24 matches found
CVE-2026-55501 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail...
GO-2026-4916 Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
PT-2026-29956
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of rate limiting in the login process. An attacker can exhaust server resources by sending a large number of parallel login requests via a single HTTP/2 packet, potentially causing the server to cra...
EUVD-2026-15756
Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...
PT-2026-27961
Name of the Vulnerable Software and Affected Versions Mattermost versions 11.4.0 and earlier Mattermost versions 11.3.1 and earlier Mattermost versions 11.2.3 and earlier Mattermost versions 10.11.11 and earlier Description The software does not adequately limit the rate of login requests. This...
EUVD-2026-12608
JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials...
CVE-2026-32295
CVE-2026-32295 affects JetKVM prior to version 0.5.4, where there is no rate limiting on login attempts. This enables brute-force attempts to guess credentials, exposing potential unauthorized access. The vulnerability is mitigated by upgrading to version 0.5.4 (fix referenced in multiple sources...
EUVD-2026-1679
A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack...
CVE-2025-64422
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...
CVE-2025-64422 Rate-limit bypass on login via X-Forwarded-Host header
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...
CVE-2025-64422 Rate-limit bypass on login via X-Forwarded-Host header
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...
EUVD-2025-206238
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...
CVE-2025-66482 Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to...
CVE-2025-66482
Misskey CVE-2025-66482 affects the login rate-limiting mechanism via forged X-Forwarded-For headers. The vulnerability arises from an insecure default for trustProxy in the config, making instances vulnerable if not explicitly overridden. It is addressable starting with version 2025.9.1 by introd...
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to prevent this from happening. However, it is...
GHSA-WWRJ-3HVJ-PRPM Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to prevent this from happening. However, it is...
GO-2025-3842 Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault
Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault...
DEBIAN-CVE-2025-52576
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine vali...
CVE-2024-47656
This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on password, which could lead to gain unauthorized access to other user...