47 matches found

RedhatCVE
added 3 days ago | 7 views

CVE-2026-5386

The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings...

9.1 CVSS | 5.5 AI score | 0.0006 EPSS
Exploits: 0 | References: 1
CVE
added 6 days ago | 16 views

CVE-2026-5076

CVE-2026-5076 concerns ARMember Premium for WordPress (

9.8 CVSS | 5.9 AI score | 0.00043 EPSS
Exploits: 2 | References: 2
Patchstack
added 2026/05/26 5:23 p.m. | 6 views

WordPress WP Promoter plugin <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset vulnerability

Missing Authorization to Unauthenticated Statistics Reset vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin WP Promoter versions <= 1.3...

5.3 CVSS | 5.8 AI score | 0.0007 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/05/20 3:45 p.m. | 2 views

GHSA-9QV9-8XV6-5P35 phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

Summary: The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and...

8.2 CVSS | 5.8 AI score | 0.00035 EPSS
Exploits: 0 | References: 2
Snyk
added 2026/05/20 3:45 p.m. | 5 views

Weak Password Recovery Mechanism for Forgotten Password

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the updatePassword function. An attacker can enumerate valid user accounts and forcibly chan...

8.8 CVSS | 5.8 AI score | 0.00035 EPSS
Exploits: 0 | References: 2
EUVD
added 2026/05/13 9:52 p.m. | 5 views

EUVD-2026-30185

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockouthandler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword...

5.3 CVSS | 5.8 AI score | 0.00115 EPSS
Exploits: 1 | References: 1
RedhatCVE
added 2026/03/26 2:59 p.m. | 2 views

CVE-2026-31881

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

9.8 CVSS | 5.9 AI score | 0.00603 EPSS
Exploits: 1 | References: 1
EUVD
added 2026/03/21 6:30 a.m. | 0 views

EUVD-2026-14015

The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for...

5.3 CVSS | 5.8 AI score | 0.00193 EPSS
Exploits: 0 | References: 4
NVD
added 2026/03/11 7:16 p.m. | 2 views

CVE-2026-31881

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

9.8 CVSS | 0.00603 EPSS
Exploits: 1 | References: 1
Cvelist
added 2026/03/11 6:37 p.m. | 26 views

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7 CVSS | 0.00603 EPSS
Exploits: 1 | References: 1
CVE
added 2026/03/11 3:8 a.m. | 17 views

CVE-2026-23813

CVE-2026-23813 pertains to Aruba AOS-CX switches, where the web-based management interface may allow an unauthenticated remote actor to bypass authentication and potentially reset the admin password. Technical details across sources confirm an authentication bypass with high impact (CVE-2026-2381...

9.8 CVSS | 5.8 AI score | 0.00058 EPSS
Exploits: 1 | References: 1
Cvelist
added 2026/02/02 6:0 a.m. | 28 views

CVE-2025-15030 User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account...

0.00026 EPSS
Exploits: 1 | References: 1
RedhatCVE
added 2026/01/09 11:22 a.m. | 6 views

CVE-2021-31326

D-Link DIR-816 A2 1.10 B05 allows unauthenticated attackers to arbitrarily reset the device via a crafted tokenid parameter to /goform/form2Reboot.cgi...

9.8 CVSS | 6.9 AI score | 0.0166 EPSS
Exploits: 1 | References: 1
CVE
added 2025/12/22 9:37 p.m. | 12 views

CVE-2023-53964

The CVE-2023-53964 entry concerns SOUND4 IMPACT/FIRST/PULSE/Eco v2.x. The vulnerability is an unauthenticated factory-reset flaw in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to trigger a device factory reset by sending a crafted POST request, bypassing authenticati...

9.8 CVSS | 6.7 AI score | 0.00663 EPSS
Exploits: 2 | References: 4 | Affected Software: 1
Vulnrichment
added 2025/12/14 6:0 a.m. | 1 views

CVE-2025-12696 HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset

The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them...

6.5 AI score | 0.00026 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2025/11/27 2:26 a.m. | 2 views

CVE-2025-12579 Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset

The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings...

5.3 CVSS | 5 AI score | 0.00119 EPSS
Exploits: 0 | References: 2
CVE
added 2025/11/04 4:27 a.m. | 10 views

CVE-2025-12157

CVE-2025-12157 concerns the WordPress plugin Simple User Capabilities. The connected documents confirm an unauthenticated modification risk due to a missing permission check on the AJAX endpoint wp_ajax_nopriv_reset_capability, affecting versions up to and including 1.0. This can allow an unau...

5.3 CVSS | 5 AI score | 0.00114 EPSS
Exploits: 0 | References: 3
Tenable Nessus
added 2025/10/14 12:0 a.m. | 7 views

Fortinet Fortigate FGFM protocol allows unauthenticated reset of the connection (FG-IR-24-041)

The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-041 advisory. - An improper check or handling of exceptional conditions vulnerability CWE-703 in FortiOS version 7.4.0 through 7.4.3 and...

5.3 CVSS | 5.6 AI score | 0.00079 EPSS
Exploits: 0 | References: 2
CVE
added 2025/09/27 6:47 a.m. | 11 views

CVE-2025-9893

The vulnerability CVE-2025-9893 affects the VM Menu Reorder plugin for WordPress (Product: VM Menu Reorder plugin). The issue is Cross-Site Request Forgery (CSRF) in versions up to and including 1.0.0, caused by missing or incorrect nonce validation on the vm_set_to_default function. This weaknes...

4.3 CVSS | 4.9 AI score | 0.00014 EPSS
Exploits: 0 | References: 2
CNNVD
added 2025/05/07 12:0 a.m. | 2 views

WordPress plugin Frontend Dashboard authorization issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. An authorization issue...

9.8 CVSS | 8.7 AI score | 0.00899 EPSS
Exploits: 0 | References: 6