VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 5 of 12
  • CVE-2025-11566 · Medium · Nov 12, 2025
    risk 0.45 · cvss not listed · epss 0.00

    CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the…

  • CVE-2025-1714 · Medium · Mar 5, 2025
    risk 0.45 · cvss not listed · epss 0.00

    Lack of Rate Limiting in Sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy online allows attacker to enumerate valid user emails and potentially DOS the server

  • CVE-2025-31991 · Medium · Apr 13, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.  This vulnerability is fixed in 5.1.7.

  • CVE-2018-11082 · Medium · Oct 5, 2018
    risk 0.43 · cvss 6.6 · epss 0.01

    Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA Release, all versions prior to 61.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.

  • CVE-2026-36612 · Medium · Jun 3, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).

  • CVE-2026-7255 · Medium · May 12, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    ** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to brute-force the password and bypass…

  • CVE-2026-41893 · High · May 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via…

  • CVE-2026-40586 · High · Apr 21, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary…

  • CVE-2026-22616 · Medium · Apr 16, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton…

  • CVE-2026-33935 · High · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three…

  • CVE-2026-33419 · High · Mar 24, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error…

  • CVE-2026-32295 · High · Mar 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.

  • CVE-2026-25577 · High · Feb 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500…

  • CVE-2025-53544 · High · Aug 5, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to…

  • CVE-2025-1496 · Medium · Mar 20, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in BG-TEK Coslat Hotspot allows Password Brute Forcing, Authentication Abuse. This issue affects Coslat Hotspot: before 6.26.0.R.20250227.

  • CVE-2024-5682 · Medium · Sep 18, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation. This issue affects Yordam Library Automation System: before 20.1.

  • CVE-2026-43926 · Medium · Jun 4, 2026
    risk 0.41 · cvss not listed · epss 0.00

    FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only…

  • CVE-2026-1816 · Medium · May 21, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13.

  • CVE-2025-36758 · Medium · Sep 10, 2025
    risk 0.41 · cvss not listed · epss 0.00

    It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle.

  • CVE-2026-45364 · High · May 28, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients…