Vulnerabilities (CVE)

Filtered by CWE-287
Total 4187 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-10288 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2026-10283 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
CVE-2026-10281 2026-06-17 7.5 HIGH 7.3 HIGH
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.
CVE-2026-10243 2026-06-17 7.5 HIGH 7.3 HIGH
A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.
CVE-2026-10167 2026-06-17 7.5 HIGH 7.3 HIGH
A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-10157 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.
CVE-2026-0953 2026-06-17 N/A 9.8 CRITICAL
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
CVE-2026-0842 2026-06-17 5.8 MEDIUM 6.3 MEDIUM
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-0633 2026-06-17 N/A 3.7 LOW
The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes).
CVE-2026-0629 2026-06-17 N/A N/A
Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.
CVE-2026-0589 1 Fabian 1 Online Product Reservation System 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used.
CVE-2026-0558 1 Lollms 1 Lollms 2026-06-17 N/A 9.8 CRITICAL
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
CVE-2026-0408 1 Netgear 8 Ex2800, Ex2800 Firmware, Ex3110 and 5 more 2026-06-17 N/A 8.0 HIGH
A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI.
CVE-2026-0407 1 Netgear 8 Ex2800, Ex2800 Firmware, Ex3110 and 5 more 2026-06-17 N/A 8.0 HIGH
An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel.
CVE-2026-0405 1 Netgear 50 Cbr750, Cbr750 Firmware, Nbr750 and 47 more 2026-06-17 N/A 7.8 HIGH
An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin.
CVE-2025-9994 2026-06-17 N/A 9.8 CRITICAL
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
CVE-2025-9965 2026-06-17 N/A N/A
Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device. This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9).
CVE-2025-9815 2 Alaneuler, Apple 2 Batterykid, Macos 2026-06-17 6.8 MEDIUM 7.8 HIGH
A weakness has been identified in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authentication. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited.
CVE-2025-9803 1 Lunary 1 Lunary 2026-06-17 N/A 8.8 HIGH
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.
CVE-2025-9533 1 Totolink 2 T10, T10 Firmware 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability has been found in TOTOLINK T10 4.1.8cu.5241_B20210927. Affected is an unknown function of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.