CWE-307
Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (225)
page 4 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-31904 | | High | 0.49 | 7.5 | 0.00 | | Mar 20, 2026 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct… |
| CVE-2026-31903 | | High | 0.49 | 7.5 | 0.00 | | Mar 20, 2026 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct… |
| CVE-2026-32292 | | High | 0.49 | 7.5 | 0.01 | | Mar 17, 2026 | The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials. |
| CVE-2026-24696 | | High | 0.49 | 7.5 | 0.00 | | Mar 6, 2026 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct… |
| CVE-2026-20882 | | High | 0.49 | 7.5 | 0.00 | | Mar 6, 2026 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct… |
| CVE-2026-27778 | | High | 0.49 | 7.5 | 0.01 | | Mar 6, 2026 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct… |
| CVE-2025-48014 | — | High | 0.49 | 7.5 | 0.00 | | May 20, 2025 | Password guessing limits could be bypassed when using LDAP authentication. |
| CVE-2024-5862 | | High | 0.49 | 7.5 | 0.00 | | Jun 24, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before 1.0.14. |
| CVE-2018-1373 | | High | 0.49 | 7.5 | 0.03 | | Mar 2, 2018 | IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 137773. |
| CVE-2017-12316 | | High | 0.49 | 7.5 | 0.02 | | Nov 16, 2017 | A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login… |
| CVE-2017-14423 | | High | 0.49 | 7.5 | 0.01 | | Sep 13, 2017 | htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests. |
| CVE-2002-0628 | | High | 0.49 | 7.5 | 0.02 | | Jan 7, 2003 | The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack. |
| CVE-1999-1152 | | High | 0.49 | 7.5 | 0.02 | | Jun 3, 1998 | Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack. |
| CVE-2026-33667 | | High | 0.48 | 7.4 | 0.00 | | Apr 15, 2026 | OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing… |
| CVE-2025-66413 | | High | 0.48 | 7.4 | 0.00 | | Mar 10, 2026 | Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password.… |
| CVE-2025-14362 | | High | 0.47 | 7.3 | 0.00 | | Apr 21, 2026 | The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force. |
| CVE-2025-10161 | | High | 0.47 | 7.3 | 0.00 | | Nov 11, 2025 | Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass,… |
| CVE-2026-35675 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain… |
| CVE-2025-0417 | | High | 0.46 | — | 0.00 | | Apr 1, 2025 | Lack of protection against brute force attacks in Valmet DNA visualization in DNA Operate. The possibility to make an arbitrary number of login attempts without any rate limit gives an attacker an increased chance of guessing passwords and then performing switching operations. |
| CVE-2025-23368 | | High | 0.46 | 8.1 | 0.01 | | Mar 4, 2025 | A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. |