hyperlink: https://vuldb.com/submit/845099
Resource:
third-party-advisory
Hyperlink: https://github.com/jairiidriss/restaurant-website-php-mysql/issues/6
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/jairiidriss/restaurant-website-php-mysql/
Resource:
product
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:04 Jul, 2026 | 09:16
Updated At:04 Jul, 2026 | 09:16

A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.5MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-287Primarycna@vuldb.com
CWE-306Primarycna@vuldb.com
CWE ID: CWE-287
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-306
Type: Primary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/jairiidriss/restaurant-website-php-mysql/cna@vuldb.com
N/A
https://github.com/jairiidriss/restaurant-website-php-mysql/issues/6cna@vuldb.com
N/A
https://vuldb.com/cve/CVE-2026-14622cna@vuldb.com
N/A
https://vuldb.com/submit/845099cna@vuldb.com
N/A
https://vuldb.com/vuln/376138cna@vuldb.com
N/A
https://vuldb.com/vuln/376138/cticna@vuldb.com
N/A
Hyperlink: https://github.com/jairiidriss/restaurant-website-php-mysql/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/jairiidriss/restaurant-website-php-mysql/issues/6
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/cve/CVE-2026-14622
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/845099
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376138
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376138/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

934Records found

CVE-2022-31013
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.37% / 68.63%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 22:35
Updated-23 Apr, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication bypass in Vartalap chat-server

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.

Action-Not Available
Vendor-chat_server_projectramank775
Product-chat_serverchat-server
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-20
Improper Input Validation
CVE-2019-6808
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-8.16% / 94.17%
||
7 Day CHG~0.00%
Published-22 May, 2019 | 20:05
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-284: Improper Access Control vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a remote code execution by overwriting configuration settings of the controller over Modbus.

Action-Not Available
Vendor-n/a
Product-modicon_quantummodicon_quantum_firmwaremodicon_m580_firmwaremodicon_premium_firmwaremodicon_premiummodicon_m340modicon_m340_firmwaremodicon_m580Modicon M580 Modicon M340 Modicon Quantum Modicon Premium
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-31266
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.80% / 52.16%
||
7 Day CHG~0.00%
Published-29 Jun, 2022 | 00:46
Updated-20 Mar, 2025 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.

Action-Not Available
Vendor-iliasn/a
Product-iliasn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-31125
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-19.73% / 97.08%
||
7 Day CHG+3.80%
Published-06 Jul, 2022 | 00:00
Updated-23 Apr, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass in Roxy-wi

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-roxy-wihap-wi
Product-roxy-wiroxy-wi
CWE ID-CWE-287
Improper Authentication
CVE-2022-29775
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-59.92% / 99.02%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 13:59
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.

Action-Not Available
Vendor-ispyconnectn/a
Product-ispyn/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-30238
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-8.3||HIGH
EPSS-0.92% / 55.82%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 22:45
Updated-17 Sep, 2024 | 03:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to take over the admin account when an attacker hijacks a session. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Action-Not Available
Vendor-
Product-wiser_smart_eer21000wiser_smart_eer21001_firmwarewiser_smart_eer21000_firmwarewiser_smart_eer21001Wiser Smart
CWE ID-CWE-287
Improper Authentication
CVE-2022-30230
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.3||CRITICAL
EPSS-1.03% / 59.43%
||
7 Day CHG+0.01%
Published-14 Jun, 2022 | 09:21
Updated-12 Nov, 2025 | 08:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to create a new user with administrative permissions.

Action-Not Available
Vendor-Siemens AG
Product-sicam_gridedge_essentialSICAM GridEdge (Classic)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-6521
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.6||HIGH
EPSS-1.93% / 77.51%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 21:00
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebAccess/SCADA, Version 8.3. Specially crafted requests could allow a possible authentication bypass that could allow an attacker to obtain and manipulate sensitive information.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadan/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-2628
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-4.01% / 89.31%
||
7 Day CHG~0.00%
Published-12 Mar, 2018 | 15:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

Action-Not Available
Vendor-Red Hat, Inc.CURL
Product-curlenterprise_linux_desktopenterprise_linux_workstationenterprise_linux_servercurl
CWE ID-CWE-287
Improper Authentication
CVE-2022-28660
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.06% / 60.32%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 14:32
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode

Action-Not Available
Vendor-n/aGrafana Labs
Product-grafanan/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2010-4333
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-7.12% / 93.48%
||
7 Day CHG~0.00%
Published-22 Dec, 2010 | 01:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.

