VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 11 of 49
  • CVE-2026-47281 · Critical · Jun 9, 2026
    risk 0.62 · cvss 9.6 · epss 0.01

    Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2024-27892 · Critical · Jun 4, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.

  • CVE-2024-27890 · Critical · Jun 4, 2026
    risk 0.62 · cvss 9.6 · epss 0.04

    Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.

  • CVE-2026-44211 · Critical · Jun 1, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches.

  • CVE-2021-3825 · Critical · Oct 1, 2021
    risk 0.62 · cvss 9.6 · epss 0.02

    On 2.1.15 version and below of Lider module in LiderAhenk software is leaking its configurations via an unsecured API. An attacker with an access to the configurations API could get valid LDAP credentials.

  • CVE-2026-11535 · Critical · Jun 12, 2026
    risk 0.61 · cvss n/a · epss 0.00

    An unauthorized access vulnerability exists in the PcSuite APP. The vulnerability can be exploited by attackers to Unauthorized access to the victim’s device.

  • CVE-2026-44592 · Critical · May 14, 2026
    risk 0.61 · cvss 9.4 · epss 0.00

    Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The…

  • CVE-2026-3893 · Critical · Apr 28, 2026
    risk 0.61 · cvss 9.4 · epss 0.00

    The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.

  • CVE-2026-4810 · Critical · Apr 13, 2026
    risk 0.61 · cvss n/a · epss 0.02

    A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting…

  • CVE-2026-29796 · Critical · Mar 20, 2026
    risk 0.61 · cvss 9.4 · epss 0.00

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging…

  • CVE-2026-25192 · Critical · Mar 20, 2026
    risk 0.61 · cvss 9.4 · epss 0.00

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging…

  • CVE-2026-26288 · Critical · Mar 6, 2026
    risk 0.61 · cvss 9.4 · epss 0.01

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging…

  • CVE-2026-26051 · Critical · Mar 6, 2026
    risk 0.61 · cvss 9.4 · epss 0.01

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging…

  • CVE-2026-22552 · Critical · Mar 6, 2026
    risk 0.61 · cvss 9.4 · epss 0.01

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging…

  • CVE-2025-13607 · Critical · Dec 10, 2025
    risk 0.61 · cvss 9.4 · epss 0.01

    A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.

  • CVE-2025-34414 · Critical · Dec 9, 2025
    risk 0.61 · cvss n/a · epss 0.01

    Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP…

  • CVE-2022-4980 · Critical · Sep 19, 2025
    risk 0.61 · cvss n/a · epss 0.01

    General Bytes Crypto Application Server (CAS) beginning with version 20201208 prior to 20220531.38 (backport) and 20220725.22 (mainline) contains an authentication bypass in the admin web interface. An unauthenticated attacker could invoke the same URL used by the product's…

  • CVE-2025-8286 · Critical · Jul 31, 2025
    risk 0.61 · cvss n/a · epss 0.01

    The affected products expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.

  • CVE-2025-34068 · Critical · Jul 15, 2025
    risk 0.61 · cvss n/a · epss 0.01

    An unauthenticated remote command execution vulnerability exists in Samsung WLAN AP WEA453e firmware prior to version 5.2.4.T1 via improper input validation in the “Tech Support” diagnostic functionality. The command1 and command2 POST or GET parameters accept arbitrary…

  • CVE-2024-10205 · Critical · Dec 17, 2024
    risk 0.61 · cvss 9.4 · epss 0.01

    Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics component). This issue affects Hitachi Ops Center…