VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 21 of 49
  • CVE-2026-44413 · High · May 11, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    In JetBrains TeamCity before 2026.1, 2025.11.5 authenticated users could expose server API to unauthorised access

  • CVE-2026-42222 · High · May 4, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.

  • CVE-2026-5944 · High · Apr 28, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.01

    An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. …

  • CVE-2026-41273 · High · Apr 23, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By…

  • CVE-2026-39393 · High · Apr 8, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file…

  • CVE-2026-4272 · High · Apr 5, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Missing Authentication for Critical Function vulnerability in Honeywell Handheld Scanners allows Authentication Abuse. This issue affects Handheld Scanners: from C1 Base(Ingenic x1000) before GK000432BAA, from D1 Base(Ingenic x1600) before HE000085BAA, from A1/B1 Base(IMX25)…

  • CVE-2019-25678 · High · Apr 5, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the users_select.php…

  • CVE-2025-15517 · High · Mar 23, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.03

    A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware…

  • CVE-2026-22731 · High · Mar 19, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring…

  • CVE-2026-3558 · High · Mar 16, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this…

  • CVE-2026-24790 · High · Feb 20, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.

  • CVE-2025-15346 · Critical · Jan 8, 2026
    risk 0.53 · CVSS n/a · EPSS 0.00

    A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched…

  • CVE-2026-0650 · Critical · Jan 7, 2026
    risk 0.53 · CVSS n/a · EPSS 0.00

    OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without…

  • CVE-2025-14300 · High · Dec 20, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service…

  • CVE-2025-12003 · High · Nov 25, 2025
    risk 0.53 · CVSS n/a · EPSS 0.01

    A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.

  • CVE-2025-61778 · Critical · Oct 6, 2025
    risk 0.53 · CVSS n/a · EPSS 0.00

    Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of…

  • CVE-2025-8450 · High · Aug 19, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.

  • CVE-2025-7679 · High · Aug 11, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT.

  • CVE-2025-3090 · High · Jun 24, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.

  • CVE-2025-41654 · High · May 26, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.