Export limit exceeded: 351254 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2279 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2104 | 1 Jbl | 2 Live Pro 2 Tws, Tune Flex | 2026-04-15 | 8.8 High |
| Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable. | ||||
| CVE-2024-23815 | 1 Siemens | 1 Desigo Cc | 2026-04-15 | 7.5 High |
| A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp) | ||||
| CVE-2024-26519 | 1 Casa Systems | 1 Ntc-221 Firmware | 2026-04-15 | 9 Critical |
| An issue in Casa Systems NTC-221 version 2.0.99.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the /www/cgi-bin/nas.cgi component. | ||||
| CVE-2025-46275 | 2026-04-15 | 9.8 Critical | ||
| WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials. | ||||
| CVE-2024-27169 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 8.4 High |
| Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2025-5095 | 1 Burk | 1 Arc Solo | 2026-04-15 | 9.8 Critical |
| Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy. | ||||
| CVE-2025-52551 | 2026-04-15 | N/A | ||
| E2 Facility Management Systems use a proprietary protocol that allows for unauthenticated file operations on any file in the file system. | ||||
| CVE-2024-27758 | 1 Rpyc Project | 1 Rpyc | 2026-04-15 | 8.4 High |
| In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution. | ||||
| CVE-2024-31218 | 2026-04-15 | 9.8 Critical | ||
| Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network. | ||||
| CVE-2024-32752 | 1 Johnsoncontrols | 2 Icu, Software House Istar Pro Door Controller | 2026-04-15 | 9.1 Critical |
| The iSTAR door controllers running firmware prior to version 6.6.B, does not support authenticated communications with ICU, which may allow an attacker to gain unauthorized access | ||||
| CVE-2025-5310 | 2026-04-15 | 9.8 Critical | ||
| Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | ||||
| CVE-2024-36555 | 2026-04-15 | 9.8 Critical | ||
| Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device IMEI-number which allows for forging the identity of the device. | ||||
| CVE-2019-25226 | 1 Dongyoung | 1 Dm-ap240t/w Wireless Access Point | 2026-04-15 | N/A |
| Dongyoung Media DM-AP240T/W wireless access points contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/sys_system_config management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | ||||
| CVE-2024-57725 | 2026-04-15 | 6.5 Medium | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | ||||
| CVE-2024-58300 | 1 Siklu | 1 Multihaul Tg Series | 2026-04-15 | N/A |
| Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. | ||||
| CVE-2024-45438 | 2026-04-15 | 9.1 Critical | ||
| An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication. | ||||
| CVE-2024-45356 | 2026-04-15 | 7.3 High | ||
| A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods. | ||||
| CVE-2024-8310 | 1 Opwglobal | 1 Sitesentinel Firmware | 2026-04-15 | 9.8 Critical |
| OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges. | ||||
| CVE-2024-4332 | 1 Fortra | 1 Tripwire Enterprise | 2026-04-15 | N/A |
| An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification. | ||||
| CVE-2024-8419 | 2026-04-15 | 7.5 High | ||
| The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication. | ||||