CVE-2025-63435
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official...
PT-2025-47949
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official...
PT-2025-47710
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including,...
CVE-2025-12937 ACF Flexible Layouts Manager <= 1.1.6 - Missing Authorization to Unauthenticated Custom Field Update
The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acfflmupdatetemplatewithpastedlayout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to...
SolarWinds Serv-U Security Vulnerability
SolarWinds Serv-U is FTP (File Transfer Protocol) server software from SolarWinds USA. A security vulnerability exists in SolarWinds Serv-U that stems from a lack of an authentication process and could lead to code execution by an attacker with administrator privileges...
CVE-2025-63225
The Eurolab ELTS100UBX device firmware version ELTS100v1.UBX is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized...
CVE-2025-64307
The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes...
General Industrial Controls Lynx+ Gateway Access Control Error Vulnerability
General Industrial Controls Lynx+ Gateway is an industrial automation gateway from General Industrial Controls India. An access control error vulnerability exists in the General Industrial Controls Lynx+ Gateway that stems from a lack of critical authentication on the embedded web server, which...
SAP HANA Access Control Error Vulnerability
SAP HANA is a high-performance real-time data analytics platform from Germany's SAP. The platform provides data query functionality that lets users query and analyze real-time business data. An access control error vulnerability exists in SAP HANA version 2.0 that stems from a lack of...
kgateway Security Vulnerability
kgateway is a cloud-native API gateway and AI gateway open-sourced by kgateway-dev. A security vulnerability exists in kgateway version 2.0.4 and earlier and versions 2.1.0-agw-cel-rbac through 2.1.0-rc.2, which stems from a lack of authentication and could lead to unauthorized clients obtaining...
Missing Authentication
Overview: Affected versions of this package are vulnerable to Missing Authentication in the xDS interface. An attacker can access sensitive configuration data, including certificate information, backend service details, routing rules, and cluster metadata, by connecting to the exposed port without...
GHSA-4766-X535-JW3R kgateway is missing xDS authorization
Summary: The xDS interface in Kgateway versions 2.0.0 through 2.0.4 lacks authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster...
CVE-2025-61956 Missing Authentication for Critical Function in Radiometrics VizAir
Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots...
PT-2025-45013
Name of the Vulnerable Software and Affected Versions: lakeFS versions prior to 1.71.0. Description: lakeFS is a tool that transforms object storage into Git-like repositories. Versions 1.69.0 and below lack authentication for the /api/v1/usage-report/summary endpoint, allowing unauthorized access t...
CVE-2025-59461 API does not require authentication
A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services...
CVE-2025-59461
CVE-2025-59461 is an externally exploitable issue described as a remote, unauthenticated access via an unauthenticated C++ API that can disclose/modify sensitive data and disrupt services. Connected docs associate the vulnerability with the SICK TLOC100-100 product and reflect ER/Red Hat/NVD entr...
CVE-2025-62169 OctoPrint-SpoolManager Plugin APIs do not enforce authentication
OctoPrint-SpoolManager is a plugin for managing spools and all their usage metadata. In versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch, the APIs of the OctoPrint-SpoolManager plugin do not correctly enforce authentication or authorization checks...
CVE-2025-11942 70mai X200 Pairing missing authentication
A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early abo...
WSO2 API Manager and WSO2 API Control Plane Security Vulnerability
WSO2 API Manager and WSO2 API Control Plane are products of WSO2, Inc. WSO2 API Manager is an API lifecycle management solution and WSO2 API Control Plane is a control panel. A security vulnerability exists in WSO2 API Manager and WSO2 API Control Plane that stems from a lack of authentication an...
CVE-2025-59403
The Flock Safety Android Collins application aka com.flocksafety.android.collins 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include b...