VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 33 of 49
  • CVE-2026-25058 · High · Apr 20, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without…

  • CVE-2026-6588 · Medium · Apr 20, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The…

  • CVE-2026-6579 · Medium · Apr 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made…

  • CVE-2025-53847 · Medium · Apr 14, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows attacker to execute…

  • CVE-2026-39848 · Medium · Apr 9, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name=<cont…

  • CVE-2026-39363 · High · Apr 7, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and…

  • CVE-2026-35523 · High · Apr 7, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been…

  • CVE-2026-1900 · Medium · Apr 7, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.

  • CVE-2026-26027 · High · Apr 6, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

  • CVE-2026-33951 · High · Apr 2, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT…

  • CVE-2026-34731 · High · Mar 31, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the…

  • CVE-2026-34200 · High · Mar 31, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on…

  • CVE-2026-3527 · Medium · Mar 26, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.

  • CVE-2026-31846 · Medium · Mar 23, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Missing authentication in the /goform/ate endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows an adjacent unauthenticated attacker to retrieve sensitive device information, including the administrator password. The endpoint returns a raw response…

  • CVE-2025-13778 · Medium · Mar 13, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1.

  • CVE-2022-50980 · Medium · Feb 2, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN.

  • CVE-2022-50979 · Medium · Feb 2, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485).

  • CVE-2026-1410 · Medium · Jan 26, 2026
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high…

  • CVE-2025-64307 · Medium · Nov 15, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and …

  • CVE-2025-40817 · Medium · Nov 11, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2)…