Total
435 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47951 | 1 Weblate | 1 Weblate | 2025-07-16 | N/A | 4.9 MEDIUM |
| Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12. | |||||
| CVE-2024-51476 | 2 Ibm, Linux | 2 Concert Software, Linux Kernel | 2025-07-16 | N/A | 7.5 HIGH |
| IBM Concert Software 1.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | |||||
| CVE-2024-23106 | 1 Fortinet | 1 Forticlientems | 2025-07-16 | N/A | 8.1 HIGH |
| An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via crafted HTTP or HTTPS requests. | |||||
| CVE-2024-12039 | 1 Langgenius | 1 Dify | 2025-07-15 | N/A | 8.1 HIGH |
| langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application. | |||||
| CVE-2025-20196 | 1 Cisco | 52 807 Industrial Integrated Services Router, 807 Industrial Integrated Services Router Firmware, 809 Industrial Integrated Services Router and 49 more | 2025-07-11 | N/A | 5.3 MEDIUM |
| A vulnerability in the Cisco IOx application hosting environment of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the Cisco IOx application hosting environment to stop responding, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the Cisco IOx application hosting environment to stop responding. The IOx process will need to be manually restarted to recover services. | |||||
| CVE-2025-52916 | 2025-07-10 | N/A | 2.2 LOW | ||
| Yealink RPS before 2025-06-04 lacks SN verification attempt limits, enabling brute-force enumeration (last five digits). | |||||
| CVE-2024-5716 | 1 Logsign | 1 Unified Secops Platform | 2025-07-10 | N/A | 9.8 CRITICAL |
| Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password reset mechanism. The issue results from the lack of restriction of excessive authentication attempts. An attacker can leverage this vulnerability to reset a user's password and bypass authentication on the system. Was ZDI-CAN-24164. | |||||
| CVE-2023-34732 | 1 Flytxt | 1 Neon-dx | 2025-07-09 | N/A | 5.4 MEDIUM |
| An issue in the userId parameter in the change password function of Flytxt NEON-dX v0.0.1-SNAPSHOT-6.9-qa-2-9-g5502a0c allows attackers to execute brute force attacks to discover user passwords. | |||||
| CVE-2025-27456 | 2025-07-03 | N/A | 7.5 HIGH | ||
| The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | |||||
| CVE-2025-1710 | 2025-07-03 | N/A | 7.5 HIGH | ||
| The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | |||||
| CVE-2025-27449 | 2025-07-03 | N/A | 7.5 HIGH | ||
| The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | |||||
| CVE-2023-34001 | 1 Wpplugins | 1 Hide My Wp Ghost | 2025-06-30 | N/A | 5.3 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25. | |||||
| CVE-2025-4383 | 2025-06-26 | N/A | 9.3 CRITICAL | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025. | |||||
| CVE-2024-55008 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 7.5 HIGH |
| JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges. | |||||
| CVE-2025-2171 | 2025-06-23 | N/A | N/A | ||
| Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN | |||||
| CVE-2023-50123 | 1 Hozard | 1 Alarm System | 2025-06-20 | N/A | 8.1 HIGH |
| The number of attempts to bring the Hozard Alarm system (alarmsystemen) v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state. | |||||
| CVE-2025-6030 | 2025-06-16 | N/A | N/A | ||
| Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. | |||||
| CVE-2025-43863 | 2025-06-16 | N/A | N/A | ||
| vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11. | |||||
| CVE-2025-6029 | 2025-06-16 | N/A | N/A | ||
| Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | |||||
| CVE-2025-49186 | 2025-06-13 | N/A | 5.3 MEDIUM | ||
| The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | |||||