Action-Not Available
Vendor-pangramsoftn/a
Product-pointter_php_micro-blogging_social_networkn/a
CWE ID-CWE-287
Improper Authentication
CVE-2010-4478
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.24% / 89.82%
||
7 Day CHG~0.00%
Published-06 Dec, 2010 | 22:00
Updated-28 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.

Action-Not Available
Vendor-n/aOpenBSD
Product-opensshn/a
CWE ID-CWE-287
Improper Authentication
CVE-2010-4252
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-8.08% / 94.10%
||
7 Day CHG~0.00%
Published-06 Dec, 2010 | 21:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Action-Not Available
Vendor-n/aOpenSSL
Product-openssln/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-18908
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.18% / 64.02%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:16
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-51767
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.3||HIGH
EPSS-1.14% / 62.66%
||
7 Day CHG~0.00%
Published-14 Jul, 2025 | 10:18
Updated-15 Jul, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-HPE AutoPass License Server
CWE ID-CWE-287
Improper Authentication
CVE-2010-3905
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-7.5||HIGH
EPSS-2.86% / 85.06%
||
7 Day CHG~0.00%
Published-22 Dec, 2010 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The password reset feature in the administrator interface for Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which allows remote attackers to gain privileges by sending password reset requests for other users.

Action-Not Available
Vendor-eucalyptusn/a
Product-eucalyptusn/a
CWE ID-CWE-287
Improper Authentication
CVE-2010-3896
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.63% / 73.26%
||
7 Day CHG~0.00%
Published-12 Nov, 2010 | 21:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ESSearchApplication directory tree in IBM OmniFind Enterprise Edition 8.x and 9.x does not require authentication, which allows remote attackers to modify the server configuration via a request to palette.do.

Action-Not Available
Vendor-n/aIBM Corporation
Product-omnifindn/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-10777
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.48%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 22:30
Updated-04 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ealpha072 Student-Management-System Administrative Backend config.php improper authentication

A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component Administrative Backend. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-ealpha072
Product-Student-Management-System
CWE ID-CWE-287
Improper Authentication
CVE-2017-20133
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.62% / 45.13%
||
7 Day CHG~0.00%
Published-16 Jul, 2022 | 06:15
Updated-14 Apr, 2025 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Itech Job Portal Script admin improper authentication

A vulnerability, which was classified as critical, was found in Itech Job Portal Script 9.13. This affects an unknown part of the file /admin. The manipulation leads to improper authentication. It is possible to initiate the attack remotely.

Action-Not Available
Vendor-itechscriptsItech
Product-job_portal_scriptJob Portal Script
CWE ID-CWE-287
Improper Authentication
CVE-2022-26082
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-18.61% / 96.91%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-15819
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.21% / 86.62%
||
7 Day CHG~0.00%
Published-30 Aug, 2019 | 12:37
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication.

Action-Not Available
Vendor-restaurant_reservations_projectn/a
Product-restaurant_reservationsn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-2664
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.58% / 43.41%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 10:45
Updated-14 Apr, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private Cloud Management Platform POST Request global_config_query improper authentication

A vulnerability classified as critical has been found in Private Cloud Management Platform. Affected is an unknown function of the file /management/api/rcx_management/global_config_query of the component POST Request Handler. The manipulation leads to improper authentication. It is possible to launch the attack remotely. VDB-205614 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-private_cloud_management_platform_projectunspecified
Product-private_cloud_management_platformPrivate Cloud Management Platform
CWE ID-CWE-287
Improper Authentication
CVE-2019-15106
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-25.48% / 97.69%
||
7 Day CHG~0.00%
Published-16 Aug, 2019 | 02:44
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_opmanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-10243
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.63% / 45.71%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 09:00
Updated-01 Jun, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Smart Parking System Admin Endpoint missing authentication

A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.

