VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Base · Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 8 of 12
  • CVE-2026-35646 · Med · Apr 9, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated…

  • CVE-2026-35628 · Med · Apr 9, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to…

  • CVE-2026-35623 · Med · Apr 9, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to…

  • CVE-2026-26227 · Low · Feb 26, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective…

  • CVE-2026-2110 · Low · Feb 7, 2026
    risk 0.24 · cvss 3.7 · epss 0.01

    A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication…

  • CVE-2026-1685 · Low · Jan 30, 2026
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is…

  • CVE-2025-12547 · Low · Oct 31, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be…

  • CVE-2025-11441 · Low · Oct 8, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is…

  • CVE-2025-10761 · Low · Sep 21, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The…

  • CVE-2025-9004 · Low · Aug 15, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an attack…

  • CVE-2025-8927 · Low · Aug 13, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive…

  • CVE-2025-5864 · Low · Jun 9, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to…

  • CVE-2025-1629 · Low · Feb 24, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Handler. The manipulation leads to improper restriction of excessive authentication…

  • CVE-2025-7882 · Low · Jul 20, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can…

  • CVE-2024-11126 · Low · Nov 12, 2024
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather…

  • CVE-2026-47203 · Low · May 29, 2026
    risk 0.19 · cvss 4.0 · epss 0.00

    Impact. CVSSv4 Baseline Score: Moderate 6.3. CVSSv4 Weighted Score: Low 2.9. The full CVSSv4 vector for this vulnerability is: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/M…

  • CVE-2026-41333 · Low · Apr 23, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls…

  • CVE-2023-32251 · Low · Jul 31, 2025
    risk 0.17 · cvss 3.7 · epss 0.00

    A vulnerability has been identified in the Linux kernel's ksmbd component (kernel SMB/CIFS server). A security control designed to prevent dictionary attacks, which introduces a 5-second delay during session setup, can be bypassed through the use of asynchronous requests. This…

  • CVE-2024-8462 · Low · Sep 5, 2024
    risk 0.17 · cvss 3.7 · epss 0.01

    A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication…

  • CVE-2025-52916 · Low · Jun 21, 2025
    risk 0.14 · cvss 2.2 · epss 0.00

    Yealink RPS before 2025-06-04 lacks SN verification attempt limits, enabling brute-force enumeration (last five digits).