CVE-2026-45010
CVE-2026-45010 affects phpMyFAQ before 4.1.2. The /admin/check endpoint improperly restricts authentication attempts, accepting arbitrary user-id parameters without session binding or rate limiting. This enables unauthenticated attackers to brute-force any user’s six-digit TOTP code by submitting...
EUVD-2023-60570
OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and...
OpenEMR Security Vulnerability
OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Version 7.0.1 of OpenEMR contains a security vulnerability...
CVE-2024-41276
A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanis...
EUVD-2020-28633
Malware in sbrugna...
EUVD-2020-6080
Malware in sbrugna...
EUVD-2023-35492
Malicious code in bioql PyPI...
CVE-2025-41459 Insecure authentication due to missing bruteforce protection and runtime manipulation in Two App Studio Journey 5.5.6 for iOS
Insufficient protection against brute-force and runtime manipulation in the local authentication component in Two App Studio Journey 5.5.6 on iOS allows local attackers to bypass biometric and PIN-based access control via repeated PIN attempts or dynamic code injection...
CVE-2025-52101
linjiashop =0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking...
CVE-2020-29136
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach SEC-575...
CVE-2025-2911 Improper Restriction of Excessive Authentication Attempts vulnerability in MeetMe products
Unauthorised access to the call forwarding service system in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions...
CVE-2025-25595
A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack...
CVE-2023-27152
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication...
PT-2023-6219 · Nextcloud +2 · Nextcloud Enterprise Server +3
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions 25.0.0 through 25.0.8; Nextcloud Server versions 26.0.0 through 26.0.3; Nextcloud Enterprise Server versions 22.0.0 through 22.2.10.13; Nextcloud Enterprise Server versions 23.0.0 through 23.0.12.8; Nextcloud Enterprise...
CVE-2022-22553
Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
Symantec Reporter Authentication Bypass Vulnerability
Symantec Reporter is software from the US company Symantec that provides log collection, storage and viewing capabilities. A security vulnerability exists in Symantec Reporter that stems from the program's failure to limit the number of authentication requests. A remote...
CVE-2016-8347
An issue was discovered in Kabona AB WebDatorCentral WDC application prior to Version 3.4.0. WDC does not limit authentication attempts that may allow a brute force attack method...
YASUO - Scans for Vulnerable & Exploitable 3rd-party Web Applications
Yasuo is a Ruby script that scans for vulnerable 3rd-party web applications. While working on network security assessments (internal, external, red team gigs, etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiti...
CVE-2004-0939
changepassword.cgi in Neoteris Instant Virtual Extranet IVE 3.x and 4.x, with LDAP authentication or NT domain authentication enabled, does not limit the number of times a bad password can be entered, which allows remote attackers to guess passwords via a brute force attack...