Export limit exceeded: 362761 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (84 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49340 | 2026-04-15 | 9.8 Critical | ||
| An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to escalate privileges and bypass authentication via incorrect access control in the web management portal. | ||||
| CVE-2024-45367 | 1 Optigo | 1 Ons-s8 Firmware | 2026-04-15 | 9.1 Critical |
| The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password. | ||||
| CVE-2024-47397 | 2026-04-15 | 7.5 High | ||
| Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an undocumented specific string. | ||||
| CVE-2025-1727 | 2026-04-15 | 8.1 High | ||
| The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems. | ||||
| CVE-2024-54092 | 2026-04-15 | 9.8 Critical | ||
| A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user. | ||||
| CVE-2024-39848 | 1 Internet2 | 1 Grouper | 2026-04-15 | 9.1 Critical |
| Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and the use of the UyY29r password for the M3vwHr account. This also affects "Grouper for Web Services" before 4.13.1. | ||||
| CVE-2025-7326 | 1 Microsoft | 1 Aspnetcore | 2026-04-15 | 7 High |
| Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry. | ||||
| CVE-2025-11084 | 1 Rockwellautomation | 1 Factorytalk | 2026-04-15 | N/A |
| A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. | ||||
| CVE-2025-29991 | 2026-04-15 | 2.2 Low | ||
| Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification. | ||||
| CVE-2025-62844 | 2 Qnap, Qnap Systems | 2 Qurouter, Qurouter | 2026-04-14 | 5.5 Medium |
| A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | ||||
| CVE-2023-53894 | 1 Dulldusk | 2 Phpfilemanager, Phpfm | 2026-04-07 | 9.8 Critical |
| phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server. | ||||
| CVE-2026-4828 | 1 Devolutions | 2 Devolutions Server, Server | 2026-04-07 | 8.2 High |
| Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. | ||||
| CVE-2026-4924 | 1 Devolutions | 2 Devolutions Server, Server | 2026-04-07 | 8.2 High |
| Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token. | ||||
| CVE-2026-27478 | 1 Unitycatalog | 1 Unitycatalog | 2026-03-23 | 9.1 Critical |
| Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider. | ||||
| CVE-2025-15595 | 2 Jrsoftware, Mlsoft | 2 Inno Setup, Inno Setup | 2026-03-13 | 7.8 High |
| Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions. | ||||
| CVE-2025-30412 | 3 Acronis, Linux, Microsoft | 5 Acronis Cyber Protect 15, Acronis Cyber Protect 16, Cyber Protect and 2 more | 2026-03-12 | N/A |
| Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800. | ||||
| CVE-2025-30411 | 3 Acronis, Linux, Microsoft | 5 Acronis Cyber Protect 15, Acronis Cyber Protect 16, Cyber Protect and 2 more | 2026-03-12 | N/A |
| Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800. | ||||
| CVE-2025-40552 | 1 Solarwinds | 1 Web Help Desk | 2026-02-27 | 9.8 Critical |
| SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | ||||
| CVE-2025-47995 | 1 Microsoft | 1 Azure Machine Learning | 2026-02-26 | 6.5 Medium |
| Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-50173 | 2 Microsoft, Multimedia | 28 Windows, Windows 10 1507, Windows 10 1607 and 25 more | 2026-02-26 | 7.8 High |
| Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally. | ||||