Total
1908 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68715 | 2026-01-09 | 9.1 Critical | ||
| An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. | ||||
| CVE-2025-65731 | 1 D-link | 1 Dir-605l | 2026-01-09 | 6.8 Medium |
| An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control. | ||||
| CVE-2025-69425 | 2026-01-09 | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | ||||
| CVE-2025-35050 | 1 Newforma | 2 Project Center, Project Center Server | 2026-01-09 | 9.8 Critical |
| Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is used by Newforma Project Center Server (NPCS), so a compromised NIX system can be used to attack an associated NPCS system. To mitigate this vulnerability, restrict network access to the '/remoteweb/remote.rem' endpoint, for example using the IIS URL Rewrite Module. | ||||
| CVE-2025-35051 | 1 Newforma | 2 Project Center, Project Center Server | 2026-01-09 | 9.8 Critical |
| Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS. | ||||
| CVE-2025-66049 | 2026-01-09 | N/A | ||
| Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | ||||
| CVE-2025-64056 | 1 Fanvil | 3 X210, X210 Firmware, X210 V2 | 2026-01-09 | 4.3 Medium |
| File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem. | ||||
| CVE-2026-21446 | 1 Webkul | 1 Bagisto | 2026-01-08 | 9.8 Critical |
| Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue. | ||||
| CVE-2025-68716 | 2026-01-08 | 8.4 High | ||
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | ||||
| CVE-2025-14300 | 1 Tp-link | 4 Tapo, Tapo C200, Tapo C200 Firmware and 1 more | 2026-01-08 | 8.1 High |
| The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS). | ||||
| CVE-2025-15346 | 1 Wolfssl | 1 Wolfssl | 2026-01-08 | N/A |
| A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2. | ||||
| CVE-2017-20213 | 1 Flir | 1 Thermal Camera | 2026-01-08 | 7.5 High |
| FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. | ||||
| CVE-2025-3646 | 1 Petlibro | 1 Smart Pet Feeder Platform | 2026-01-08 | 7.3 High |
| Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation. | ||||
| CVE-2026-21445 | 1 Langflow | 1 Langflow | 2026-01-08 | N/A |
| Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch. | ||||
| CVE-2025-15026 | 1 Centreon | 1 Centreon | 2026-01-08 | 9.8 Critical |
| Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | ||||
| CVE-2025-14346 | 2026-01-08 | 9.8 Critical | ||
| WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction. | ||||
| CVE-2026-0625 | 1 D-link | 4 Dsl-2640b, Dsl-2740r, Dsl-2780b and 1 more | 2026-01-08 | N/A |
| Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). | ||||
| CVE-2026-0650 | 1 Openflagr | 1 Flagr | 2026-01-08 | N/A |
| OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | ||||
| CVE-2025-31963 | 1 Hcltech | 1 Bigfix Insights For Vulnerability Remediation | 2026-01-08 | 2.9 Low |
| Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests. | ||||
| CVE-2024-1573 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2026-01-08 | 5.9 Medium |
| Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.2, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.2, and Mitsubishi Electric MC Works64 all versions allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: * Active Directory is used in the security setting. * “Automatic log in” option is enabled in the security setting. * The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. * The IcoAnyGlass IIS Application Pool account is included in GENESIS64 and MC Works64 Security and has permission to log in. | ||||