VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 6 of 49
  • CVE-2025-8350 · Critical · Feb 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The…

  • CVE-2026-1670 · Critical · Feb 17, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.

  • CVE-2026-1729 · Critical · Feb 12, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it…

  • CVE-2026-25084 · Critical · Feb 11, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.

  • CVE-2026-24789 · Critical · Feb 11, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.

  • CVE-2026-2249 · Critical · Feb 11, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in…

  • CVE-2026-2248 · Critical · Feb 11, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results…

  • CVE-2025-8025 · Critical · Feb 11, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was…

  • CVE-2022-50981 · Critical · Feb 2, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced.

  • CVE-2026-1453 · Critical · Jan 29, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product.

  • CVE-2021-47891 · Critical · Jan 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command…

  • CVE-2026-1364 · Critical · Jan 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities.

  • CVE-2025-62582 · Critical · Jan 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Delta Electronics DIAView has multiple vulnerabilities.

  • CVE-2025-14346 · Critical · Jan 5, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.05

    WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any…

  • CVE-2019-25240 · Critical · Dec 24, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without…

  • CVE-2019-25236 · Critical · Dec 24, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without…

  • CVE-2018-25134 · Critical · Dec 24, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create…

  • CVE-2025-43428 · Critical · Dec 17, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication.

  • CVE-2025-11007 · Critical · Nov 4, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to…

  • CVE-2025-40771 · Critical · Oct 14, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1542SP-1 IRC TX…