Total
436 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-44022 | 1 Pwndoc Project | 1 Pwndoc | 2025-05-07 | 5.3 Medium |
| PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts. | ||||
| CVE-2023-27172 | 1 Xpand-it | 1 Write-back Manager | 2025-05-06 | 9.1 Critical |
| Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a bruteforce attack. | ||||
| CVE-2024-1104 | 1 Areal-topkapi | 1 Webserv2 | 2025-05-06 | 7.5 High |
| An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users. | ||||
| CVE-2024-38176 | 1 Microsoft | 1 Groupme | 2025-05-05 | 8.1 High |
| An improper restriction of excessive authentication attempts in GroupMe allows a unauthenticated attacker to elevate privileges over a network. | ||||
| CVE-2022-27516 | 1 Citrix | 3 Application Delivery Controller, Application Delivery Controller Firmware, Gateway | 2025-05-01 | 5.3 Medium |
| User login brute force protection functionality bypass | ||||
| CVE-2024-39874 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-05-01 | 7.5 High |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. | ||||
| CVE-2024-39873 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-05-01 | 7.5 High |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. | ||||
| CVE-2022-3945 | 1 Kavitareader | 1 Kavita | 2025-04-30 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. | ||||
| CVE-2022-40903 | 1 Aiphone | 8 Gt-db-vn, Gt-db-vn Firmware, Gt-dmb and 5 more | 2025-04-30 | 6.5 Medium |
| Aiphone GT-DMB-N 3-in-1 Video Entrance Station with NFC Reader 1.0.3 does not mitigate against repeated failed access attempts, which allows an attacker to gain administrative privileges. | ||||
| CVE-2022-3993 | 1 Kavitareader | 1 Kavita | 2025-04-30 | 9.4 Critical |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. | ||||
| CVE-2022-2166 | 1 Joinmastodon | 1 Mastodon | 2025-04-29 | 9.8 Critical |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | ||||
| CVE-2022-37772 | 1 Maarch | 1 Maarch Rm | 2025-04-25 | 7.5 High |
| Maarch RM 2.8.3 solution contains an improper restriction of excessive authentication attempts due to excessive verbose responses from the application. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts. | ||||
| CVE-2022-2650 | 1 Wger | 1 Wger | 2025-04-25 | 9.8 Critical |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2. | ||||
| CVE-2022-23746 | 1 Checkpoint | 1 Ssl Network Extender | 2025-04-25 | 7.5 High |
| The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords. | ||||
| CVE-2022-31118 | 1 Nextcloud | 1 Nextcloud Server | 2025-04-23 | 6.5 Medium |
| Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`. | ||||
| CVE-2022-35932 | 1 Nextcloud | 1 Talk | 2025-04-23 | 3.5 Low |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations. | ||||
| CVE-2022-39314 | 1 Getkirby | 1 Kirby | 2025-04-23 | 3.7 Low |
| Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth method with the `auth.methods` option or if you have enabled the `debug` option in production. By using two or more IP addresses and multiple login attempts, valid user accounts will lock, but invalid accounts will not, leading to account enumeration. This issue has been patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. If you cannot update immediately, you can work around the issue by setting the `auth.methods` option to `password`, which disables the code-based login and password reset forms. | ||||
| CVE-2025-42600 | 2025-04-23 | N/A | ||
| This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP, which could lead to gain unauthorized access to other user accounts. | ||||
| CVE-2022-35925 | 1 Joinbookwyrm | 1 Bookwyrm | 2025-04-22 | 5.3 Medium |
| BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their `nginx.conf` file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually. | ||||
| CVE-2017-15887 | 1 Synology | 1 Carddav Server | 2025-04-20 | N/A |
| An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack. | ||||