CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 29 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27853 | Hig | 0.47 | 7.3 | 0.00 | May 13, 2026 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any… | ||
| CVE-2026-7042 | — | Hig | 0.47 | 7.3 | 0.00 | Apr 26, 2026 | A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The… | |
| CVE-2026-6582 | Hig | 0.47 | 7.3 | 0.00 | Apr 19, 2026 | A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing… | ||
| CVE-2026-6577 | — | Hig | 0.47 | 7.3 | 0.00 | Apr 19, 2026 | A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The… | |
| CVE-2026-33715 | Hig | 0.47 | 7.2 | 0.00 | Apr 14, 2026 | Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that… | ||
| CVE-2026-6126 | Hig | 0.47 | 7.3 | 0.00 | Apr 12, 2026 | A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit… | ||
| CVE-2026-5676 | Hig | 0.47 | 7.3 | 0.00 | Apr 6, 2026 | A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is… | ||
| CVE-2026-5632 | Hig | 0.47 | 7.3 | 0.00 | Apr 6, 2026 | A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made… | ||
| CVE-2026-5320 | Hig | 0.47 | 7.3 | 0.00 | Apr 2, 2026 | A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated… | ||
| CVE-2026-34072 | Hig | 0.47 | 8.3 | 0.00 | Apr 1, 2026 | Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated… | ||
| CVE-2026-5000 | Hig | 0.47 | 7.3 | 0.00 | Mar 28, 2026 | A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing… | ||
| CVE-2026-4959 | Hig | 0.47 | 7.3 | 0.00 | Mar 27, 2026 | A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing… | ||
| CVE-2026-4562 | Hig | 0.47 | 7.3 | 0.01 | Mar 23, 2026 | A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The… | ||
| CVE-2026-3053 | Hig | 0.47 | 7.3 | 0.01 | Feb 24, 2026 | A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It… | ||
| CVE-2026-2165 | Hig | 0.47 | 7.3 | 0.01 | Feb 8, 2026 | A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication.… | ||
| CVE-2025-11942 | Hig | 0.47 | 7.3 | 0.01 | Oct 19, 2025 | A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was… | ||
| CVE-2025-11661 | Hig | 0.47 | 7.3 | 0.01 | Oct 13, 2025 | A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has… | ||
| CVE-2023-6215 | Hig | 0.47 | — | 0.00 | Oct 7, 2025 | A potential security vulnerability has been identified in HP Sure Start’s protection of the Intel Flash Descriptor in certain HP PC products, which might allow security bypass, arbitrary code execution, loss of integrity or confidentiality, or denial of service. HP is… | ||
| CVE-2025-7405 | Hig | 0.47 | 7.3 | 0.00 | Sep 1, 2025 | Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the… | ||
| CVE-2025-7862 | Hig | 0.47 | 7.3 | 0.01 | Jul 20, 2025 | A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the… |
- risk 0.47cvss 7.3epss 0.00
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any…
- risk 0.47cvss 7.3epss 0.00
A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The…
- risk 0.47cvss 7.3epss 0.00
A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The…
- risk 0.47cvss 7.2epss 0.00
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that…
- risk 0.47cvss 7.3epss 0.00
A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated…
- risk 0.47cvss 8.3epss 0.00
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing…
- risk 0.47cvss 7.3epss 0.01
A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The…
- risk 0.47cvss 7.3epss 0.01
A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It…
- risk 0.47cvss 7.3epss 0.01
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication.…
- risk 0.47cvss 7.3epss 0.01
A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was…
- risk 0.47cvss 7.3epss 0.01
A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has…
- risk 0.47cvss —epss 0.00
A potential security vulnerability has been identified in HP Sure Start’s protection of the Intel Flash Descriptor in certain HP PC products, which might allow security bypass, arbitrary code execution, loss of integrity or confidentiality, or denial of service. HP is…
- risk 0.47cvss 7.3epss 0.00
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the…
- risk 0.47cvss 7.3epss 0.01
A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the…