VYPR

CWE-1390

Weak Authentication

Class | Incomplete

Description

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

CVEs mapped to this weakness (33)

  • CVE-2025-7326 | High | Jul 8, 2025
    risk 0.46 | cvss 7.0 | epss 0.01

    Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon…

  • CVE-2025-62844 | Medium | Mar 20, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later

  • CVE-2026-32497 | Medium | Mar 25, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse. This issue affects User Verification: from n/a through <= 2.0.45.

  • CVE-2025-47479 | Medium | Jul 4, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Weak Authentication vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Authentication Abuse. This issue affects WP Compress: from n/a through <= 6.30.30.

  • CVE-2023-41862 | Medium | Dec 13, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse. This issue affects VS Contact Form: from n/a through 14.0.

  • CVE-2026-49323 | Medium | May 29, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM…

  • CVE-2026-49322 | Medium | May 29, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN…

  • CVE-2025-29991 | Low | Apr 3, 2025
    risk 0.14 | cvss 2.2 | epss 0.00

    Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification.

  • CVE-2026-27478 | Mar 11, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from…

  • CVE-2025-47889 | May 14, 2025
    risk 0.00 | cvss n/a | epss 0.01

    In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames…

  • CVE-2025-24070 | Mar 11, 2025
    risk 0.00 | cvss n/a | epss 0.01

    Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-1293 | Feb 20, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

  • CVE-2023-41900 | Sep 15, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already…