Search Results (3610 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-8419 2026-04-15 7.5 High
The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication.
CVE-2025-36758 1 Solax 1 Solax Cloud 2026-04-15 N/A
It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle.
CVE-2025-68609 1 Palantir 1 Aries 2026-04-15 6.6 Medium
A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window.
CVE-2025-36756 1 Solax 1 Solax Cloud 2026-04-15 N/A
A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known.
CVE-2025-30215 2026-04-15 9.6 Critical
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.
CVE-2025-32738 2026-04-15 5.3 Medium
Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
CVE-2025-0132 1 Paloaltonetworks 1 Cortex Xdr Broker Vm 2026-04-15 N/A
A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM.  The attacker must have network access to the Broker VM to exploit this issue.
CVE-2025-10204 1 Lg 1 Ac Smart 2026-04-15 N/A
A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.
CVE-2024-49587 1 Palantir 1 Gotham 2026-04-15 9.1 Critical
Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances
CVE-2024-27169 1 Toshibatec 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more 2026-04-15 8.4 High
Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL.
CVE-2024-39707 2026-04-15 5.3 Medium
Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19; kernel 5.4, version 05.46.19; kernel 5.5, version 05.54.19; kernel 5.6, version 05.61.19.
CVE-2025-54860 1 Cognex 2 In-sight Camera Firmware, In Sight Explorer 2026-04-15 7.7 High
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service allows a denial-of-service attack, leaving the telnet service into an unreachable state.
CVE-2025-41686 2026-04-15 7.8 High
A low-privileged local attacker can exploit improper permissions on nssm.exe to escalate their privileges and gain administrative access.
CVE-2024-39601 2026-04-15 6.5 Medium
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities.
CVE-2025-8861 2026-04-15 9.8 Critical
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
CVE-2025-41655 2026-04-15 7.5 High
An unauthenticated remote attacker can access a URL which causes the device to reboot.
CVE-2025-41654 2026-04-15 8.2 High
An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
CVE-2024-32720 2026-04-15 5.3 Medium
Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality.This issue affects Appointment Hour Booking: from n/a through 1.4.56.
CVE-2025-41651 2026-04-15 9.8 Critical
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.
CVE-2024-32676 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro allows Removing Important Client Functionality.This issue affects LoginPress Pro: from n/a before 3.0.0.