69 matches found
CVE-2026-55501 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail...
CVE-2026-55501
The CVE concerns 9router prior to version 0.4.80, where the login rate limiter uses client identity from the attacker-controlled X-Forwarded-For header in src/lib/auth/loginLimiter.js. This allows remote attackers to rotate X-Forwarded-For per attempt, creating a fresh rate-limit bucket each time...
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...
PT-2026-56084
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.80 Description The dashboard login rate limiter derives client identity from the X-Forwarded-For HTTP header, which is controlled by the user. When the application is directly exposed or deployed behind a reverse...
CVE-2026-35098
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...
EUVD-2026-40325
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...
CVE-2026-7820 pgAdmin 4: Account-lockout bypass via Flask-Security default /login view
Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4. pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...
CVE-2023-54347 OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass
OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and...
CVE-2026-40586 blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...
blueprintUE self-hosted edition 安全漏洞
The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the login form processor not implementing any type of...
CVE-2026-22616
Eaton Intelligent Power Protector IPP software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre...
CVE-2025-31991
Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7...
GO-2026-4916 Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
PT-2026-29956
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
CVE-2026-33879
Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...
CVE-2026-33879
Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...
CVE-2026-33879 FLIP doesn't have rate limiting or brute-force protection on login
Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...
Tandoor Recipes 安全漏洞
Tandoor Recipes is an open-source application designed for managing recipes, planning meals, creating shopping lists, and more. Versions of Tandoor Recipes prior to 2.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of BasicAuthentication as the default...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of rate limiting in the login process. An attacker can exhaust server resources by sending a large number of parallel login requests via a single HTTP/2 packet, potentially causing the server to cra...
EUVD-2026-15756
Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...