Total
1640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36756 | 2025-09-11 | N/A | N/A | ||
| A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known. | |||||
| CVE-2025-36757 | 2025-09-11 | N/A | N/A | ||
| It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system. | |||||
| CVE-2025-6678 | 1 Autel | 18 Maxicharger Ac Elite Business C50, Maxicharger Ac Elite Business C50 Firmware, Maxicharger Ac Pro and 15 more | 2025-09-10 | N/A | 7.5 HIGH |
| Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352. | |||||
| CVE-2025-9994 | 2025-09-10 | N/A | 9.8 CRITICAL | ||
| The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. | |||||
| CVE-2023-7308 | 1 Nsfocusglobal | 2 Secgate3600, Secgate3600 Firmware | 2025-09-09 | N/A | 7.5 HIGH |
| SecGate3600, a network firewall product developed by NSFOCUS, contains a sensitive information disclosure vulnerability in the /cgi-bin/authUser/authManageSet.cgi endpoint. The affected component fails to enforce authentication checks on POST requests to retrieve user data. An unauthenticated remote attacker can exploit this flaw to obtain sensitive information, including user identifiers and configuration details, by sending crafted requests to the vulnerable endpoint. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-18 UTC. | |||||
| CVE-2025-55583 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2025-09-09 | N/A | 9.8 CRITICAL |
| D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests. | |||||
| CVE-2025-42926 | 2025-09-09 | N/A | 5.3 MEDIUM | ||
| SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server. | |||||
| CVE-2025-9160 | 2025-09-09 | N/A | N/A | ||
| A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution. | |||||
| CVE-2025-7045 | 2025-09-08 | N/A | 6.5 MEDIUM | ||
| The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service. | |||||
| CVE-2014-9197 | 1 Schneider-electric | 5 Etg3000 Factorycast Hmi Gateway Firmware, Tsxetg3000, Tsxetg3010 and 2 more | 2025-09-05 | 10.0 HIGH | N/A |
| The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request. | |||||
| CVE-2014-9195 | 1 Phoenixcontact-software | 2 Multiprog, Proconos Eclr | 2025-09-05 | 10.0 HIGH | N/A |
| Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. | |||||
| CVE-2025-21623 | 1 Oxygenz | 1 Clipbucket | 2025-09-05 | N/A | 7.5 HIGH |
| ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service. | |||||
| CVE-2025-7031 | 1 Config Pages Viewer Project | 1 Config Pages Viewer | 2025-09-04 | N/A | 5.3 MEDIUM |
| Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4. | |||||
| CVE-2025-9815 | 2 Alaneuler, Apple | 2 Batterykid, Macos | 2025-09-04 | 6.8 MEDIUM | 7.8 HIGH |
| A weakness has been identified in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authentication. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-7679 | 2025-09-04 | N/A | 8.1 HIGH | ||
| The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT | |||||
| CVE-2025-5310 | 2025-09-04 | N/A | 9.8 CRITICAL | ||
| Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | |||||
| CVE-2012-10030 | 1 Freefloat | 1 Freefloat Ftp Server | 2025-09-03 | N/A | 9.8 CRITICAL |
| FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction. | |||||
| CVE-2020-24363 | 1 Tp-link | 2 Tl-wa855re, Tl-wa855re Firmware | 2025-09-03 | 8.3 HIGH | 8.8 HIGH |
| TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. | |||||
| CVE-2012-10062 | 2025-09-02 | N/A | N/A | ||
| A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server. | |||||
| CVE-2025-7405 | 2025-09-02 | N/A | 7.3 HIGH | ||
| Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the products does not have authentication features. | |||||