Total: 1982 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-50977 | | | 2026-02-03 | N/A | 7.5 HIGH | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. |
| CVE-2022-50978 | | | 2026-02-03 | N/A | 7.5 HIGH | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). |
| CVE-2022-50979 | | | 2026-02-03 | N/A | 6.5 MEDIUM | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). |
| CVE-2022-50980 | | | 2026-02-03 | N/A | 6.5 MEDIUM | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. |
| CVE-2026-25137 | | | 2026-02-03 | N/A | 9.1 CRITICAL | The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If kept, searching access logs and/or Odoo's log for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05. |
| CVE-2025-54816 | 1 Evmapa | 1 Evmapa | 2026-02-02 | N/A | 9.4 CRITICAL | This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. |
| CVE-2021-47802 | 1 Tenda | 4 D151, D151 Firmware, D301 and 1 more | 2026-02-02 | N/A | 7.5 HIGH | Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to the /goform/getimage endpoint to download configuration data, including admin credentials, without authentication. |
| CVE-2025-68716 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | N/A | 8.4 HIGH | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 have the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. |
| CVE-2026-22238 | 1 Blusparkglobal | 1 Bluvoyix | 2026-02-02 | N/A | 9.8 CRITICAL | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in as the newly created admin user. |
| CVE-2026-23944 | 1 Arcane | 1 Arcane | 2026-02-02 | N/A | 9.8 CRITICAL | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. |
| CVE-2025-69285 | 1 Fit2cloud | 1 Sqlbot | 2026-02-02 | N/A | 6.1 MEDIUM | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. |
| CVE-2026-1410 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2026-01-30 | 6.2 MEDIUM | 6.4 MEDIUM | A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-54942 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | N/A | 9.8 CRITICAL | A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication. |
| CVE-2025-65731 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2026-01-30 | N/A | 6.8 MEDIUM | An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to the presence of root terminal access on a serial interface without proper access control. |
| CVE-2025-68715 | 1 Pandawireless | 2 Pwru01, Pwru01 Firmware | 2026-01-30 | N/A | 9.1 CRITICAL | An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. |
| CVE-2020-36963 | | | 2026-01-29 | N/A | 7.5 HIGH | Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. |
| CVE-2026-0492 | 1 Sap | 1 Hana Database | 2026-01-27 | N/A | 8.8 HIGH | SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. This exploit could result in a total compromise of the system's confidentiality, integrity, and availability. |
| CVE-2023-31594 | 1 Icrealtime | 2 Icip-p2012t, Icip-p2012t Firmware | 2026-01-27 | N/A | 7.5 HIGH | IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network. |
| CVE-2025-12386 | | | 2026-01-27 | N/A | N/A | Pix-Link LV-WR21Q does not enforce any form of authentication for the endpoint /goform/getHomePageInfo. A remote unauthenticated attacker is able to use this endpoint to, e.g., retrieve the cleartext password of the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2025-11198 | 1 Juniper | 1 Security Director Policy Enforcer | 2026-01-26 | N/A | 7.4 HIGH | A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: all versions before 23.1R1 Hotpatch v3. This issue does not affect Junos Space Security Director Insights. |
