Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-58375

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Jun, 2026 | 15:58
Updated At-01 Jul, 2026 | 14:44
Rejected At-
Credits

JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Jun, 2026 | 15:58
Updated At:01 Jul, 2026 | 14:44
Rejected At:
▼CVE Numbering Authority (CNA)
JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Affected Products
Vendor
jeecgboot
Product
jimureport
Repo
https://github.com/jeecgboot/jimureport
Default Status
unaffected
Versions
Affected
  • From 0 through 2.5.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-306Missing Authentication for Critical Function
Type: CWE
CWE ID: CWE-306
Description: Missing Authentication for Critical Function
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
George Chen
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/jeecgboot/jimureport/issues/4694
technical-description
exploit
https://www.vulncheck.com/advisories/jimureport-unauthenticated-report-export-via-jmreport-auto-export
third-party-advisory
Hyperlink: https://github.com/jeecgboot/jimureport/issues/4694
Resource:
technical-description
exploit
Hyperlink: https://www.vulncheck.com/advisories/jimureport-unauthenticated-report-export-via-jmreport-auto-export
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Jun, 2026 | 17:16
Updated At:02 Jul, 2026 | 18:45

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
N/A
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-306Secondarydisclosure@vulncheck.com
CWE ID: CWE-306
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/jeecgboot/jimureport/issues/4694disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/jimureport-unauthenticated-report-export-via-jmreport-auto-exportdisclosure@vulncheck.com
N/A
Hyperlink: https://github.com/jeecgboot/jimureport/issues/4694
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/jimureport-unauthenticated-report-export-via-jmreport-auto-export
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

278Records found

CVE-2025-25224
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.06%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 00:12
Updated-15 Sep, 2025 | 17:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.

Action-Not Available
Vendor-luxsoftLuxSoft
Product-luxcal_web_calendarThe LuxCal Web Calendar
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-6376
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.50% / 38.96%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 20:10
Updated-16 Jun, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authentication for critical function in SpiceJet Online Booking System

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

Action-Not Available
Vendor-SpiceJet
Product-Online Booking System
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-4240
Matching Score-4
Assigner-Honeywell International Inc.
ShareView Details
Matching Score-4
Assigner-Honeywell International Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 16:15
Updated-09 Jan, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated API allowing an attacker to obtain the information about network resources

Missing Authentication for Critical Function vulnerability in Honeywell OneWireless allows Authentication Bypass. This issue affects OneWireless version 322.1

Action-Not Available
Vendor-Honeywell International Inc.
Product-onewireless_network_wireless_device_manageronewireless_network_wireless_device_manager_firmwareOneWireless
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-41629
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.87%
||
7 Day CHG~0.00%
Published-31 Oct, 2022 | 19:51
Updated-16 Apr, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-infrasuite_device_masterInfraSuite Device Master
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-4228
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.21% / 64.74%
||
7 Day CHG~0.00%
Published-30 Nov, 2022 | 00:00
Updated-19 Nov, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Book Store Management System information disclosure

A vulnerability classified as problematic has been found in SourceCodester Book Store Management System 1.0. This affects an unknown part of the file /bsms_ci/index.php/user/edit_user/. The manipulation of the argument password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214587.

Action-Not Available
Vendor-book_store_management_system_projectSourceCodester
Product-book_store_management_systemBook Store Management System
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-5749
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8.7||HIGH
EPSS-0.27% / 18.63%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 13:23
Updated-19 May, 2026 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inadequate access control vulnerability in Fullstep

Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise the confidentiality of the affected resource, provided they have a valid token with which to interact with the API.

Action-Not Available
Vendor-Fullstep
Product-Fullstep
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-56270
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.38% / 30.25%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 11:53
Updated-26 Jun, 2026 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise - Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter. Remote attackers can send a GET request to harvest sensitive API credentials for Google, Microsoft/Azure, GitHub, and Auth0 integrations. This affects FlowiseAI Cloud and self-hosted instances where the endpoint is exposed.

