Lucene search
+L

69 matches found

cvelist
cvelist
added 6 days ago29 views

CVE-2026-55501 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail...

7.3CVSS0.00515EPSS
Exploits0References3
cve
cve
added 6 days ago21 views

CVE-2026-55501

The CVE concerns 9router prior to version 0.4.80, where the login rate limiter uses client identity from the attacker-controlled X-Forwarded-For header in src/lib/auth/loginLimiter.js. This allows remote attackers to rotate X-Forwarded-For per attempt, creating a fresh rate-limit bucket each time...

7.3CVSS6.2AI score0.00515EPSS
Exploits0References3
github
github
added 2026/07/06 9:46 p.m.6 views

9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...

7.3CVSS6AI score0.00515EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.12 views

PT-2026-56084

Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.80 Description The dashboard login rate limiter derives client identity from the X-Forwarded-For HTTP header, which is controlled by the user. When the application is directly exposed or deployed behind a reverse...

7.3CVSS6.2AI score0.00515EPSS
Exploits0References6
nvd
nvd
added 2026/06/30 2:16 p.m.11 views

CVE-2026-35098

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS0.00323EPSS
Exploits0References2
euvd
euvd
added 2026/06/30 1:37 p.m.9 views

EUVD-2026-40325

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where...

6.9CVSS5.8AI score0.00323EPSS
Exploits0References2
osv
osv
added 2026/05/11 2:35 p.m.2 views

CVE-2026-7820 pgAdmin 4: Account-lockout bypass via Flask-Security default /login view

Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4. pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...

6.9CVSS6AI score0.00211EPSS
Exploits0References4
osv
osv
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54347 OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass

OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and...

8.7CVSS6AI score0.00537EPSS
Exploits1References6
vulnrichment
vulnrichment
added 2026/04/21 5:10 p.m.3 views

CVE-2026-40586 blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/04/21 12:0 a.m.9 views

blueprintUE self-hosted edition 安全漏洞

The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the login form processor not implementing any type of...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References1
nvd
nvd
added 2026/04/16 5:16 a.m.11 views

CVE-2026-22616

Eaton Intelligent Power Protector IPP software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre...

7.5CVSS0.00319EPSS
Exploits0References1
nvd
nvd
added 2026/04/13 4:16 p.m.6 views

CVE-2025-31991

Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7...

9.8CVSS0.00228EPSS
Exploits0References1
osv
osv
added 2026/04/02 6:42 p.m.10 views

GO-2026-4916 Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

6.5CVSS5.9AI score0.00305EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/04/02 12:0 a.m.5 views

PT-2026-29956

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

6.5CVSS5.9AI score0.00305EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/03/29 11:13 a.m.3 views

CVE-2026-33879

Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...

6.9CVSS5.9AI score0.00268EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/03/27 8:31 p.m.4 views

CVE-2026-33879

Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...

6.9CVSS5.9AI score0.00268EPSS
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/03/27 8:31 p.m.2 views

CVE-2026-33879 FLIP doesn't have rate limiting or brute-force protection on login

Federated Learning and Interoperability Platform FLIP is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and...

6.9CVSS5.9AI score0.00268EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/03/26 12:0 a.m.14 views

Tandoor Recipes 安全漏洞

Tandoor Recipes is an open-source application designed for managing recipes, planning meals, creating shopping lists, and more. Versions of Tandoor Recipes prior to 2.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of BasicAuthentication as the default...

9.1CVSS5.8AI score0.00513EPSS
Exploits1References2
snyk
snyk
added 2026/03/25 6:31 p.m.4 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of rate limiting in the login process. An attacker can exhaust server resources by sending a large number of parallel login requests via a single HTTP/2 packet, potentially causing the server to cra...

6.5CVSS6AI score0.00305EPSS
Exploits0References2
euvd
euvd
added 2026/03/25 6:31 p.m.6 views

EUVD-2026-15756

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

4.3CVSS5.8AI score0.00305EPSS
Exploits0References2
Rows per page
Query Builder