Total
2224 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15517 | 1 Tp-link | 19 Archer Nx200, Archer Nx200 Firmware, Archer Nx200 V1.0 and 16 more | 2026-04-02 | 8.1 High |
| A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations. | ||||
| CVE-2026-3527 | 2 Ceriumsoft, Drupal | 2 Ajax Dashboard, Ajax Dashboard | 2026-04-02 | 6.5 Medium |
| Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0. | ||||
| CVE-2026-33366 | 1 Buffalo | 93 Fs-m1266, Fs-m1266 Firmware, Fs-s1266 and 90 more | 2026-04-02 | N/A |
| Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication. | ||||
| CVE-2026-34162 | 2 Fastgpt, Labring | 2 Fastgpt, Fastgpt | 2026-04-02 | 10 Critical |
| FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5. | ||||
| CVE-2026-3356 | 1 Anritsu | 4 Remote Spectrum Monitor Ms27100a, Remote Spectrum Monitor Ms27101a, Remote Spectrum Monitor Ms27102a and 1 more | 2026-04-02 | N/A |
| The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error. | ||||
| CVE-2026-5000 | 1 Promtengineer | 1 Localgpt | 2026-04-01 | 7.3 High |
| A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-34411 | 1 Appsmith | 1 Appsmith | 2026-03-31 | 5.3 Medium |
| Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning. | ||||
| CVE-2026-4959 | 1 Openbmb | 1 Xagent | 2026-03-31 | 7.3 High |
| A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-3611 | 1 Honeywell | 7 Iq3, Iq412, Iq41x and 4 more | 2026-03-30 | 10 Critical |
| The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration. | ||||
| CVE-2026-1724 | 1 Gitlab | 1 Gitlab | 2026-03-27 | 6.8 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control. | ||||
| CVE-2026-33413 | 1 Etcd | 1 Etcd | 2026-03-27 | 8.8 High |
| etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution. | ||||
| CVE-2026-33159 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-27 | 6.5 Medium |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14. | ||||
| CVE-2026-31846 | 1 Nexxtsolutions | 1 Nebula300+ | 2026-03-26 | 6.5 Medium |
| Missing authentication in the /goform/ate endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows an adjacent unauthenticated attacker to retrieve sensitive device information, including the administrator password. The endpoint returns a raw response containing parameters such as Login_PW, which is Base64-encoded. An attacker can decode this value to obtain valid administrative credentials and authenticate to the device. | ||||
| CVE-2019-25632 | 2 Dulldusk, Sourceforge | 2 Phpfilemanager, Phpfilemanager | 2026-03-26 | 6.2 Medium |
| phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server. | ||||
| CVE-2026-32326 | 1 Sharp | 8 5g Mobile Router Sh-u01, Home 5g Hr01, Home 5g Hr02 and 5 more | 2026-03-25 | N/A |
| SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over. | ||||
| CVE-2026-2417 | 1 Pharos Controls | 1 Mosaic Show Controller | 2026-03-25 | N/A |
| A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges. | ||||
| CVE-2026-4649 | 1 Knime | 1 Business Hub | 2026-03-25 | 6.1 Medium |
| Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows reading all messages exchanged via the broker and injection of new message ( CVE-2026-27446 https://www.cve.org/CVERecord ). Since KNIME Business Hub uses Apache Artemis it is also affected by the issue. However, since Apache Artemis is not exposed to the outside it requires at least normal user privileges and the ability to execute workflows in an executor. Such a user can install and register a federated mirror without authentication to the original Apache Artemis instance and thereby read all internal messages and inject new messages. The issue affects all versions of KNIME Business Hub. A fixed version of Apache Artemis is shipped with versions 1.18.0, 1.17.4, and 1.16.3. We recommend updating to a fixed version as soon as possible since no workaround is known. | ||||
| CVE-2026-33719 | 1 Wwbn | 1 Avideo | 2026-03-25 | 8.6 High |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch. | ||||
| CVE-2026-22174 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 6.8 Medium |
| OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version endpoint and reuse the leaked token as Gateway bearer authentication. | ||||
| CVE-2026-4562 | 1 Maccms | 1 Maccms | 2026-03-25 | 7.3 High |
| A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | ||||