Action-Not Available
Vendor-flowiseaiFlowise
Product-flowiseFlowise
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-17517
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.27% / 80.89%
||
7 Day CHG~0.00%
Published-27 Apr, 2021 | 08:22
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ozone S3 Gateway allows bucket and key access to non authenticated users

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ozoneApache Ozone
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-15078
Matching Score-4
Assigner-OpenVPN Inc.
ShareView Details
Matching Score-4
Assigner-OpenVPN Inc.
CVSS Score-7.5||HIGH
EPSS-5.11% / 91.34%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 13:19
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Action-Not Available
Vendor-openvpnn/aCanonical Ltd.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxfedoraopenvpnOpenVPN
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-14567
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.68% / 48.03%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 16:02
Updated-23 Dec, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
haxxorsid Stock-Management-System employees missing authentication

A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-haxxorsidhaxxorsid
Product-stock-management-systemStock-Management-System
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-38817
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.94% / 85.44%
||
7 Day CHG~0.00%
Published-03 Oct, 2022 | 12:32
Updated-03 Aug, 2024 | 11:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-dapr_dashboardn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-11949
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.43% / 34.41%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 06:49
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digiwin|EasyFlow .NET and EasyFlow AiNet - Missing Authentication

EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.

Action-Not Available
Vendor-Digiwin
Product-EasyFlow AiNetEasyFlow .NET
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-13856
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.16% / 63.42%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 01:18
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.

Action-Not Available
Vendor-mofinetworkn/a
Product-mofi4500-4gxelte_firmwaremofi4500-4gxelten/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-11579
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-26.46% / 97.76%
||
7 Day CHG~0.00%
Published-03 Sep, 2020 | 17:15
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

Action-Not Available
Vendor-chadhaajayn/aThe PHP Group
Product-phpphpkbn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-12266
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.72% / 74.72%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 14:33
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards and other statistics, but the pages can be accessed externally without any authentication. All the pages follow the naming convention live_(string).shtml. Among the information disclosed is: interface status logs, IP address of the device, MAC address of the device, model and current firmware version, location, all running processes, all interfaces and their statuses, all current DHCP leases and the associated hostnames, all other wireless networks in range of the router, memory statistics, and components of the configuration of the device such as enabled features. Affected devices: Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3,Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn531g3wn531a6_firmwarewn531a6wn578a2_firmwarewn579g3_firmwarewn579x3wl-wn575a3_firmwarewn579x3_firmwarewn579g3wn57x93wl-wn530hg4wn551k1wl-wn579g3wn535g3_firmwarewn531g3_firmwarewn551k1_firmwarewn535g3wn530h4_firmwarewn530h4wl-wn575a3jetstream_erac3000_firmwarewl-wn579g3_firmwarewl-wn530hg4_firmwarewn533a8_firmwarewn57x93_firmwarejetstream_ac3000_firmwarewn533a8jetstream_erac3000wn578a2jetstream_ac3000n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10833
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.40% / 31.71%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 17:14
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with Q(10.0) software. The DeX Lockscreen allows attackers to access the quick panel and notifications. The Samsung ID is SVE-2019-16532 (March 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10973
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-7.76% / 93.91%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 17:50
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn551k1wn531g3wn531g3_firmwarewn551k1_firmwarewn530hg4_firmwarewn530hg4wn533a8_firmwarewn533a8n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10974
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.69% / 74.22%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 17:42
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn531a6_firmwarewn531a6wn578a2_firmwarewn579g3_firmwarewn575a4wn579x3wl-wn575a3_firmwarewn579x3_firmwarewn572hg3_firmwarewn579g3wn572hg3wn57x93wl-wn579g3wn535g3_firmwarewn530h4wn535g3wn530h4_firmwarewl-wn575a3wn575a4_firmwarejetstream_erac3000_firmwarewl-wn579g3_firmwarewn57x93_firmwarejetstream_ac3000_firmwarejetstream_erac3000wn578a2jetstream_ac3000n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-0355
Matching Score-4
Assigner-NEC Corporation
ShareView Details
Matching Score-4
Assigner-NEC Corporation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.17%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 07:23
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to get a Wi-Fi password via the network.

Action-Not Available
Vendor-NEC Corporation
Product-WX4200D5WX3000HPWG1200CRWF1200CRWG2600HM4WG2600HS2GB1200PEWG2600HSWG2600HP4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-25058
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.40% / 32.13%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 16:03
Updated-23 Apr, 2026 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vexa's unauthenticated internal transcript endpoint exposed by default

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.

Action-Not Available
Vendor-vexaVexa-ai
Product-vexavexa
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2026-25071
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.51% / 39.87%
||
7 Day CHG~0.00%
Published-07 Mar, 2026 | 00:20
Updated-11 May, 2026 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XikeStor SKS8310-8X switch_config.src Missing Authentication

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers to download device configuration files. Attackers can access this endpoint without credentials to retrieve sensitive configuration information including VLAN settings and IP addressing details.

