Total
4320 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10906 | 2 Apple, Magnetism Studios | 2 Macos, Endurance | 2026-04-15 | 8.4 High |
| A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used. | ||||
| CVE-2024-2244 | 2026-04-15 | 5.3 Medium | ||
| REST service authentication anomaly with “valid username/no password” credential combination for batch job processing resulting in successful service invocation. The anomaly doesn’t exist with other credential combinations. | ||||
| CVE-2025-27416 | 2026-04-15 | N/A | ||
| Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in. | ||||
| CVE-2022-25369 | 1 Dynamicweb | 1 Dynamicweb | 2026-04-15 | 9.8 Critical |
| An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | ||||
| CVE-2025-2344 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-3263 | 2026-04-15 | 9.8 Critical | ||
| YMS VIS Pro is an information system for veterinary and food administration, veterinarians and farm. Due to a combination of improper method for system credentials generation and weak password policy, passwords can be easily guessed and enumerated through brute force attacks. Successful attacks can lead to unauthorised access and execution of operations based on assigned user permissions. This vulnerability affects VIS Pro in versions <= 3.3.0.6. This vulnerability has been mitigated by changes in authentication mechanisms and implementation of additional authentication layer and strong password policies. | ||||
| CVE-2025-10672 | 1 Whuan132 | 1 Aibattery | 2026-04-15 | 7.8 High |
| A vulnerability was found in whuan132 AIBattery up to 1.0.9. The affected element is an unknown function of the file AIBatteryHelper/XPC/BatteryXPCService.swift of the component com.collweb.AIBatteryHelper. The manipulation results in missing authentication. The attack requires a local approach. The exploit has been made public and could be used. | ||||
| CVE-2025-61679 | 1 Anyquery | 1 Anyquery | 2026-04-15 | 7.7 High |
| Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4. | ||||
| CVE-2024-6078 | 1 Rockwellautomation | 1 Datamosaix | 2026-04-15 | N/A |
| CVE-2024-6078 IMPACT An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. | ||||
| CVE-2025-6926 | 1 Mediawiki | 1 Mediawiki | 2026-04-15 | 8.8 High |
| Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-44005 | 1 Smallstep | 1 Step-ca | 2026-04-15 | 10 Critical |
| An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. | ||||
| CVE-2024-38523 | 2026-04-15 | 7.5 High | ||
| Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10. | ||||
| CVE-2025-11852 | 1 Apeman | 1 Apeman | 2026-04-15 | 5.3 Medium |
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27422 | 2026-04-15 | 7.5 High | ||
| FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3. | ||||
| CVE-2025-10463 | 1 Birtech Information Technologies Industry And Trade | 1 Senseway | 2026-04-15 | 7.3 High |
| Improper Authentication vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Authentication Abuse.This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology. | ||||
| CVE-2024-38825 | 2026-04-15 | 6.4 Medium | ||
| The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. | ||||
| CVE-2025-24894 | 2026-04-15 | 9.1 Critical | ||
| SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-45346 | 1 Xiaomi | 1 Getapps Application | 2026-04-15 | 8.8 High |
| The Xiaomi Security Center expresses heartfelt thanks to Ken Gannon and Ilyes Beghdadi of NCC Group working with Trend Micro Zero Day Initiative! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide Life. | ||||
| CVE-2025-60772 | 1 Netlink | 1 Hg322g | 2026-04-15 | 9.8 Critical |
| Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. | ||||
| CVE-2022-29083 | 1 Dell | 216 Chengming 3980, Chengming 3980 Firmware, Chengming 3990 and 213 more | 2026-04-14 | 6.8 Medium |
| Prior Dell BIOS versions contain an Improper Authentication vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability by bypassing drive security mechanisms in order to gain access to the system. | ||||