Action-Not Available
Vendor-Source Code & Projects
Product-Smart Parking System
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26562
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.12% / 79.62%
||
7 Day CHG~0.00%
Published-01 Apr, 2022 | 00:00
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in provider/libserver/ECPamAuth.cpp of Zarafa >= 6.30 (introduced between 6.30.0 RC1e and 6.30.8 final).

Action-Not Available
Vendor-kopanon/a
Product-groupware_coren/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-14985
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-11.32% / 95.45%
||
7 Day CHG~0.00%
Published-13 Aug, 2019 | 19:17
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

Action-Not Available
Vendor-eq-3n/a
Product-homematic_ccu2_firmwarehomematic_ccu3_firmwarehomematic_ccu3homematic_ccu2n/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-25251
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.80% / 75.80%
||
7 Day CHG~0.00%
Published-16 Mar, 2022 | 14:03
Updated-16 Apr, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PTC Axeda agent and Axeda Desktop Server Missing Authentication For Critical Function

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product’s configuration.

Action-Not Available
Vendor-ptcPTC
Product-axeda_desktop_serveraxeda_agentAxeda Desktop Server for WindowsAxeda agent
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-3899
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.3||HIGH
EPSS-1.41% / 69.47%
||
7 Day CHG~0.00%
Published-22 Apr, 2019 | 15:20
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.

Action-Not Available
Vendor-heketi_projectThe Heketi ProjectRed Hat, Inc.
Product-openshift_container_platformheketiheketi
CWE ID-CWE-592
DEPRECATED: Authentication Bypass Issues
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-24259
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.00% / 78.36%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 16:10
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request.

Action-Not Available
Vendor-voipmonitorn/a
Product-voipmonitorn/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-24047
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-5.3||MEDIUM
EPSS-1.87% / 76.74%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 19:51
Updated-03 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-14618.

Action-Not Available
Vendor-bmcBMC
Product-track-it\!Track-It!
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2010-1670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.55% / 72.14%
||
7 Day CHG~0.00%
Published-06 Jul, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aMahara
Product-maharan/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-45750
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-0.51% / 39.47%
||
7 Day CHG+0.02%
Published-25 Sep, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in TheGreenBow Windows Standard VPN Client 6.87.108 (and older), Windows Enterprise VPN Client 6.87.109 (and older), Windows Enterprise VPN Client 7.5.007 (and older), Android VPN Client 6.4.5 (and older) VPN Client Linux 3.4 (and older), VPN Client MacOS 2.4.10 (and older) allows a remote attacker to execute arbitrary code via the IKEv2 Authentication phase, it accepts malformed ECDSA signatures and establishes the tunnel.

Action-Not Available
Vendor-n/athegreenbow
Product-n/aandroid_vpnwindows_standard_vpnvpn_client_macoswindows_enterprise_vpnvpn_client_linux
CWE ID-CWE-287
Improper Authentication
CVE-2019-15585
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-1.63% / 73.40%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 02:21
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitlab CE/EE
CWE ID-CWE-287
Improper Authentication
CVE-2010-1022
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.48% / 70.83%
||
7 Day CHG~0.00%
Published-19 Mar, 2010 | 18:35
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.

Action-Not Available
Vendor-marcus_krausen/aTYPO3 Association
Product-t3sec_saltedpwtypo3n/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-14910
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.05% / 60.24%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 14:16
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-keycloakKeycloak
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-592
DEPRECATED: Authentication Bypass Issues
CWE ID-CWE-295
Improper Certificate Validation
CVE-2025-7875
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.67% / 47.34%
||
7 Day CHG~0.00%
Published-20 Jul, 2025 | 07:14
Updated-27 Aug, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Metasoft 美特软件 MetaCRM debug.jsp improper authentication

A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-metasoftMetasoft 美特软件
Product-metacrmMetaCRM
CWE ID-CWE-287
Improper Authentication
CVE-2022-28106
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.11% / 61.91%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 12:48
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Online Sports Complex Booking System v1.0 was discovered to allow attackers to take over user accounts via a crafted POST request.

