VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Base · Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 6 of 12
  • CVE-2026-43914 · High · May 11, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login…

  • CVE-2026-35902 · Medium · Apr 27, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent…

  • CVE-2025-46606 · Medium · Apr 17, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this…

  • CVE-2026-41213 · Medium · Apr 23, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts…

  • CVE-2025-52392 · Medium · Aug 13, 2025
    risk 0.38 · cvss 5.4 · epss 0.01

    Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability…

  • CVE-2025-6533 · Medium · Jun 24, 2025
    risk 0.36 · cvss 5.6 · epss 0.00

    A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA…

  • CVE-2025-62313 · Medium · May 14, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions.

  • CVE-2026-7820 · Medium · May 11, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable…

  • CVE-2026-26206 · Medium · Apr 29, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication…

  • CVE-2026-33580 · Medium · Mar 31, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by…

  • CVE-2026-34505 · Medium · Mar 31, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit…

  • CVE-2025-10658 · Medium · Sep 20, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for…

  • CVE-2018-16703 · Medium · Sep 7, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to…

  • CVE-2017-10604 · Medium · Jul 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account. When an SRX Series device is in cluster mode, and a cluster sync or…

  • CVE-2025-2514 · Medium · May 7, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual…

  • CVE-2026-2402 · Medium · Apr 14, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple…

  • CVE-2025-7630 · Medium · Feb 18, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force. This issue affects Wispotter: from 1.0 before v2025.10.08.1.

  • CVE-2025-12310 · Medium · Oct 27, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can…

  • CVE-2025-2911 · Medium · Mar 28, 2025
    risk 0.34 · cvss n/a · epss 0.00

    Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.

  • CVE-2025-22645 · Medium · Feb 18, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allows Password Brute Forcing. This issue affects Real Estate Manager: from n/a through <= 7.3.
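The limiter below is an added example, not code from VYPR, from CWE, or from any product listed above. It shows the control CWE-307 is about, built so that the recurring bypasses in the mapped CVEs do not apply: attempts are counted at the moment they are admitted rather than after verification (the OpenClaw pattern), the check and the count happen in one critical section so a burst of concurrent requests cannot all slip through (the Wazuh pattern), a single limiter instance is shared by every login path (the pgAdmin pattern), and the key includes the source as well as the account, with a time-bounded lockout, so an attacker hammering one account throttles themselves rather than locking the legitimate user out (the Juniper SRX root-lockout pattern). The user store, thresholds, function names and the constructed inputs are all hypothetical; a real deployment would back the store with a slow password hash and share the counters across instances.

```python
import hashlib
import hmac
import threading
import time
from collections import deque

# Constructed user store for the example (hypothetical). A real system would
# use a slow password hash such as argon2id; SHA-256 keeps this dependency-free.
def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

_SALT = b"example-salt"
USERS = {"alice": (_SALT, _pw_hash(_SALT, "correct horse battery staple"))}


class NaiveLimiter:
    """The shape several CVEs on this page share: the check and the count are
    separate steps and the count is updated only after verification. Requests
    that arrive together all pass allowed() before any record_failure() runs."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}

    def allowed(self, key):
        return self.failures.get(key, 0) < self.max_failures

    def record_failure(self, key):
        self.failures[key] = self.failures.get(key, 0) + 1


class FailedAttemptLimiter:
    """Sliding-window limiter keyed by (account, source). An attempt is counted
    when it is admitted, inside one critical section, so a concurrent burst
    cannot exceed the cap; a successful login clears the count; a lockout
    expires on its own instead of being permanent."""
    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._lock = threading.Lock()
        self._attempts = {}      # key -> deque of admitted-attempt timestamps
        self._locked_until = {}  # key -> time the current lockout ends

    def acquire(self, key):
        """Admit one attempt; it counts as a failure until succeeded() is called."""
        now = self.clock()
        with self._lock:
            if self._locked_until.get(key, 0) > now:
                return False
            q = self._attempts.setdefault(key, deque())
            while q and q[0] <= now - self.window_s:   # drop attempts outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_s
                q.clear()
                return False
            q.append(now)
            return True

    def succeeded(self, key):
        with self._lock:
            self._attempts.pop(key, None)


# One instance shared by every login endpoint, so no alternate path can skip it.
LIMITER = FailedAttemptLimiter()


def login(username, password, source_ip, limiter=LIMITER):
    """Return 'ok', 'invalid' or 'locked'. Keying on account AND source throttles
    the attacker without letting them lock the real user out from everywhere."""
    key = (username, source_ip)
    if not limiter.acquire(key):
        return "locked"
    rec = USERS.get(username)
    if rec is None:
        return "invalid"  # already counted; same response as a wrong password
    salt, expected = rec
    if not hmac.compare_digest(_pw_hash(salt, password), expected):
        return "invalid"
    limiter.succeeded(key)
    return "ok"


def demo_concurrent_bypass(n=20):
    """Model n requests arriving at once: every check runs before any record.
    Returns how many attempts each limiter admits; the naive one admits all n."""
    naive = NaiveLimiter()
    admitted_naive = sum(naive.allowed("k") for _ in range(n))
    for _ in range(n):
        naive.record_failure("k")
    hardened = FailedAttemptLimiter()
    admitted_hardened = sum(hardened.acquire("k") for _ in range(n))
    return admitted_naive, admitted_hardened
```

Calling `demo_concurrent_bypass()` models the Wazuh-style race without threads: with the naive design all 20 simultaneous attempts are admitted, with the hardened one only 5 are. The same `login()` must be the only code path that verifies a credential; a second view that performs its own check, as in the pgAdmin entry above, reintroduces the weakness regardless of how good the limiter is.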