Search Results (2534 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-9062 2026-04-15 7.8 High
The Archify application contains a local privilege escalation vulnerability due to insufficient client validation in its privileged helper tool, com.oct4pie.archifyhelper, which is exposed via XPC. Archify follows the "factored applications" model, delegating privileged operations—such as arbitrary file deletion and file permission changes—to this helper running as root. However, the helper does not verify the code signature, entitlements, or signing flags of the connecting client. Although macOS provides secure validation mechanisms like auditToken, these are not implemented. As a result, any local process can establish a connection to the helper and invoke privileged functionality, leading to unauthorized execution of actions with root-level privileges.
CVE-2024-9137 1 Moxa 7 Edf-g1002-bp, Edr-8010, Edr-g9004 and 4 more 2026-04-15 9.4 Critical
The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
CVE-2025-0355 2026-04-15 7.5 High
Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to get a Wi-Fi password via the network.
CVE-2025-10452 1 Gotac 1 Statistical Database System 2026-04-15 9.8 Critical
Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges.
CVE-2025-10906 2 Apple, Magnetism Studios 2 Macos, Endurance 2026-04-15 8.4 High
A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used.
CVE-2025-10991 1 Tp-link 3 Tapo, Tapo D230s1, Tp-link 2026-04-15 N/A
The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device. This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907.
CVE-2025-11007 2 Ce21, Wordpress 2 Ce21-suite, Wordpress 2026-04-15 9.8 Critical
The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.
CVE-2025-12108 1 Survision 1 License Plate Recognition Camera 2026-04-15 N/A
The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.
CVE-2025-14346 2026-04-15 9.8 Critical
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.
CVE-2025-15346 1 Wolfssl 1 Wolfssl 2026-04-15 N/A
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2.
CVE-2025-1907 2026-04-15 9.8 Critical
Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.
CVE-2025-2344 2026-04-15 5.3 Medium
A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2407 2026-04-15 N/A
Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5.
CVE-2025-24924 2026-04-15 9.8 Critical
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username
CVE-2025-25265 2026-04-15 4.9 Medium
A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure.
CVE-2025-27214 2026-04-15 9.8 Critical
A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later
CVE-2025-27256 2026-04-15 8.3 High
Missing Authentication for Critical Function vulnerability in GE Vernova Enervista UR Setup application allows Authentication Bypass due to a missing SSH server authentication. Since the client connection is not authenticated, an attacker may perform a man-in-the-middle attack on the network.
CVE-2025-27803 2026-04-15 6.5 Medium
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access to sensitive data.
CVE-2025-27935 1 Pingidentity 1 Pingfederate 2026-04-15 N/A
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.
CVE-2025-29870 2026-04-15 7.5 High
Missing authentication for critical function vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote unauthenticated attacker may obtain the product configuration information including authentication information.