CWE-307
Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (225)
page 3 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41037 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2026 | This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against… | ||
| CVE-2026-33879 | Cri | 0.57 | 9.8 | 0.00 | Mar 27, 2026 | Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling… | ||
| CVE-2016-10321 | — | Cri | 0.57 | 9.8 | 0.03 | Apr 10, 2017 | web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. | |
| CVE-2025-2417 | Hig | 0.56 | 8.6 | 0.00 | Sep 4, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft e-Mutabakat allows Authentication Bypass. This issue affects e-Mutabakat: from 2.02.06 before v2.02.06. | ||
| CVE-2025-2411 | Hig | 0.56 | 8.6 | 0.00 | Sep 4, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft TaskPano allows Authentication Bypass. This issue affects TaskPano: from s1.06.04 before v1.06.06. | ||
| CVE-2025-2416 | Hig | 0.56 | 8.6 | 0.00 | Sep 3, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass. This issue affects LimonDesk: from s1.02.14 before v1.02.17. | ||
| CVE-2025-2415 | Hig | 0.56 | 8.6 | 0.00 | Sep 3, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass. This issue affects MyRezzta: from s2.03.01 before v2.05.01. | ||
| CVE-2025-2413 | Hig | 0.56 | 8.6 | 0.00 | Sep 2, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft ProKuafor allows Authentication Bypass. This issue affects ProKuafor: from s1.02.08 before v1.02.08. | ||
| CVE-2025-2414 | Hig | 0.56 | 8.6 | 0.00 | Sep 2, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass. This issue affects OctoCloud: from s1.09.03 before v1.11.01. | ||
| CVE-2025-2412 | Hig | 0.56 | 8.6 | 0.00 | Sep 1, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft QR Menu allows Authentication Bypass. This issue affects QR Menu: from s1.05.07 before v1.05.12. | ||
| CVE-2025-42615 | — | Hig | 0.53 | — | 0.00 | Dec 8, 2025 | In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes… | |
| CVE-2025-46414 | — | Hig | 0.53 | 8.1 | 0.00 | Aug 8, 2025 | The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback… | |
| CVE-2025-46739 | — | Hig | 0.53 | 8.1 | 0.00 | May 12, 2025 | An unauthenticated user could discover account credentials via a brute-force attack without rate limiting | |
| CVE-2025-42600 | Hig | 0.53 | — | 0.00 | Apr 23, 2025 | This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP,… | ||
| CVE-2026-45010 | Cri | 0.52 | 9.1 | 0.00 | May 15, 2026 | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's… | ||
| CVE-2025-2171 | Hig | 0.51 | — | 0.00 | Jun 23, 2025 | Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN | ||
| CVE-2025-54860 | Hig | 0.50 | 7.7 | 0.00 | Sep 18, 2025 | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service… | ||
| CVE-2023-54347 | Hig | 0.49 | 7.5 | 0.01 | May 5, 2026 | OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically… | ||
| CVE-2026-36959 | Hig | 0.49 | 7.5 | 0.00 | Apr 30, 2026 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and… | ||
| CVE-2026-6947 | Hig | 0.49 | 7.5 | 0.00 | Apr 24, 2026 | DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device. |
- risk 0.57cvss 8.8epss 0.00
This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against…
- risk 0.57cvss 9.8epss 0.00
Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling…
- risk 0.57cvss 9.8epss 0.03
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft e-Mutabakat allows Authentication Bypass. This issue affects e-Mutabakat: from 2.02.06 before v2.02.06.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft TaskPano allows Authentication Bypass. This issue affects TaskPano: from s1.06.04 before v1.06.06.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass. This issue affects LimonDesk: from s1.02.14 before v1.02.17.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass. This issue affects MyRezzta: from s2.03.01 before v2.05.01.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft ProKuafor allows Authentication Bypass. This issue affects ProKuafor: from s1.02.08 before v1.02.08.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass. This issue affects OctoCloud: from s1.09.03 before v1.11.01.
- risk 0.56cvss 8.6epss 0.00
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft QR Menu allows Authentication Bypass. This issue affects QR Menu: from s1.05.07 before v1.05.12.
- risk 0.53cvss —epss 0.00
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes…
- risk 0.53cvss 8.1epss 0.00
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback…
- risk 0.53cvss 8.1epss 0.00
An unauthenticated user could discover account credentials via a brute-force attack without rate limiting
- risk 0.53cvss —epss 0.00
This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP,…
- risk 0.52cvss 9.1epss 0.00
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's…
- risk 0.51cvss —epss 0.00
Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN
- risk 0.50cvss 7.7epss 0.00
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service…
- risk 0.49cvss 7.5epss 0.01
OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically…
- risk 0.49cvss 7.5epss 0.00
U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and…
- risk 0.49cvss 7.5epss 0.00
DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device.