Total
473 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11441 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 3.7 Low |
| A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue. | ||||
| CVE-2025-58587 | 2025-10-06 | 6.5 Medium | ||
| The application does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it possible for an attacker to guess user credentials. | ||||
| CVE-2025-49186 | 2025-10-06 | 5.3 Medium | ||
| The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | ||||
| CVE-2025-36064 | 1 Ibm | 2 Sterling Connect, Sterling Connect\ | 2025-10-03 | 5.9 Medium |
| IBM Sterling Connect:Express for Microsoft Windows 3.1.0.0 through 3.1.0.22 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | ||||
| CVE-2025-8118 | 1 Pad | 1 Pad Cms | 2025-10-02 | N/A |
| PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | ||||
| CVE-2025-8679 | 1 Extreme Networks | 1 Extremeguest Essentials | 2025-10-02 | N/A |
| In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthenticated device to be marked as authenticated and obtain network access. Client360 logs may display the client MAC as the username despite no MAC-authentication being enabled. | ||||
| CVE-2025-6533 | 1 Xxyopen | 1 Novel-plus | 2025-10-01 | 5.6 Medium |
| A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-35041 | 1 Airship Ai | 1 Acropolis | 2025-09-30 | 7.5 High |
| Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9. | ||||
| CVE-2024-53647 | 3 Apple, Google, Trendmicro | 4 Iphone Os, Android, Id Security and 1 more | 2025-09-29 | 6.5 Medium |
| Trend Micro ID Security, version 3.0 and below contains a vulnerability that could allow an attacker to send an unlimited number of email verification requests without any restriction, potentially leading to abuse or denial of service. | ||||
| CVE-2023-48028 | 1 Kodcloud | 1 Kodbox | 2025-09-29 | 9.8 Critical |
| kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. | ||||
| CVE-2025-23368 | 1 Redhat | 8 Build Keycloak, Integration, Jboss Data Grid and 5 more | 2025-09-25 | 8.1 High |
| A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. | ||||
| CVE-2022-2457 | 1 Redhat | 1 Process Automation Manager | 2025-09-24 | 6.5 Medium |
| A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against Administration Console as the application does not limit the number of unsuccessful login attempts. | ||||
| CVE-2025-10761 | 1 Harness | 1 Harness | 2025-09-22 | 3.7 Low |
| A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10658 | 2 Supportcandy, Wordpress | 2 Supportcandy, Wordpress | 2025-09-22 | 6.5 Medium |
| The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code. | ||||
| CVE-2024-57610 | 1 Sylius | 1 Sylius | 2025-09-19 | 7.5 High |
| A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality. | ||||
| CVE-2025-54860 | 1 Cognex | 2 In-sight Camera Firmware, In Sight Explorer | 2025-09-19 | 7.7 High |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service allows a denial-of-service attack, leaving the telnet service into an unreachable state. | ||||
| CVE-2024-24721 | 1 Innovaphone | 1 Innovaphone Pbx | 2025-09-18 | 6.5 Medium |
| An issue was discovered on Innovaphone PBX before 14r1 devices. The password form, used to authenticate, allows a Brute Force Attack through which an attacker may be able to access the administration panel | ||||
| CVE-2025-43863 | 1 Vantage6 | 1 Vantage6 | 2025-09-17 | 9.8 Critical |
| vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11. | ||||
| CVE-2025-54833 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | 5.3 Medium |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords. | ||||
| CVE-2025-36758 | 1 Solax | 1 Solax Cloud | 2025-09-12 | N/A |
| It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle. | ||||