VYPR

CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 21 of 121
  • CVE-2026-39322 · High · Apr 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account…

  • CVE-2026-39324 · Critical · Apr 7, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of…

  • CVE-2026-34121 · High · Apr 2, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append…

  • CVE-2026-33746 · Critical · Apr 2, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt,…

  • CVE-2026-31946 · Critical · Mar 30, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method…

  • CVE-2026-0558 · Critical · Mar 29, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the…

  • CVE-2026-33322 · Critical · Mar 24, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary…

  • CVE-2026-0629 · High · Jan 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to…

  • CVE-2025-6979 · High · Oct 23, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    Captive Portal can allow authentication bypass

  • CVE-2025-10293 · High · Oct 15, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This…

  • CVE-2025-7955 · Critical · Aug 28, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user…

  • CVE-2024-57491 · High · Aug 20, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass vulnerability in jobx up to v1.0.1-RELEASE allows an attacker to access sensitive API endpoints without any token via the preHandle function.

  • CVE-2025-6926 · High · Jul 3, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows Bypass Authentication. This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

  • CVE-2025-6916 · High · Jun 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be…

  • CVE-2024-57190 · Critical · Jun 10, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.

  • CVE-2025-4144 · Critical · May 1, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: …

  • CVE-2025-1475 · Critical · Mar 7, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any…

  • CVE-2025-26326 · High · Feb 28, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept…

  • CVE-2024-1609 · High · Dec 25, 2024
    risk 0.57 · cvss n/a · epss 0.00

    In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation.

  • CVE-2024-0130 · High · Dec 6, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. A successful exploit of this vulnerability might lead to…