VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 26 of 49
  • CVE-2026-32646 · High · Apr 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A specific administrative endpoint is accessible without proper authentication, exposing device management functions.

  • CVE-2026-29132 · High · Apr 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails.

  • CVE-2026-34472 · High · Mar 30, 2026
    risk 0.49 · cvss 7.1 · epss 0.09

    Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows unauthenticated attackers on the local network to retrieve sensitive credentials from the router's web management interface, including the default administrator…

  • CVE-2026-4640 · High · Mar 24, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.

  • CVE-2026-32297 · High · Mar 17, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system.

  • CVE-2017-20222 · High · Mar 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthenticated remote reboot vulnerability that allows attackers to trigger device reboot without authentication. Attackers can send POST requests to the lte.cgi endpoint with the Command=Reboot parameter to…

  • CVE-2017-20220 · High · Mar 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without…

  • CVE-2017-20217 · High · Mar 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API…

  • CVE-2026-2339 · High · Mar 10, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before 3.5.1.

  • CVE-2026-2754 · High · Mar 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters…

  • CVE-2026-27449 · High · Feb 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed…

  • CVE-2026-26048 · High · Feb 20, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker can use this to cause unauthorized…

  • CVE-2026-26055 · High · Feb 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster…

  • CVE-2020-37157 · High · Feb 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and…

  • CVE-2020-37146 · High · Feb 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint,…

  • CVE-2022-50978 · High · Feb 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP).

  • CVE-2022-50977 · High · Feb 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP.

  • CVE-2020-36963 · High · Jan 28, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve…

  • CVE-2017-20213 · High · Jan 8, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across…

  • CVE-2020-36904 · High · Dec 31, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify…