VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Base · Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 3 of 12
  • CVE-2026-41037 · High · Apr 21, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against…

  • CVE-2026-33879 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling…

  • CVE-2016-10321 · Critical · Apr 10, 2017
    risk 0.57 · cvss 9.8 · epss 0.03

    web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

  • CVE-2025-2417 · High · Sep 4, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft e-Mutabakat allows Authentication Bypass. This issue affects e-Mutabakat: from 2.02.06 before v2.02.06.

  • CVE-2025-2411 · High · Sep 4, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft TaskPano allows Authentication Bypass. This issue affects TaskPano: from s1.06.04 before v1.06.06.

  • CVE-2025-2416 · High · Sep 3, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass. This issue affects LimonDesk: from s1.02.14 before v1.02.17.

  • CVE-2025-2415 · High · Sep 3, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass. This issue affects MyRezzta: from s2.03.01 before v2.05.01.

  • CVE-2025-2413 · High · Sep 2, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft ProKuafor allows Authentication Bypass. This issue affects ProKuafor: from s1.02.08 before v1.02.08.

  • CVE-2025-2414 · High · Sep 2, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass. This issue affects OctoCloud: from s1.09.03 before v1.11.01.

  • CVE-2025-2412 · High · Sep 1, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft QR Menu allows Authentication Bypass. This issue affects QR Menu: from s1.05.07 before v1.05.12.

  • CVE-2025-42615 · High · Dec 8, 2025
    risk 0.53 · cvss (not listed) · epss 0.00

    In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes…

  • CVE-2025-46414 · High · Aug 8, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback…

  • CVE-2025-46739 · High · May 12, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    An unauthenticated user could discover account credentials via a brute-force attack without rate limiting

  • CVE-2025-42600 · High · Apr 23, 2025
    risk 0.53 · cvss (not listed) · epss 0.00

    This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP,…

  • CVE-2026-45010 · Critical · May 15, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's…

  • CVE-2025-2171 · High · Jun 23, 2025
    risk 0.51 · cvss (not listed) · epss 0.00

    Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN

  • CVE-2025-54860 · High · Sep 18, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service…

  • CVE-2023-54347 · High · May 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically…

  • CVE-2026-36959 · High · Apr 30, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and…

  • CVE-2026-6947 · High · Apr 24, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device.
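Added example, not part of the VYPR page and not code from any vendor listed above. It puts the weakness in the Description (failed attempts are compared but never counted) next to a hardened verifier, and folds in three failure modes visible in the entries: the untracked OTP attempts of CVE-2025-42615 and CVE-2025-42600, the web2py ordering bug of CVE-2016-10321 (deny check performed only after the password compare), and the unbound user-id of CVE-2026-45010 (the counter must be keyed by server-side state the client cannot rotate). The simulation brute-forces a 6-digit code like the Aviatrix reset PIN of CVE-2025-2171. The policy constants, class names, the `FakeClock`, the `"alice"` account and the secret `"004217"` are all constructed for illustration:

```python
"""Added example (not VYPR's or any listed vendor's code): CWE-307 as written,
beside a per-account lockout that is checked before the credential compare.
MAX_FAILURES, WINDOW_SECONDS, the class names and the sample secret are assumptions."""
import hmac
import math
from collections import defaultdict

MAX_FAILURES = 5          # failures tolerated per account per window (assumed policy)
WINDOW_SECONDS = 15 * 60  # sliding window that doubles as the lockout period (assumed)


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class UnlimitedVerifier:
    """The weakness: every guess is compared, nothing is counted or throttled."""
    def __init__(self, secret_code):
        self.secret_code = secret_code

    def verify(self, account, submitted):
        return hmac.compare_digest(submitted.encode(), self.secret_code.encode())


class LockoutVerifier:
    """Hardened: a per-account failure window consulted before the compare."""
    def __init__(self, secret_code, clock):
        self.secret_code = secret_code
        self.clock = clock
        self.failures = defaultdict(list)  # account -> timestamps of recent failures

    def recent_failures(self, account):
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return len(self.failures[account])

    def is_locked(self, account):
        return self.recent_failures(account) >= MAX_FAILURES

    def verify(self, account, submitted):
        # `account` must come from server-side state (the session's pending login),
        # never from a request parameter the client can swap per request; and the
        # lockout check runs before the compare, so a locked caller learns nothing
        # about whether the guess was right (the ordering web2py got wrong).
        if self.is_locked(account):
            return False
        ok = hmac.compare_digest(submitted.encode(), self.secret_code.encode())
        if ok:
            self.failures[account].clear()
        else:
            self.failures[account].append(self.clock())
        return ok


def brute_force(verify, account, digits=6, budget=10 ** 6):
    """Submit codes in ascending order, stopping after `budget` attempts.
    Returns (success, attempts_used)."""
    limit = min(budget, 10 ** digits)
    for n in range(limit):
        if verify(account, f"{n:0{digits}d}"):
            return True, n + 1
    return False, limit


def worst_case_seconds(digits=6, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Time to exhaust the code space when only `max_failures` guesses land per window."""
    windows = math.ceil(10 ** digits / max_failures)
    return windows * window


if __name__ == "__main__":
    secret = "004217"  # constructed sample; a real OTP is random per challenge
    found, used = brute_force(UnlimitedVerifier(secret).verify, "alice")
    print(f"unlimited verifier: cracked={found} after {used} attempts")

    clock = FakeClock()
    hardened = LockoutVerifier(secret, clock)
    found, used = brute_force(hardened.verify, "alice", budget=10_000)
    print(f"lockout verifier: cracked={found} after {used} attempts, "
          f"locked={hardened.is_locked('alice')}")
    clock.now += WINDOW_SECONDS + 1  # window expires; the legitimate user gets in
    print("correct code after the window:", hardened.verify("alice", secret))
    print(f"worst case to exhaust 10^6 codes under the policy: "
          f"{worst_case_seconds() / 86400 / 365:.1f} years")
```

Against the unlimited verifier the attacker reaches the secret on attempt 4218; against the lockout verifier the same loop lands five failures, every later guess (including the correct one) is refused until the window passes, and exhausting all 10^6 codes at five per fifteen minutes takes about 5.7 years. A production deployment would also key the window on source address and add jitter or exponential backoff, but the two properties that matter are the ones shown: count before you compare, and key the count on something the client does not choose.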