Action-Not Available
Vendor-seekswanAnhui Seeker Electronic Technology Co., LTD.
Product-zikestor_sks8310-8xzikestor_sks8310-8x_firmwareXikeStor SKS8310-8X
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2011-4322
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.17% / 63.69%
||
7 Day CHG~0.00%
Published-21 Jan, 2020 | 14:57
Updated-07 Aug, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

websitebaker prior to and including 2.8.1 has an authentication error in backup module.

Action-Not Available
Vendor-websitebakerwebsitebaker
Product-websitebakerwebsitebaker
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-35572
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.75% / 50.32%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 21:17
Updated-03 Aug, 2024 | 09:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-e5350e5350_firmwaren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-25751
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.27% / 18.48%
||
7 Day CHG~0.00%
Published-06 Feb, 2026 | 19:07
Updated-10 Feb, 2026 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FUXA Unauthenticated Exposure of Plaintext Database Credentials

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Action-Not Available
Vendor-frangoteamfrangoteam
Product-fuxaFUXA
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2022-34908
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-0.64% / 46.12%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or cookie in a request. Therefore, an attacker may send a simple HTTP request to the right endpoint, and obtain authorization to retrieve application data.

Action-Not Available
Vendor-aremisn/a
Product-aremis_4_nomadsn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-287
Improper Authentication
CVE-2024-58336
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.35% / 26.93%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 22:41
Updated-16 Jan, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Akuvox Smart Intercom S539 Unauthenticated Video Stream Disclosure

Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices.

Action-Not Available
Vendor-The Akuvox CompanyAkuvox (SMART-PLUS PTE. LTD.)
Product-r20a-2x915s539s532_firmwarer20k-2r29ns-2c313w-2x915_firmwares539_firmwarenx-2_firmwarenc-2_firmwarenx-2x916x912nc-2x916_firmwarens-2_firmwarex912_firmwarec313w-2_firmwares532r20a-2_firmwarer20k-2_firmwarer29_firmwareAkuvox Smart IntercomAkuvox Smart Doorphone
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-58300
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.35% / 26.74%
||
7 Day CHG~0.00%
Published-11 Dec, 2025 | 21:39
Updated-07 Apr, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability

Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.

Action-Not Available
Vendor-Siklu
Product-MultiHaul TG series
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-32157
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-7.5||HIGH
EPSS-1.26% / 65.94%
||
7 Day CHG+0.03%
Published-15 Jun, 2022 | 16:50
Updated-17 Sep, 2024 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads

Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunkSplunk Enterprise
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-5749
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-7.5||HIGH
EPSS-1.21% / 64.82%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 17:27
Updated-24 Feb, 2026 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Certain HP DesignJet products – Credential reflection

Certain HP DesignJet products may be vulnerable to credential reflection which allow viewing SMTP server credentials.

Action-Not Available
Vendor-HP Inc.
Product-f9a29c_firmwaref9a29e_firmwaref9a29b_firmwaref9a29g_firmwaref9a30cf9a30et5d66a_firmwaref9a29af9a29df9a30g_firmwaref9a30bf9a30d_firmwaref9a29gf9a30e_firmwaref9a30gf9a30a_firmware1jl02b_firmwaref9a29a_firmwaref9a30c_firmwaref9a29d_firmwaref9a29cf9a30a1jl02bf9a29et5d67a_firmwaref9a30b_firmwaret5d66at5d67af9a29bf9a30dCertain HP DesignJet productsdesignjet_t830_firmwaredesignjet_t730_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-33138
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-1.15% / 62.87%
||
7 Day CHG~0.00%
Published-12 Jul, 2022 | 10:06
Updated-03 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device.

Action-Not Available
Vendor-Siemens AG
Product-simatic_mv540_s_firmwaresimatic_mv540_ssimatic_mv560_x_firmwaresimatic_mv560_usimatic_mv560_u_firmwaresimatic_mv550_s_firmwaresimatic_mv540_hsimatic_mv550_h_firmwaresimatic_mv550_ssimatic_mv560_xsimatic_mv550_hsimatic_mv540_h_firmwareSIMATIC MV560 USIMATIC MV540 SSIMATIC MV540 HSIMATIC MV550 HSIMATIC MV550 SSIMATIC MV560 X
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-15654
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.55% / 72.00%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 17:18
Updated-05 Aug, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext.

Action-Not Available
Vendor-comban/a
Product-ac2400_firmwareac2400n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-53623
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.79%
||
7 Day CHG~0.00%
Published-29 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-n/aarcher_c7_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-1724
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.46% / 36.60%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:34
Updated-27 Mar, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Critical Function in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-50589
Matching Score-4
Assigner-SEC Consult Vulnerability Lab
ShareView Details
Matching Score-4
Assigner-SEC Consult Vulnerability Lab
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.72%
||
7 Day CHG~0.00%
Published-08 Nov, 2024 | 11:34
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unprotected FHIR API

An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).

