Vulnerabilities (CVE)

Filtered by CWE-306
Total 1982 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-1729 2026-02-12 N/A 9.8 CRITICAL
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.
CVE-2025-52024 1 Aptsys 1 Gemscms Backend 2026-02-11 N/A 9.4 CRITICAL
A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including, but not limited to, user transaction retrieval, credit adjustments, POS actions, and internal data queries.
CVE-2026-24789 2026-02-11 N/A 9.8 CRITICAL
An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.
CVE-2026-25084 2026-02-11 N/A 9.8 CRITICAL
Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.
CVE-2025-8025 2026-02-11 N/A 9.8 CRITICAL
Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-25751 1 Frangoteam 1 Fuxa 2026-02-10 N/A 7.5 HIGH
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CVE-2020-37157 2026-02-09 N/A 7.5 HIGH
DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file by accessing the /tmpfs/config_backup.bin resource and extract the hardcoded username and password from it.
CVE-2020-37146 2026-02-09 N/A 7.5 HIGH
ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings.
CVE-2026-2234 2026-02-09 N/A 9.1 CRITICAL
C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.
CVE-2026-24423 1 Smartertools 1 Smartermail 2026-02-06 N/A 9.8 CRITICAL
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.
CVE-2025-59367 1 Asus 6 Dsl-ac51, Dsl-ac51 Firmware, Dsl-ac750 and 3 more 2026-02-06 N/A 9.8 CRITICAL
An authentication bypass vulnerability has been identified in certain DSL series routers and may allow remote attackers to gain unauthorized access to the affected system. Refer to the 'Security Update for DSL Series Router' section of the ASUS Security Advisory for more information.
CVE-2026-24728 2026-02-04 N/A N/A
A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
CVE-2026-1453 2026-02-04 N/A 9.8 CRITICAL
A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product.
CVE-2026-1632 2026-02-04 N/A 9.1 CRITICAL
MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device.
CVE-2026-1341 2026-02-04 N/A N/A
Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.
CVE-2026-1633 2026-02-04 N/A 10.0 CRITICAL
The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device.
CVE-2025-5192 1 Scshr 1 Hr Portal 2026-02-04 N/A 7.5 HIGH
A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions.
CVE-2023-54335 1 Extplorer 1 Extplorer 2026-02-03 N/A 9.8 CRITICAL
eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to log in without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system.
CVE-2025-3646 1 Petlibro 1 Petlibro 2026-02-03 N/A 7.3 HIGH
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation.
CVE-2022-50981 2026-02-03 N/A 9.8 CRITICAL
An unauthenticated remote attacker can gain full access to the affected devices, as they are shipped without a password by default and setting one is not enforced.