Vulnerabilities (CVE)

Filtered by CWE-287
Total 4192 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-46548 2 Akka, Apache 2 Akka Management, Pekko Management 2026-06-17 N/A 6.5 MEDIUM
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
CVE-2025-46348 1 Yeswiki 1 Yeswiki 2026-06-17 N/A 10.0 CRITICAL
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.
CVE-2025-45777 1 Abeltechsoft 1 Chavara Matrimony 2026-06-17 N/A 9.8 CRITICAL
An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request.
CVE-2025-45583 1 Audi 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware 2026-06-17 N/A 9.1 CRITICAL
Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password.
CVE-2025-44083 1 Dlink 2 Di-8100, Di-8100 Firmware 2026-06-17 N/A 9.8 CRITICAL
An issue in D-Link DI-8100 16.07.26A1 allows a remote attacker to bypass administrator login authentication
CVE-2025-44005 2026-06-17 N/A 10.0 CRITICAL
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
CVE-2025-43995 1 Dell 1 Storage Manager 2026-06-17 N/A 9.8 CRITICAL
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes.
CVE-2025-43281 1 Apple 1 Macos 2026-06-17 N/A 7.8 HIGH
The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges.
CVE-2025-41459 2026-06-17 N/A 7.8 HIGH
Insufficient protection against brute-force and runtime manipulation in the local authentication component in Two App Studio Journey 5.5.6 on iOS allows local attackers to bypass biometric and PIN-based access control via repeated PIN attempts or dynamic code injection.
CVE-2025-41110 1 Ghostrobotics 2 Vision 60, Vision 60 Firmware 2026-06-17 N/A 8.8 HIGH
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
CVE-2025-41108 1 Ghostrobotics 2 Vision 60, Vision 60 Firmware 2026-06-17 N/A 9.8 CRITICAL
The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authentication mechanisms in the communication protocol allows an attacker to capture legitimate traffic between the robot and the controller, replicate it, and send any valid command to the robot from any attacking computer or device. The communication protocol used in this interface is based on MAVLink, a widely documented protocol, which increases the likelihood of attack. There are two methods for connecting to the robot remotely: Wi-Fi and 4G/LTE.
CVE-2025-41064 2026-06-17 N/A N/A
Incorrect authentication vulnerability in OpenSIAC, which could allow an attacker to impersonate a person using Cl@ve as an authentication method.
CVE-2025-41023 2026-06-17 N/A N/A
An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used.
CVE-2025-3910 1 Redhat 1 Build Of Keycloak 2026-06-17 N/A 5.4 MEDIUM
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
CVE-2025-3850 1 Yxj2018 1 Springboot-vue-onlineexam 2026-06-17 2.6 LOW 3.7 LOW
A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This issue affects some unknown processing of the component API. The manipulation leads to improper authentication. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-3659 2026-06-17 N/A N/A
Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020 * Digi One IAP – prior to and including 82000770 Z, build date 10/19/2020 A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.
CVE-2025-3634 1 Moodle 1 Moodle 2026-06-17 N/A 4.3 MEDIUM
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
CVE-2025-3627 1 Moodle 1 Moodle 2026-06-17 N/A 4.3 MEDIUM
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
CVE-2025-3621 2026-06-17 N/A 9.6 CRITICAL
Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems.  * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded Credentials * Improper Authentication * Binding to an Unrestricted IP Address The vulnerability has been rated as critical.This issue affects ActADUR: from v2.0.1.9 before v2.0.2.0., hence updating to version v2.0.2.0. or above is required.
CVE-2025-3268 1 Qinguoyi 1 Tinywebserver 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability has been found in qinguoyi TinyWebServer up to 1.0 and classified as critical. This vulnerability affects unknown code of the file http/http_conn.cpp. The manipulation of the argument m_url_real leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.