Total
2286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12484 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks. | |||||
| CVE-2025-1907 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected. | |||||
| CVE-2025-11852 | 2026-04-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2017-20213 | 2026-04-15 | N/A | 7.5 HIGH | ||
| FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. | |||||
| CVE-2024-12957 | 2026-04-15 | N/A | N/A | ||
| A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | |||||
| CVE-2024-52285 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data. | |||||
| CVE-2024-14007 | 2026-04-15 | N/A | N/A | ||
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | |||||
| CVE-2025-59097 | 2026-04-15 | N/A | N/A | ||
| The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | |||||
| CVE-2025-61778 | 2026-04-15 | N/A | N/A | ||
| Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it's possible for untrusted parties to connect to a private key'd Akka.NET cluster and begin communicating with it without any certificate. The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52. Those who run Akka.NET inside a private network that they fully control or who were never using TLS in the first place are now affected by the bug. However, those who use TLS to secure their networks must upgrade to Akka.NET V1.5.52 or later. One patch forces "fail fast" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. The second patch, a critical fix, enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. As a workaround, avoid exposing the application publicly to avoid the vulnerability having a practical impact on one's application. However, upgrading to version 1.5.52 is still recommended by the maintainers. | |||||
| CVE-2025-7679 | 2026-04-15 | N/A | 8.1 HIGH | ||
| The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT | |||||
| CVE-2025-12349 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects. | |||||
| CVE-2019-25248 | 2026-04-15 | N/A | 7.5 HIGH | ||
| Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism. | |||||
| CVE-2018-25137 | 2026-04-15 | N/A | 7.5 HIGH | ||
| FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation. | |||||
| CVE-2026-1632 | 2026-04-15 | N/A | 9.1 CRITICAL | ||
| MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | |||||
| CVE-2021-47709 | 2026-04-15 | N/A | N/A | ||
| COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. Attackers can trigger a denial-of-service scenario by sending a malformed request to the setconf endpoint. | |||||
| CVE-2025-32377 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models (LLMs). A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the credentials.yml file. This could allow an attacker to submit voice data to the Rasa Pro assistant from an unauthenticated source. This issue has been patched for audiocodes, audiocodes_stream, and genesys connectors in versions 3.9.20, 3.10.19, 3.11.7 and 3.12.6. | |||||
| CVE-2025-55108 | 2026-04-15 | N/A | 10.0 CRITICAL | ||
| The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration). NOTE: * The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent. * The vendor notifies that Control-M/Agent is not impacted in Control-M SaaS | |||||
| CVE-2025-1272 | 2026-04-15 | N/A | 7.7 HIGH | ||
| The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. Additionally unsigned modules can be loaded, leading to execution of untrusted code breaking breaking any Secure Boot protection. This vulnerability affects only Fedora Linux. | |||||
| CVE-2025-8861 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents. | |||||
| CVE-2025-9574 | 2026-04-15 | N/A | 10.0 CRITICAL | ||
| Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects . All firmware versions with the Serial Number from 2000 to 5166 | |||||