Total
1615 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-26362 | 1 Q-free | 1 Maxtime | 2025-07-13 | 7.5 High |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | ||||
| CVE-2025-26363 | 1 Q-free | 1 Maxtime | 2025-07-13 | 7.5 High |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | ||||
| CVE-2025-26365 | 1 Q-free | 1 Maxtime | 2025-07-13 | 7.5 High |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | ||||
| CVE-2024-39364 | 1 Advantech | 1 Adam-5630 | 2025-07-12 | 6.3 Medium |
| Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands. | ||||
| CVE-2024-52285 | 1 Siemens | 2 Sipass Integrated Ac5102 (acc-g2), Sipass Integrated Acc-ap | 2025-07-12 | 5.3 Medium |
| A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data. | ||||
| CVE-2024-32735 | 1 Cyberpower | 1 Powerpanel Enterprise | 2025-07-12 | 9.8 Critical |
| An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application. | ||||
| CVE-2025-26339 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests. | ||||
| CVE-2025-26341 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests. | ||||
| CVE-2025-26342 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests. | ||||
| CVE-2025-26345 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. | ||||
| CVE-2025-26347 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests. | ||||
| CVE-2025-26360 | 1 Q-free | 1 Maxtime | 2025-07-12 | 5.3 Medium |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | ||||
| CVE-2025-26361 | 1 Q-free | 1 Maxtime | 2025-07-12 | 9.1 Critical |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | ||||
| CVE-2025-26364 | 1 Q-free | 1 Maxtime | 2025-07-12 | 7.5 High |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | ||||
| CVE-2025-26366 | 1 Q-free | 1 Maxtime | 2025-07-12 | 7.5 High |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | ||||
| CVE-2025-32440 | 1 Netalertx | 1 Netalertx | 2025-07-11 | 10 Critical |
| NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. An attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php. This issue has been patched in version 25.4.14. | ||||
| CVE-2025-25268 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | 8.8 High |
| An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication. | ||||
| CVE-2025-44039 | 1 Cpplusworld | 2 Cp-xr-de21-s, Cp-xr-de21-s Firmware | 2025-07-11 | 5.1 Medium |
| CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. This vulnerability allows local attackers to connect to the UART port via a serial connection, read all boot sequence, and revealing internal system details and sensitive information without any authentication. | ||||
| CVE-2024-38143 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-07-10 | 4.2 Medium |
| Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | ||||
| CVE-2024-5718 | 1 Logsign | 2 Unified Secops, Unified Secops Platform | 2025-07-10 | 8.1 High |
| Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the cluster HTTP API, which listens on TCP port 1924 by default when enabled. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24166. | ||||