VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
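The following is an added example, not code from CWE-306 or from any of the products listed below. It models the pattern the entries on this page share, a management function (here, updating a record and reading a config blob) dispatched purely on method and path with nothing ever asking who the caller is, beside a hardened dispatcher that denies by default and only skips authentication for routes explicitly marked public. It also includes the check a practitioner wants: probe every critical route with no credentials and report any that is served anyway. Route names, the bearer token, and the in-memory store are all constructed for illustration.

```python
"""Added example (not from the CWE entry or any vendor's code): CWE-306 in a
minimal request dispatcher, a hardened deny-by-default version, and a probe
that reports critical routes reachable without credentials. All names,
routes, token values and sample data are constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def new_store():
    """Constructed sample state: one record and a config blob an anonymous
    caller must not be able to modify or read."""
    return {
        "memories": {"m1": {"text": "original"}},
        "config": {"admin_password_hash": "sha256:<redacted>"},
    }


def dispatch(req, store):
    """Plain routing table. Note that nothing here asks who the caller is."""
    parts = req.path.strip("/").split("/")
    if req.method == "PUT" and len(parts) == 2 and parts[0] == "memories":
        mem = store["memories"].get(parts[1])
        if mem is None:
            return 404, {"error": "no such memory"}
        mem["text"] = req.body.get("text", "")
        return 200, {"updated": parts[1]}
    if req.method == "GET" and req.path == "/admin/config":
        return 200, store["config"]
    if req.method == "GET" and req.path == "/health":
        return 200, {"status": "ok"}
    return 404, {"error": "not found"}


def handle_vulnerable(req, store):
    """CWE-306: critical functions exposed with no authentication at all."""
    return dispatch(req, store)


# Constructed example token; the server holds only its hash.
TOKEN_HASH = hashlib.sha256(b"example-token-not-for-real-use").hexdigest()
# Allowlist of routes that may be served anonymously. Everything else is gated.
PUBLIC_ROUTES = {("GET", "/health")}


def is_authenticated(req):
    """Bearer-token check with a constant-time comparison of the hashes."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    return hmac.compare_digest(presented, TOKEN_HASH)


def handle_hardened(req, store):
    """Deny by default: the gate runs before dispatch for every non-public route,
    so a newly added handler cannot be exposed by forgetting a check."""
    if (req.method, req.path) not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401, {"error": "authentication required"}
    return dispatch(req, store)


def unauthenticated_exposure(handler, store, routes):
    """Check: send each critical route with no credentials; return those that
    the handler serves anyway (anything other than 401/403)."""
    exposed = []
    for method, path in routes:
        status, _ = handler(Request(method, path, body={"text": "tampered"}), store)
        if status not in (401, 403):
            exposed.append((method, path))
    return exposed


# Constructed list of routes that require a provable identity.
CRITICAL_ROUTES = [("PUT", "/memories/m1"), ("GET", "/admin/config")]

if __name__ == "__main__":
    print("vulnerable exposes:", unauthenticated_exposure(handle_vulnerable, new_store(), CRITICAL_ROUTES))
    print("hardened exposes:  ", unauthenticated_exposure(handle_hardened, new_store(), CRITICAL_ROUTES))
```

The gate in handle_hardened only establishes that the caller holds a valid credential; whether that identity may touch a particular record is authorization, which is a separate check and a separate weakness class. The probe is worth running as a regression test whenever a route is added, since the listing below shows how often the missing check is on a single endpoint the rest of the product authenticates correctly.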

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 25 of 49
  • CVE-2026-39310 · High · May 20, 2026
    risk 0.49 · CVSS 8.6 · EPSS 0.00

    Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment.…

  • CVE-2026-31240 · High · May 12, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are exposed without any verification of the requester's identity or permissions. A remote…

  • CVE-2026-3323 · High · Apr 28, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.

  • CVE-2026-35064 · High · Apr 24, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because…

  • CVE-2026-41039 · High · Apr 21, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    This vulnerability exists in the Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device. …

  • CVE-2026-40461 · High · Apr 17, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.

  • CVE-2026-34160 · High · Apr 14, 2026
    risk 0.49 · CVSS 8.6 · EPSS 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter…

  • CVE-2019-25686 · High · Apr 5, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to…

  • CVE-2018-25246 · High · Apr 4, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of repeated characters into the search bar to trigger an…

  • CVE-2018-25241 · High · Apr 4, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an…

  • CVE-2026-32646 · High · Apr 3, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    A specific administrative endpoint is accessible without proper authentication, exposing device management functions.

  • CVE-2026-29132 · High · Apr 2, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails.

  • CVE-2026-34472 · High · Mar 30, 2026
    risk 0.49 · CVSS 7.1 · EPSS 0.09

    Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows unauthenticated attackers on the local network to retrieve sensitive credentials from the router's web management interface, including the default administrator…

  • CVE-2026-4640 · High · Mar 24, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.

  • CVE-2026-32297 · High · Mar 17, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system.

  • CVE-2017-20222 · High · Mar 16, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthenticated remote reboot vulnerability that allows attackers to trigger device reboot without authentication. Attackers can send POST requests to the lte.cgi endpoint with the Command=Reboot parameter to…

  • CVE-2017-20220 · High · Mar 16, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without…

  • CVE-2017-20217 · High · Mar 16, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API…

  • CVE-2026-2339 · High · Mar 10, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before 3.5.1.

  • CVE-2026-2754 · High · Mar 6, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters…