Total: 250 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30127 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779. | |||||
| CVE-2025-46742 | | | 2026-04-15 | N/A | 4.3 MEDIUM |
| Users who were required to change their password could still access system information before changing their password. | |||||
| CVE-2025-55034 | | | 2026-04-15 | N/A | 8.2 HIGH |
| General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. | |||||
| CVE-2019-19145 | | | 2026-04-15 | N/A | 5.8 MEDIUM |
| Quantum SuperLoader 3 V94.0 005E.0h devices allow attackers to access the hardcoded fa account because there are only 65536 possible passwords. | |||||
| CVE-2024-3263 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| YMS VIS Pro is an information system for veterinary and food administration, veterinarians and farm. Due to a combination of improper method for system credentials generation and weak password policy, passwords can be easily guessed and enumerated through brute force attacks. Successful attacks can lead to unauthorised access and execution of operations based on assigned user permissions. This vulnerability affects VIS Pro in versions <= 3.3.0.6. This vulnerability has been mitigated by changes in authentication mechanisms and implementation of additional authentication layer and strong password policies. | |||||
| CVE-2023-41923 | | | 2026-04-15 | N/A | 7.2 HIGH |
| The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords. | |||||
| CVE-2024-3735 | | | 2026-04-15 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Smart Office up to 20240405. It has been classified as problematic. Affected is an unknown function of the file Main.aspx. The manipulation of the argument New Password/Confirm Password with the input 1 leads to weak password requirements. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. VDB-260574 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-29208 | | | 2026-04-15 | N/A | 2.2 LOW |
| An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later. | |||||
| CVE-2026-33771 | | | 2026-04-13 | N/A | 7.4 HIGH |
| A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. | |||||
| CVE-2026-34203 | 1 Networktocode | 1 Nautobot | 2026-04-07 | N/A | 2.7 LOW |
| Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10. | |||||
| CVE-2025-55269 | 1 Hcltech | 1 Aftermarket Cloud | 2026-03-26 | N/A | 4.2 MEDIUM |
| HCL Aftermarket DPC is affected by Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts. | |||||
| CVE-2026-27575 | 1 Vikunja | 1 Vikunja | 2026-03-05 | N/A | 9.1 CRITICAL |
| Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix. | |||||
| CVE-2022-29098 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | 5.0 MEDIUM | 8.1 HIGH |
| Dell PowerScale OneFS versions 8.2.0.x through 9.3.0.x, contain a weak password requirement vulnerability. An administrator may create an account with no password. A remote attacker may potentially exploit this leading to a user account compromise. | |||||
| CVE-2025-68716 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | N/A | 8.4 HIGH |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 have the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | |||||
| CVE-2025-68963 | 1 Huawei | 2 Emui, Harmonyos | 2026-01-15 | N/A | 5.7 MEDIUM |
| Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-11200 | 1 Lfprojects | 1 Mlflow | 2025-12-31 | N/A | 9.8 CRITICAL |
| MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916. | |||||
| CVE-2025-63800 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-19 | N/A | 7.5 HIGH |
| The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts. | |||||
| CVE-2025-23408 | 1 Apache | 1 Fineract | 2025-12-18 | N/A | 6.5 MEDIUM |
| Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release. | |||||
| CVE-2025-53963 | 1 Thermofisher | 2 Ion Torrent Onetouch 2, Ion Torrent Onetouch 2 Firmware | 2025-12-16 | N/A | 9.8 CRITICAL |
| An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-9514 | 1 Macrozheng | 1 Mall | 2025-11-26 | 2.6 LOW | 3.7 LOW |
| A vulnerability has been found in macrozheng mall up to 1.0.3. This impacts an unknown function of the component Registration. Such manipulation leads to weak password requirements. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. The vendor deleted the GitHub issue for this vulnerability without any explanation. | |||||
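
Several rows above share the same handful of mechanisms: a password-change or user-creation endpoint that trusts the client and stores an empty string (CVE-2025-63800, CVE-2022-29098), a policy that admits single-character or dictionary passwords (CVE-2023-41923, CVE-2026-27575), an API path that skips the validators the framework would otherwise apply (CVE-2026-34203), and sessions that survive a password change (CVE-2026-27575). The block below is an added example written for this page, not code from any of the listed projects. It is in Python and shows the weak handler beside a hardened one; the `User` record, the in-memory session set, `MIN_LENGTH`, `PBKDF2_ROUNDS` and the short `COMMON_PASSWORDS` denylist are assumptions standing in for a real application's storage and policy.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy constants are assumptions for this example, not any vendor's defaults.
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "admin", "letmein"}


@dataclass
class User:
    """In-memory stand-in for an application user record (assumed, not real)."""
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    sessions: set = field(default_factory=set)  # live session tokens


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def check_password_policy(password, username: str) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    Each check maps to a failure pattern from the CVE table."""
    if not password:
        # Empty or omitted parameter accepted: CVE-2025-63800, CVE-2022-29098.
        return ["empty"]
    problems = []
    if len(password) < MIN_LENGTH:
        # Single-character passwords: CVE-2023-41923.
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        # '1234' / 'password' accepted: CVE-2026-27575.
        problems.append("common")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    return problems


def change_password_weak(user: User, new_password, repeat) -> bool:
    """The flawed pattern: only a client-side check exists, so an empty or
    missing parameter is stored as the password and sessions are untouched."""
    if (new_password or "") != (repeat or ""):
        return False
    user.pw_hash = hash_password(new_password or "", user.salt)
    return True


def change_password_hardened(user: User, new_password, repeat,
                             current_session: str) -> list:
    """Server-side policy on every path (UI and API alike), then rotate sessions.
    Returns the violations; an empty list means the change was applied."""
    if new_password != repeat:
        return ["mismatch"]
    problems = check_password_policy(new_password, user.username)
    if problems:
        return problems
    user.pw_hash = hash_password(new_password, user.salt)
    # Keep only the session that made the change, so a session an attacker
    # already holds dies with the old password (second half of CVE-2026-27575).
    user.sessions = {current_session}
    return []


if __name__ == "__main__":
    u = User("alice")
    u.sessions = {"victim-browser", "attacker-session"}
    print("weak handler accepted empty password:", change_password_weak(u, "", ""))
    print("empty password now authenticates:", verify_password(u, ""))
    print("hardened on '1234':", change_password_hardened(u, "1234", "1234", "victim-browser"))
    strong = "correct horse battery staple"
    print("hardened on a strong value:", change_password_hardened(u, strong, strong, "victim-browser"))
    print("sessions left after change:", u.sessions)
```

The point of running `check_password_policy` inside the handler rather than in the form layer is the Nautobot row: a REST client never sees the browser-side validation, so the only enforcement that counts is the one every code path hits. The session rotation is a separate control; a strong policy alone leaves an already-compromised session alive, which is why the Vikunja advisory lists both problems.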
