Total: 76 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-41862 | | | 2026-06-17 | N/A | 5.3 MEDIUM | Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse. This issue affects VS Contact Form: from n/a through 14.0. |
| CVE-2023-24890 | 1 Microsoft | 1 Onedrive | 2026-06-17 | N/A | 6.5 MEDIUM | Microsoft OneDrive for iOS Security Feature Bypass Vulnerability |
| CVE-2026-0274 | | | 2026-06-11 | N/A | N/A | An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources. |
| CVE-2026-6274 | | | 2026-06-08 | N/A | 9.8 CRITICAL | Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Redline WR3200: from 7.1.3 before 7.1.8. |
| CVE-2026-40417 | 1 Microsoft | 1 Dynamics 365 Business Central | 2026-06-03 | N/A | 7.8 HIGH | Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally. |
| CVE-2026-44237 | 1 Sangoma | 1 Freepbx | 2026-06-01 | N/A | 8.1 HIGH | FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8. |
| CVE-2026-49323 | | | 2026-05-29 | N/A | 4.3 MEDIUM | Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation. |
| CVE-2026-49322 | | | 2026-05-29 | N/A | 4.3 MEDIUM | Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation. |
| CVE-2026-6886 | | | 2026-05-19 | N/A | 9.8 CRITICAL | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user. |
| CVE-2026-0204 | 1 Sonicwall | 64 Nsa 2650, Nsa 2700, Nsa 2800 and 61 more | 2026-05-05 | N/A | 8.0 HIGH | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. |
| CVE-2026-32497 | | | 2026-04-29 | N/A | 5.3 MEDIUM | Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse. This issue affects User Verification: from n/a through <= 2.0.45. |
| CVE-2025-70994 | | | 2026-04-24 | N/A | 7.3 HIGH | Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack. |
| CVE-2025-62844 | 1 Qnap | 1 Qurouter | 2026-04-14 | N/A | 5.5 MEDIUM | A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later. |
| CVE-2026-4828 | 1 Devolutions | 1 Devolutions Server | 2026-04-03 | N/A | 8.2 HIGH | Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. |
| CVE-2026-4924 | 1 Devolutions | 1 Devolutions Server | 2026-04-03 | N/A | 8.2 HIGH | Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token. |
| CVE-2026-27478 | 1 Unitycatalog | 1 Unitycatalog | 2026-03-16 | N/A | 9.1 CRITICAL | Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider. |
