Total
3738 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0625 | 4 Adobe, Apple, Microsoft and 1 more | 4 Coldfusion, Mac Os X, Windows and 1 more | 2025-10-22 | 6.8 MEDIUM | 9.8 CRITICAL |
| Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013. | |||||
| CVE-2023-28461 | 1 Arraynetworks | 14 Ag1000, Ag1000t, Ag1000v5 and 11 more | 2025-10-22 | N/A | 9.8 CRITICAL |
| Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon." | |||||
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-32030 | 1 Asus | 4 Gt-ac2900, Gt-ac2900 Firmware, Lyra Mini and 1 more | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN. | |||||
| CVE-2020-5849 | 1 Unraid | 1 Unraid | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| Unraid 6.8.0 allows authentication bypass. | |||||
| CVE-2018-10561 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. | |||||
| CVE-2016-7836 | 1 Skygroup | 1 Skysea Client View | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program. | |||||
| CVE-2015-7755 | 1 Juniper | 1 Screenos | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session. | |||||
| CVE-2015-1187 | 2 Dlink, Trendnet | 30 Dir-626l, Dir-626l Firmware, Dir-636l and 27 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp. | |||||
| CVE-2024-53704 | 1 Sonicwall | 24 Nsa 2700, Nsa 3700, Nsa 4700 and 21 more | 2025-10-21 | N/A | 9.8 CRITICAL |
| An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. | |||||
| CVE-2023-46805 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-10-21 | N/A | 8.2 HIGH |
| An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. | |||||
| CVE-2023-35082 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-10-21 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier. | |||||
| CVE-2023-35078 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-10-21 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | |||||
| CVE-2025-11852 | 2025-10-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-61922 | 2025-10-21 | N/A | 9.1 CRITICAL | ||
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-11942 | 2025-10-21 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11625 | 2025-10-21 | N/A | N/A | ||
| Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials. | |||||
| CVE-2025-59280 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-20 | N/A | 3.1 LOW |
| Improper authentication in Windows SMB Client allows an unauthorized attacker to perform tampering over a network. | |||||
| CVE-2025-55293 | 1 Meshtastic | 1 Meshtastic Firmware | 2025-10-17 | N/A | 9.4 CRITICAL |
| Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3. | |||||