Total
446 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2416 | 2025-09-04 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass.This issue affects LimonDesk: from s1.02.14 before v1.02.17. | |||||
| CVE-2025-2411 | 2025-09-04 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft TaskPano allows Authentication Bypass.This issue affects TaskPano: from s1.06.04 before v1.06.06. | |||||
| CVE-2025-2417 | 2025-09-04 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft e-Mutabakat allows Authentication Bypass.This issue affects e-Mutabakat: from 2.02.06 before v2.02.06. | |||||
| CVE-2025-8742 | 1 Macrozheng | 1 Mall | 2025-09-02 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in macrozheng mall 1.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Admin Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3129 | 1 Access Code Project | 1 Access Code | 2025-09-02 | N/A | 4.8 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.4. | |||||
| CVE-2025-2412 | 2025-09-02 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft QR Menu allows Authentication Bypass.This issue affects QR Menu: from s1.05.07 before v1.05.12. | |||||
| CVE-2025-2414 | 2025-09-02 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass.This issue affects OctoCloud: from s1.09.03 before v1.11.01. | |||||
| CVE-2025-2413 | 2025-09-02 | N/A | 8.6 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft ProKuafor allows Authentication Bypass.This issue affects ProKuafor: from s1.02.08 before v1.02.08. | |||||
| CVE-2025-9004 | 1 Mtons | 1 Mblog | 2025-08-27 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-8927 | 1 Mtons | 1 Mblog | 2025-08-27 | 2.6 LOW | 3.7 LOW |
| A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-7393 | 1 Mqanneh | 1 Mail Login | 2025-08-27 | N/A | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail Login: from 3.0.0 before 3.2.0, from 4.0.0 before 4.2.0. | |||||
| CVE-2025-52392 | 2025-08-19 | N/A | 5.4 MEDIUM | ||
| Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts. | |||||
| CVE-2025-6004 | 1 Hashicorp | 1 Vault | 2025-08-13 | N/A | 5.3 MEDIUM |
| Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | |||||
| CVE-2025-6015 | 1 Hashicorp | 1 Vault | 2025-08-13 | N/A | 5.7 MEDIUM |
| Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | |||||
| CVE-2025-54998 | 1 Openbao | 1 Openbao | 2025-08-12 | N/A | 5.3 MEDIUM |
| OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/. | |||||
| CVE-2025-55003 | 1 Openbao | 1 Openbao | 2025-08-12 | N/A | 5.7 MEDIUM |
| OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/. | |||||
| CVE-2025-46414 | 2025-08-08 | N/A | 8.1 HIGH | ||
| The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025. | |||||
| CVE-2025-28172 | 1 Grandstream | 2 Ucm6510, Ucm6510 Firmware | 2025-08-06 | N/A | 6.5 MEDIUM |
| Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack. | |||||
| CVE-2024-49342 | 1 Ibm | 1 Informix Dynamic Server | 2025-08-06 | N/A | 7.5 HIGH |
| IBM Informix Dynamic Server 12.10 and 14.10 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | |||||
| CVE-2025-53544 | 2025-08-05 | N/A | 7.5 HIGH | ||
| Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0. | |||||