ReportizFlow
Filtered by vendor
Subscriptions
Total
533 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26227 | 1 Videolan | 2 Vlc, Vlc For Android | 2026-03-05 | 3.7 Low |
| VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user. | ||||
| CVE-2026-24436 | 1 Tenda | 2 W30e, W30e Firmware | 2026-03-05 | 9.8 Critical |
| Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials. | ||||
| CVE-2025-36363 | 1 Ibm | 1 Devops Plan | 2026-03-05 | 5.9 Medium |
| IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | ||||
| CVE-2026-27824 | 2 Calibre-ebook, Kovidgoyal | 2 Calibre, Calibre | 2026-03-04 | 5.3 Medium |
| calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue. | ||||
| CVE-2026-27753 | 3 Shenzhen Hongyavision Technology Co, Sodola-network, Sodolanetworks | 4 Sodola Sl902-swtgw124as, Sl902-swtgw124as, Sl902-swtgw124as Firmware and 1 more | 2026-03-03 | 6.5 Medium |
| SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limiting restrictions to gain unauthorized access to the device management interface. | ||||
| CVE-2026-27521 | 1 Binardat | 3 10g08-0800gsm, 10g08-0800gsm Firmware, 10g08-0800gsm Network Switch | 2026-03-02 | 7.5 High |
| Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior do not implement rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user credentials. | ||||
| CVE-2026-22278 | 1 Dell | 1 Powerscale Onefs | 2026-02-26 | 8.1 High |
| Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | ||||
| CVE-2023-6912 | 1 M-files | 1 M-files Server | 2026-02-23 | 7.5 High |
| Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | ||||
| CVE-2026-1685 | 2 D-link, Dlink | 3 Dir-823x, Dir-823x, Dir-823x Firmware | 2026-02-23 | 3.7 Low |
| A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | ||||
| CVE-2026-1409 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-02-23 | 2 Low |
| A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2021-41807 | 1 M-files | 2 M-files Server, M-files Web | 2026-02-23 | 7.5 High |
| Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | ||||
| CVE-2025-7630 | 1 Doruk Communication And Automation Industry And Trade Inc. | 1 Wispotter | 2026-02-19 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force.This issue affects Wispotter: from 1.0 before v2025.10.08.1. | ||||
| CVE-2026-25577 | 1 Emmett-framework | 1 Core | 2026-02-12 | 7.5 High |
| Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11. | ||||
| CVE-2025-67853 | 1 Moodle | 1 Moodle | 2026-02-11 | 7.5 High |
| A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. | ||||
| CVE-2024-38176 | 1 Microsoft | 1 Groupme | 2026-02-11 | 8.1 High |
| An improper restriction of excessive authentication attempts in GroupMe allows a unauthenticated attacker to elevate privileges over a network. | ||||
| CVE-2025-27456 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | 7.5 High |
| The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | ||||
| CVE-2025-27449 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | 7.5 High |
| The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | ||||
| CVE-2025-1710 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | 7.5 High |
| The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | ||||
| CVE-2025-49186 | 2 Avaya, Sick | 6 Media Server, Baggage Analytics, Field Analytics and 3 more | 2026-02-03 | 5.3 Medium |
| The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | ||||
| CVE-2025-53968 | 1 Evmapa | 1 Evmapa | 2026-02-02 | 7.5 High |
| This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. | ||||