VYPR

CWE-306

Missing Authentication for Critical Function

BaseDraftLikelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 29 of 49
  • CVE-2025-27853HigMay 13, 2026
    risk 0.47cvss 7.3epss 0.00

    The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any…

  • CVE-2026-7042HigApr 26, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The…

  • CVE-2026-6582HigApr 19, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing…

  • CVE-2026-6577HigApr 19, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The…

  • CVE-2026-33715HigApr 14, 2026
    risk 0.47cvss 7.2epss 0.00

    Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that…

  • CVE-2026-6126HigApr 12, 2026
    risk 0.47cvss 7.3epss 0.00

    A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit…

  • CVE-2026-5676HigApr 6, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is…

  • CVE-2026-5632HigApr 6, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made…

  • CVE-2026-5320HigApr 2, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated…

  • CVE-2026-34072HigApr 1, 2026
    risk 0.47cvss 8.3epss 0.00

    Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated…

  • CVE-2026-5000HigMar 28, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing…

  • CVE-2026-4959HigMar 27, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing…

  • CVE-2026-4562HigMar 23, 2026
    risk 0.47cvss 7.3epss 0.01

    A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The…

  • CVE-2026-3053HigFeb 24, 2026
    risk 0.47cvss 7.3epss 0.01

    A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It…

  • CVE-2026-2165HigFeb 8, 2026
    risk 0.47cvss 7.3epss 0.01

    A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication.…

  • CVE-2025-11942HigOct 19, 2025
    risk 0.47cvss 7.3epss 0.01

    A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was…

  • CVE-2025-11661HigOct 13, 2025
    risk 0.47cvss 7.3epss 0.01

    A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has…

  • CVE-2023-6215HigOct 7, 2025
    risk 0.47cvss epss 0.00

    A potential security vulnerability has been identified in HP Sure Start’s protection of the Intel Flash Descriptor in certain HP PC products, which might allow security bypass, arbitrary code execution, loss of integrity or confidentiality, or denial of service. HP is…

  • CVE-2025-7405HigSep 1, 2025
    risk 0.47cvss 7.3epss 0.00

    Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the…

  • CVE-2025-7862HigJul 20, 2025
    risk 0.47cvss 7.3epss 0.01

    A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the…