Total
240 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9514 | 1 Macrozheng | 1 Mall | 2025-11-26 | 3.7 Low |
| A vulnerability has been found in macrozheng mall up to 1.0.3. This impacts an unknown function of the component Registration. Such manipulation leads to weak password requirements. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. The vendor deleted the GitHub issue for this vulnerability without and explanation. | ||||
| CVE-2025-63747 | 2 Qatraq, Testmanagement | 2 Qatraq, Qatraq | 2025-11-26 | 9.8 Critical |
| QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access. | ||||
| CVE-2025-65014 | 1 Librenms | 1 Librenms | 2025-11-20 | 3.7 Low |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0. | ||||
| CVE-2025-63800 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-11-19 | 7.5 High |
| The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts. | ||||
| CVE-2025-55034 | 1 General Industrial Controls | 1 Lynx+ Gateway | 2025-11-18 | 8.2 High |
| General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. | ||||
| CVE-2025-12285 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-10 | 9.8 Critical |
| Missing Initial Password Change.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | ||||
| CVE-2025-12364 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-10 | 9.8 Critical |
| Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | ||||
| CVE-2025-12552 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-10 | 9.8 Critical |
| Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | ||||
| CVE-2019-18988 | 1 Teamviewer | 1 Teamviewer | 2025-11-07 | 7.0 High |
| TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system. | ||||
| CVE-2025-11200 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2025-11-04 | 9.8 Critical |
| MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916. | ||||
| CVE-2024-35137 | 1 Ibm | 2 Security Access Manager, Security Verify Access Docker | 2025-11-03 | 6.2 Medium |
| IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 292413. | ||||
| CVE-2023-43016 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2025-11-03 | 7.3 High |
| IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154. | ||||
| CVE-2023-38369 | 1 Ibm | 1 Security Access Manager Container | 2025-11-03 | 6.2 Medium |
| IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 261196. | ||||
| CVE-2025-9964 | 1 Novakon | 1 P Series | 2025-11-03 | N/A |
| No password for the root user is set in Novakon P series. This allows phyiscal attackers to enter the console easily. This issue affects P series: P – V2001.A.C518o2. | ||||
| CVE-2025-60954 | 1 Microweber | 2 Cms, Microweber | 2025-10-28 | 8.3 High |
| Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts. | ||||
| CVE-2025-25737 | 1 Kapsch | 4 Ris-9160, Ris-9160 Firmware, Ris-9260 and 1 more | 2025-10-22 | 6.8 Medium |
| Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack secure password requirements for its BIOS Supervisor and User accounts, allowing attackers to bypass authentication via a bruteforce attack. | ||||
| CVE-2025-1341 | 1 Pmweb | 1 Pmweb | 2025-10-16 | 3.7 Low |
| A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11322 | 1 Mangati | 1 Novosga | 2025-10-06 | 3.7 Low |
| A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Executing manipulation of the argument Senha/Confirmação da senha can lead to weak password requirements. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-49883 | 1 Ibm | 1 Transformation Extender Advanced | 2025-10-03 | 5.9 Medium |
| IBM Transformation Extender Advanced 10.0.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. | ||||
| CVE-2025-57295 | 1 H3c | 3 Magic Nx15, Magic Nx15 Firmware, Nx15v100r015 | 2025-10-03 | 8 High |
| H3C devices running firmware version NX15V100R015 are vulnerable to unauthorized access due to insecure default credentials. The root user account has no password set, and the H3C user account uses the default password "admin," both stored in the /etc/shadow file. Attackers with network access can exploit these credentials to gain unauthorized root-level access to the device via the administrative interface or other network services, potentially leading to privilege escalation, information disclosure, or arbitrary code execution. | ||||