58 matches found
CVE-2026-40586
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...
CVE-2026-36607
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without...
CVE-2026-41893
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...
CVE-2026-36959
U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...
PT-2026-34023
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...
CVE-2025-53968
This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system,...
CVE-2023-50123
The number of attempts to bring the Hozard Alarm system (alarmsystemen) v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute-force attack on the SMS authentication to bring the alarm system to a disarmed state...
CVE-2022-37145
The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a brute-force attack on the login page with no time or attempt limitation in an...
PT-2026-1871
Name of the Vulnerable Software and Affected Versions: GL.Inet AX1800 versions 4.6.4 through 4.6.8. Description: The LuCI web interface on GL.Inet AX1800 devices lacks rate limiting or account lockout mechanisms on the authentication endpoint /cgi-bin/luci. This allows an unauthenticated attacker on...
PT-2026-1331
Name of the Vulnerable Software and Affected Versions: Coolify versions 4.0.0-beta.434 and later. Description: Coolify is a self-hostable tool for managing servers, applications, and databases. A rate limit on the /login endpoint can be bypassed by rotating the X-Forwarded-For header. This allows...
EUVD-2025-201840
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying X-Forwarded-For on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The...
Vulnerability-Lookup Security Vulnerability
Vulnerability-Lookup is an open source Vulnerability-Lookup platform for managing disclosure of vulnerabilities. A security vulnerability exists in Vulnerability-Lookup versions prior to 2.18.0, which stems from an unrestricted one-time password failure attempt that could lead to a brute-force...
EUVD-2025-23992
Malicious code in bioql PyPI...
CVE-2025-35041
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9...
CVE-2025-35041 Airship AI Acropolis MFA insufficient rate limiting
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9...
CVE-2025-35041
Airship AI Acropolis MFA vulnerability: after a valid login, there is no rate limiting for MFA attempts, allowing unlimited tries within a 15-minute window to brute-force the 6-digit code. Affected versions include those prior to 10.2.35, 11.0.21, and 11.1.9. Remediation is to upgrade to 10.2.35,...
PT-2025-38737
Name of the Vulnerable Software and Affected Versions: Airship AI Acropolis versions prior to 10.2.35; Airship AI Acropolis versions prior to 11.0.21; Airship AI Acropolis versions prior to 11.1.9. Description: The software permits an unlimited number of multi-factor authentication (MFA) attempts within...
Airship AI Acropolis Security Vulnerability
Airship AI Acropolis is a video and wear Blue Flag data management platform from Airship AI in the United States. A security vulnerability exists in Airship AI Acropolis versions prior to 10.2.35, prior to 11.0.21, and prior to 11.1.9, which stems from allowing unlimited attempts at MFA...
DRUPAL-CONTRIB-2025-101
This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...