Vulnerabilities (CVE)

Filtered by CWE-287
Total 4193 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-5597 2026-06-17 N/A N/A
Improper Authentication vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Authentication Bypass.This issue affects airleader MASTER: 3.00571.
CVE-2025-5512 1 Quequnlong 1 Shiyi-blog 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, was found in quequnlong shiyi-blog up to 1.2.1. Affected is an unknown function of the file /api/sys/user/verifyPassword/ of the component Administrator Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5495 1 Netgear 2 Wnr614, Wnr614 Firmware 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was found in Netgear WNR614 1.1.0.28_1.0.1WW. It has been classified as critical. This affects an unknown part of the component URL Handler. The manipulation with the input %00currentsetting.htm leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This issue appears to have been circulating as an 0day since 2024.
CVE-2025-5437 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability classified as critical has been found in Multilaser Sirius RE016 MLT1.0. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5247 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, has been found in Gowabby HFish 0.1. This issue affects the function LoadUrl of the file \view\url.go. The manipulation of the argument r leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5149 1 Wcms 1 Wcms 2026-06-17 5.1 MEDIUM 5.6 MEDIUM
A vulnerability was found in WCMS up to 8.3.11. It has been declared as critical. Affected by this vulnerability is the function getMemberByUid of the file /index.php?articleadmin/getallcon of the component Login. The manipulation of the argument uid leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-59934 2026-06-17 N/A 9.4 CRITICAL
Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email verification token login path and the password reset server action use the same validator, which does not check the token’s signature, expiration, issuer, or audience. If an attacker learns the victim’s actual user.id, they can craft an arbitrary JWT with an alg: "none" header and use it to authenticate and reset the victim’s password. This issue has been patched in version 4.0.1.
CVE-2025-59704 1 Entrust 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more 2026-06-17 N/A 4.6 MEDIUM
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access the the BIOS menu because is has no password.
CVE-2025-59280 1 Microsoft 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more 2026-06-17 N/A 3.1 LOW
Improper authentication in Windows SMB Client allows an unauthorized attacker to perform tampering over a network.
CVE-2025-58443 1 Fogproject 1 Fogproject 2026-06-17 N/A 9.1 CRITICAL
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version.
CVE-2025-58065 1 Dpgaspar 1 Flask-appbuilder 2026-06-17 N/A 6.5 MEDIUM
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
CVE-2025-58060 1 Openprinting 1 Cups 2026-06-17 N/A 8.0 HIGH
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue.
CVE-2025-57434 1 Creacast 1 Creabox Manager 2026-06-17 N/A 8.8 HIGH
Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows.
CVE-2025-57278 1 Lb-link 2 Bl-cpe300m, Bl-cpe300m Firmware 2026-06-17 N/A 8.8 HIGH
The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP, without requiring credentials or verifying client identity. There are no session tokens, cookies, or unique identifiers in place. This flaw allows an attacker to obtain full administrative access simply by configuring their device to use the same IP address as a previously authenticated user. This results in a complete authentication bypass.
CVE-2025-56752 1 Ruijie 40 Rg-es205gc, Rg-es205gc-p, Rg-es205gc-p Firmware and 37 more 2026-06-17 N/A 9.4 CRITICAL
A vulnerability in the Ruijie RG-ES series switch firmware ESW_1.0(1)B1P39 enables remote attackers to fully bypass authentication mechanisms, providing them with unrestricted access to alter administrative settings and potentially seize control of affected devices via crafted HTTP POST request to /user.cgi.
CVE-2025-56578 2026-06-17 N/A 5.7 MEDIUM
An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and executearbitrary code via the lack of authentication mechanisms
CVE-2025-56447 2026-06-17 N/A 9.8 CRITICAL
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
CVE-2025-56333 1 Pangolin 1 Pangolin 2026-06-17 N/A 9.8 CRITICAL
An issue in Fossorial fosrl/pangolin v.1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component
CVE-2025-55340 1 Microsoft 9 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 6 more 2026-06-17 N/A 7.0 HIGH
Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally.
CVE-2025-55293 1 Meshtastic 1 Meshtastic Firmware 2026-06-17 N/A 9.4 CRITICAL
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.