VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 38 of 49
  • CVE-2026-10283 · Med · Jun 1, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to…

  • CVE-2026-8737 · Med · May 17, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a…

  • CVE-2026-45248 · Med · May 14, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication…

  • CVE-2026-31245 · Med · May 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can…

  • CVE-2026-8031 · Med · May 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be…

  • CVE-2026-32962 · Med · Apr 20, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue. The device configuration may be altered without authentication.

  • CVE-2026-32957 · Med · Apr 20, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing authentication for critical function issue on firmware maintenance. Arbitrary file may be uploaded on the device without authentication.

  • CVE-2026-35450 · Med · Apr 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints…

  • CVE-2026-28767 · Med · Apr 3, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A specific administrative endpoint notifications is accessible without proper authentication.

  • CVE-2026-33366 · Med · Mar 27, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication.

  • CVE-2026-4187 · Med · Mar 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing…

  • CVE-2025-14294 · Med · Feb 19, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback…

  • CVE-2025-6792 · Med · Feb 14, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for…

  • CVE-2026-0942 · Med · Jan 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible…

  • CVE-2025-11771 · Med · Nov 21, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up…

  • CVE-2025-12349 · Med · Nov 19, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the…

  • CVE-2025-11986 · Med · Nov 11, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft…

  • CVE-2025-11852 · Med · Oct 16, 2025
    risk 0.34 · cvss 5.3 · epss 0.01

    A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely.…

  • CVE-2025-11728 · Med · Oct 15, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0.…

  • CVE-2025-11672 · Med · Oct 13, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain user group names.