Action-Not Available
Vendor-online_sports_complex_booking_system_projectn/a
Product-online_sports_complex_booking_systemn/a
CWE ID-CWE-287
Improper Authentication
CVE-2009-4830
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.34% / 81.54%
||
7 Day CHG-0.07%
Published-27 Apr, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attackers to bypass authentication and obtain access to an Administrator account via unknown vectors, possibly related to www/admin/install.php, www/admin/install-plugins.php, and other www/admin/ files.

Action-Not Available
Vendor-openxn/a
Product-openxn/a
CWE ID-CWE-287
Improper Authentication
CVE-2009-4843
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.11% / 79.54%
||
7 Day CHG~0.00%
Published-07 May, 2010 | 17:43
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ToutVirtual VirtualIQ Pro before 3.5 build 8691 does not require administrative authentication for JBoss console access, which allows remote attackers to execute arbitrary commands via requests to (1) the JMX Management Console or (2) the Web Console.

Action-Not Available
Vendor-toutvirtualn/a
Product-virtualiqn/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-14909
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.08% / 60.93%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 14:34
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-keycloakKeycloak
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-592
DEPRECATED: Authentication Bypass Issues
CVE-2022-30034
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-1.34% / 67.85%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 13:13
Updated-03 Aug, 2024 | 06:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.

Action-Not Available
Vendor-flower_projectn/a
Product-flowern/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-20033
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.10% / 61.67%
||
7 Day CHG~0.00%
Published-29 Jul, 2020 | 17:30
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Aspire-derived NEC PBXes, including all versions of SV8100 devices, a set of documented, static login credentials may be used to access the DIM interface.

Action-Not Available
Vendor-n/aNEC Corporation
Product-sv8100_firmwaresv8100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2010-0554
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.54% / 71.82%
||
7 Day CHG~0.00%
Published-04 Feb, 2010 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack.

Action-Not Available
Vendor-geoppn/a
Product-geo\+\+_gncastern/a
CWE ID-CWE-287
Improper Authentication
CVE-2009-5077
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.49% / 70.89%
||
7 Day CHG~0.00%
Published-08 Jun, 2011 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php.

Action-Not Available
Vendor-creloadedn/a
Product-cre_loadedn/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-16613
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.35% / 94.27%
||
7 Day CHG~0.00%
Published-21 Nov, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.

Action-Not Available
Vendor-n/aOpenStackDebian GNU/Linux
Product-debian_linuxswiftswauthn/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-41791
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.9||MEDIUM
EPSS-0.37% / 28.61%
||
7 Day CHG+0.03%
Published-08 Apr, 2025 | 08:22
Updated-23 Sep, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time.

Action-Not Available
Vendor-Siemens AG
Product-7kt_pac1260_data_manager7kt_pac1260_data_manager_firmwareSENTRON 7KT PAC1260 Data Manager
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2009-4929
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.46% / 82.44%
||
7 Day CHG~0.00%
Published-09 Jul, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

Action-Not Available
Vendor-sweetphpn/a
Product-totalcalendern/a
CWE ID-CWE-287
Improper Authentication
CVE-2009-4987
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-6.43% / 92.87%
||
7 Day CHG~0.00%
Published-25 Aug, 2010 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211.

Action-Not Available
Vendor-scripteenn/a
Product-free_image_hosting_scriptn/a
CWE ID-CWE-287
Improper Authentication
CVE-2009-4584
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.63% / 73.33%
||
7 Day CHG~0.00%
Published-06 Jan, 2010 | 21:33
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

admin.php in dB Masters Multimedia Links Directory 3.1.3 allows remote attackers to bypass authentication and gain administrative access via a certain value of the admin_log cookie.

Action-Not Available
Vendor-dbmastersn/a
Product-db_masters_multimedia_links_directoryn/a
CWE ID-CWE-287
Improper Authentication
CVE-2017-16634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.87% / 88.91%
||
7 Day CHG~0.00%
Published-09 Nov, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 18
  • 19
  • Next
Details not found