Total: 69 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47938 | 1 Typo3 | 1 Typo3 | 2026-06-17 | N/A | 3.8 LOW |
| TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem. | |||||
| CVE-2025-46748 | | | 2026-06-17 | N/A | 2.7 LOW |
| An authenticated user attempting to change their password could do so without using the current password. | |||||
| CVE-2025-46389 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| CWE-620: Unverified Password Change | |||||
| CVE-2025-3849 | 1 Yxj2018 | 1 Springboot-vue-onlineexam | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument studentId leads to unverified password change. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3793 | | | 2026-06-17 | N/A | 4.2 MEDIUM |
| The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts. | |||||
| CVE-2025-3607 | | | 2026-06-17 | N/A | 8.8 HIGH |
| The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2025-3603 | 1 Flynax | 1 Flynax Bridge | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2025-2253 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating a user's password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's password, including administrators, if the user's email is known. | |||||
| CVE-2025-22381 | | | 2026-06-17 | N/A | 8.2 HIGH |
| Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password. | |||||
| CVE-2025-1107 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoint ‘/public/cgi/Gateway.php’. | |||||
| CVE-2025-14751 | | | 2026-06-17 | N/A | N/A |
| A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. | |||||
| CVE-2025-13148 | 2 Ibm, Linux | 2 Aspera Orchestrator, Linux Kernel | 2026-06-17 | N/A | 8.1 HIGH |
| IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password. | |||||
| CVE-2025-11235 | 1 Progress | 1 Moveit Transfer | 2026-06-17 | N/A | 3.7 LOW |
| Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. | |||||
| CVE-2025-10159 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). | |||||
| CVE-2024-9431 | 1 Superagi | 1 Superagi | 2026-06-17 | N/A | 8.8 HIGH |
| In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover. | |||||
| CVE-2024-8794 | 1 Ba-booking | 1 Ba Book Everything | 2026-06-17 | N/A | 5.3 MEDIUM |
| The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible. | |||||
| CVE-2024-51493 | 1 Octoprint | 1 Octoprint | 2026-06-17 | N/A | 5.3 MEDIUM |
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-48887 | 1 Fortinet | 1 Fortiswitch | 2026-06-17 | N/A | 9.8 CRITICAL |
| An unverified password change vulnerability in the Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request. | |||||
| CVE-2024-47784 | | | 2026-06-17 | N/A | 2.6 LOW |
| Unverified Password Change in ANC software allows an authenticated attacker to bypass the old-password check in the password change form via the web HMI. This issue affects ANC software version 1.1.4 and earlier. | |||||
| CVE-2024-45647 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2026-06-17 | N/A | 5.6 MEDIUM |
| IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow an unverified user to change the password of an expired user without prior knowledge of that password. | |||||
