Total: 1982 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0919 | 1 Kavitareader | 1 Kavita | 2026-02-25 | N/A | 8.1 HIGH |
| Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. | |||||
| CVE-2022-28771 | 1 Sap | 1 Business One License Service Api | 2026-02-25 | 5.0 MEDIUM | 7.5 HIGH |
| Due to a missing authentication check, SAP Business One License Service API - version 10.0 allows an unauthenticated attacker to send malicious HTTP requests over the network. On successful exploitation, an attacker can break the whole application, making it inaccessible. | |||||
| CVE-2026-23693 | | | 2026-02-24 | N/A | 10.0 CRITICAL |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site. | |||||
| CVE-2025-54158 | 1 Synology | 1 Beedrive | 2026-02-24 | N/A | 7.8 HIGH |
| Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2026-27471 | 1 Frappe | 1 Erpnext | 2026-02-24 | N/A | 9.1 CRITICAL |
| ERPNext is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation, which allowed unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1. | |||||
| CVE-2024-5749 | 1 Hp | 30 1jl02b, 1jl02b Firmware, F9a29a and 27 more | 2026-02-24 | N/A | 7.5 HIGH |
| Certain HP DesignJet products may be vulnerable to credential reflection, which allows viewing SMTP server credentials. | |||||
| CVE-2025-11529 | 1 Churchcrm | 1 Churchcrm | 2026-02-24 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue. | |||||
| CVE-2021-47727 | 1 Selea | 23 Carplateserver, Izero Box Full, Izero Box Full Firmware and 20 more | 2026-02-23 | N/A | 5.3 MEDIUM |
| Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage. | |||||
| CVE-2021-47731 | 1 Selea | 23 Carplateserver, Izero Box Full, Izero Box Full Firmware and 20 more | 2026-02-23 | N/A | 9.8 CRITICAL |
| Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password 'Selea781830' to enable configuration upload and overwrite device settings. | |||||
| CVE-2026-25791 | 1 Bishopfox | 1 Sliver | 2026-02-23 | N/A | 7.5 HIGH |
| Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0. | |||||
| CVE-2025-70141 | 1 Oretnom23 | 1 Customer Support System | 2026-02-23 | N/A | 9.4 CRITICAL |
| SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification. | |||||
| CVE-2024-3281 | 1 Hp | 6 Poly Ccx 350, Poly Ccx 400, Poly Ccx 500 and 3 more | 2026-02-20 | N/A | 8.8 HIGH |
| A vulnerability was discovered in the firmware builds after 8.0.2.3267 and prior to 8.1.3.1301 in CCX devices. A flaw in the firmware build process did not properly restrict access to a resource from an unauthorized actor. | |||||
| CVE-2026-25885 | 1 Polarlearn | 1 Polarlearn | 2026-02-20 | N/A | 7.5 HIGH |
| PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group’s chatContent, so this is not just a visual spam issue. | |||||
| CVE-2025-70146 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | N/A | 9.1 CRITICAL |
| Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g., adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session. | |||||
| CVE-2025-70147 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | N/A | 7.5 HIGH |
| Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information (including plaintext password field values) via direct HTTP GET requests to these endpoints without a valid session. | |||||
| CVE-2026-26235 | 1 Jung-group | 2 Smart Visu Server, Smart Visu Server Firmware | 2026-02-20 | N/A | 7.5 HIGH |
| JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remotely shut down or reboot the server. Attackers can send a single POST request to trigger the server reboot without requiring any authentication. | |||||
| CVE-2026-26319 | 1 Openclaw | 1 Openclaw | 2026-02-20 | N/A | 7.5 HIGH |
| OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14. | |||||
| CVE-2026-24790 | | | 2026-02-20 | N/A | 8.2 HIGH |
| The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication. | |||||
| CVE-2026-26048 | | | 2026-02-20 | N/A | 7.5 HIGH |
| The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker can use this to cause unauthorized disruptions and create a denial-of-service condition. | |||||
| CVE-2024-22449 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.6 MEDIUM |
| Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contain a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. | |||||