Action-Not Available
Vendor-HASOMEDhasomed
Product-Elefantelefant
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-50630
Matching Score-4
Assigner-Synology Inc.
ShareView Details
Matching Score-4
Assigner-Synology Inc.
CVSS Score-7.5||HIGH
EPSS-22.72% / 97.44%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 05:50
Updated-19 Mar, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-Synology Drive Server
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-27169
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-1.64% / 73.51%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26067
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-4.9||MEDIUM
EPSS-1.22% / 65.03%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48771
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.55%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process

Action-Not Available
Vendor-n/aalmando
Product-n/aalmando_play_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48774
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.50% / 39.34%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitve information via the firmware update process.

Action-Not Available
Vendor-n/afermax
Product-n/avida
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48777
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 39.85%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process.

Action-Not Available
Vendor-n/aledvance
Product-n/asmartplus_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26267
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.43% / 69.80%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 22:57
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

Action-Not Available
Vendor-n/aPiwigo
Product-piwigon/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48775
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 39.85%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process.

Action-Not Available
Vendor-n/astarvedia
Product-n/aezset_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48768
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.18%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process

Action-Not Available
Vendor-n/aalmando
Product-n/aalmando_control_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-48791
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.24%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Plug n Play Camera com.starvedia.mCamView.zwave 5.5.1 allows a remote attacker to obtain sensitive information via the firmware update process

Action-Not Available
Vendor-n/aplug_n_play_camera
Product-n/aplug_n_play_camera
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-24990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-84.05% / 99.66%
||
7 Day CHG~0.00%
Published-07 Feb, 2023 | 00:00
Updated-07 Nov, 2025 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-03-03||Apply updates per vendor instructions.

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

Action-Not Available
Vendor-terra-mastern/aTerraMaster
Product-t6-423u12-322-9100f4-423f5-221u8-111u4-111u8-423u8-522-9400u16-722-2224f2-422u16-322-9100f4-421t12-423t12-450f2-221f5-422f4-422u4-423u8-322-9100t9-423f2-210u12-722-2224u12-423f2-423f2-223t9-450terramaster_operating_systemu24-722-2224u4-211u8-722-2224n/aTerraMaster OS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-45276
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.21%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 10:28
Updated-24 Jan, 2025 | 07:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MB connect line/Helmholz: tmp directory exposed via webservice

An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication.

Action-Not Available
Vendor-helmholzmbconnectlineHelmholzMB connect linemb_connect_linehelmholz
Product-mbnet.mini_firmwarembnet.minirex_100_firmwarerex_100REX100mbNET.minimbnet.minirex_100_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-25236
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.40% / 32.33%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 19:27
Updated-29 Dec, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iSeeQ Hybrid DVR WH-H4 1.03R Unauthenticated Live Stream Disclosure

iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication.

Action-Not Available
Vendor-iSeeQ
Product-Hybrid DVR WH-H4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-54130
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 43.39%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 21:42
Updated-01 Jul, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
M365 Copilot Information Disclosure Vulnerability

Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-365_copilotMicrosoft 365 Copilot
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-42178
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-2.5||LOW
EPSS-0.17% / 6.15%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 21:24
Updated-16 May, 2025 | 13:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL MyXalytics is affected by a failure to restrict URL access vulnerability

HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsHCL MyXalytics
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-19822
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-8.67% / 94.47%
||
7 Day CHG~0.00%
Published-27 Jan, 2020 | 17:55
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12.

Action-Not Available
Vendor-kctvjejuhcn_max-c300n_projectcoshipcikteltbroadiodatasapidohiwififg-productsn/aTOTOLINKRealtek Semiconductor Corp.
Product-a702r_firmwarehcn_max-c300nwn-ac1167rn300rt_firmwaremax-c300n_firmwareemta_ap_firmwrea3002run150rtn200rewn-ac1167r_firmwren302rhcn_max-c300n_firmwarertk_11n_apmesh_router_firmwaren200re_firmwareemta_apwireless_ap_firmwarea3002ru_firmwaregr297n_firmwarefgn-r2gn-866acfgn-r2_firmwarertk_11n_ap_firmwaren301rt_firmwaremax-c300na702rgr297nn301rtn150rt_firmwaremesh_routern300rtn302r_firmwarewireless_apgn-866ac_firmwaren100re_firmwaren100ren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found