Total
4317 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55340 | 1 Microsoft | 21 Remote Desktop Protocol, Windows, Windows 10 and 18 more | 2026-02-22 | 7 High |
| Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2025-68663 | 1 Getoutline | 1 Outline | 2026-02-20 | 5.3 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive operational updates after their account has been suspended. This vulnerability is fixed in 1.1.0. | ||||
| CVE-2025-54918 | 1 Microsoft | 28 Windows, Windows 10, Windows 10 1507 and 25 more | 2026-02-20 | 8.8 High |
| Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2019-12749 | 3 Canonical, Freedesktop, Redhat | 5 Ubuntu Linux, Dbus, Enterprise Linux and 2 more | 2026-02-13 | 7.1 High |
| dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. | ||||
| CVE-2024-25699 | 3 Esri, Linux, Microsoft | 4 Arcgis Enterprise, Portal For Arcgis, Linux Kernel and 1 more | 2026-02-13 | 8.5 High |
| There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change. | ||||
| CVE-2025-26685 | 1 Microsoft | 1 Defender For Identity | 2026-02-13 | 6.5 Medium |
| Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. | ||||
| CVE-2025-53771 | 1 Microsoft | 6 Sharepoint Enterprise Server, Sharepoint Enterprise Server 2016, Sharepoint Enterprise Server 2019 and 3 more | 2026-02-13 | 6.5 Medium |
| Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-53793 | 1 Microsoft | 4 Azure Stack Hub, Azure Stack Hub 2406, Azure Stack Hub 2408 and 1 more | 2026-02-13 | 7.5 High |
| Improper authentication in Azure Stack allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2024-57049 | 1 Tp-link | 2 Archer C20, Archer C20 Firmware | 2026-02-12 | 9.8 Critical |
| A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables." | ||||
| CVE-2025-70841 | 2 Amcoders, Dokans | 2 Dokans, Multitenancy Based Ecommerce Platform Saas | 2026-02-11 | 10 Critical |
| Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | ||||
| CVE-2024-38099 | 1 Microsoft | 9 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 6 more | 2026-02-10 | 5.9 Medium |
| Windows Remote Desktop Licensing Service Denial of Service Vulnerability | ||||
| CVE-2025-12810 | 1 Delinea | 1 Secret Server | 2026-02-06 | 6.5 Medium |
| Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. | ||||
| CVE-2025-66698 | 2 Semantic, Semantic-machines | 2 Machines, Veda | 2026-02-05 | 8.6 High |
| An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | ||||
| CVE-2019-19006 | 1 Sangoma | 1 Freepbx | 2026-02-04 | 9.8 Critical |
| Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. | ||||
| CVE-2025-65397 | 1 Blurams | 3 Dome Flare, Dome Flare Firmware, Flare Camera | 2026-02-03 | 6.8 Medium |
| An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card. | ||||
| CVE-2025-69822 | 1 Atomberg | 2 Erica Smart Fan, Erica Smart Fan Firmware | 2026-02-02 | 7.4 High |
| An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame | ||||
| CVE-2025-68717 | 1 Kaysus | 2 Ks-wr3600, Ks-wr3600 Firmware | 2026-02-02 | 9.4 Critical |
| KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication. | ||||
| CVE-2024-24771 | 1 Maykinmedia | 1 Open Forms | 2026-01-30 | 7.7 High |
| Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. The maintainers of Open Forms do not believe it is or has been possible to perform this login. However, if this were possible, the victim's account may be abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data. Three mitigating factors to help prevent exploitation include: the usual login page (at `/admin/login/`) does not fully log in the user until the second factor was succesfully provided; the additional non-MFA protected login page at `/api/v2/api-authlogin/` was misconfigured and could not be used to log in; and there are no additional ways to log in. This also requires credentials of a superuser to be compromised to be exploitable. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain the following patches to address these weaknesses: Move and only enable the API auth endpoints (`/api/v2/api-auth/login/`) with `settings.DEBUG = True`. `settings.DEBUG = True` is insecure and should never be applied in production settings. Additionally, apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking. | ||||
| CVE-2025-67158 | 1 Revotech | 2 I6032w-fhw, I6032w-fhw Firmware | 2026-01-30 | 7.5 High |
| An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. | ||||
| CVE-2025-3910 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-01-29 | 5.4 Medium |
| A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | ||||