VYPR

CWE-306

Missing Authentication for Critical Function

BaseDraftLikelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 16 of 49
  • CVE-2026-42864CriMay 11, 2026
    risk 0.57cvss 9.9epss 0.00

    FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via…

  • CVE-2026-42302CriMay 8, 2026
    risk 0.57cvss 9.8epss 0.01

    FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and…

  • CVE-2026-41930CriMay 6, 2026
    risk 0.57cvss 9.8epss 0.00

    Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the…

  • CVE-2026-42796CriMay 4, 2026
    risk 0.57cvss 9.8epss 0.01

    Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a…

  • CVE-2024-54013HigApr 28, 2026
    risk 0.57cvss epss 0.00

    Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw,…

  • CVE-2026-6376HigApr 23, 2026
    risk 0.57cvss epss 0.01

    A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any…

  • CVE-2026-41179CriApr 23, 2026
    risk 0.57cvss 9.8epss 0.09

    Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs`…

  • CVE-2026-5749HigApr 22, 2026
    risk 0.57cvss epss 0.00

    Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated…

  • CVE-2026-40884CriApr 21, 2026
    risk 0.57cvss 9.8epss 0.00

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does…

  • CVE-2026-26944HigApr 20, 2026
    risk 0.57cvss 8.8epss 0.01

    Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access…

  • CVE-2026-6348HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.00

    WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

  • CVE-2026-5777HigApr 10, 2026
    risk 0.57cvss epss 0.00

    This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain…

  • CVE-2026-35053CriApr 2, 2026
    risk 0.57cvss 9.8epss 0.01

    OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) without any authentication…

  • CVE-2026-34227HigMar 31, 2026
    risk 0.57cvss 8.8epss 0.00

    Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected…

  • CVE-2026-24068HigMar 26, 2026
    risk 0.57cvss 8.8epss 0.00

    The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that…

  • CVE-2025-14349HigFeb 13, 2026
    risk 0.57cvss 8.8epss 0.00

    Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before…

  • CVE-2026-0778HigJan 23, 2026
    risk 0.57cvss 8.8epss 0.01

    Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to…

  • CVE-2025-65007HigDec 18, 2025
    risk 0.57cvss epss 0.00

    In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to…

  • CVE-2024-58300HigDec 11, 2025
    risk 0.57cvss epss 0.00

    Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and…

  • CVE-2024-2104HigDec 10, 2025
    risk 0.57cvss 8.8epss 0.00

    Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.