
58 matches found

RedhatCVE, added 2026/06/05 7:29 p.m., 7 views

CVE-2026-46356

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...

CVSS 7.5 | AI score 5.5 | EPSS 0.00276
Exploits 0 | References 1
CVE, added 2026/05/14 7:3 p.m., 27 views

CVE-2026-46356

Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00276
Exploits 0 | References 2 | Affected Software 1
Vulnrichment, added 2026/05/14 7:3 p.m., 7 views

CVE-2026-46356 Fleet: IP spoofing allows bypassing API rate limiting

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...

CVSS 6.9 | AI score 5.8 | EPSS 0.00276
Exploits 0 | References 2
RedhatCVE, added 2026/05/12 9:49 a.m., 11 views

CVE-2026-43914

A flaw was found in Vaultwarden, a Bitwarden-compatible server. A remote attacker can exploit an unprotected two-factor authentication (2FA) function, sendemaillogin, to bypass login brute-force protection. This allows the attacker to repeatedly attempt password guesses without rate limiting,...

CVSS 9.8 | AI score 5.8 | EPSS 0.00288
Exploits 1 | References 2
EUVD, added 2026/05/11 10:3 p.m., 5 views

EUVD-2026-29342

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2FA is enabled. If email 2FA is enabled, the unprotected 2FA function sendemaillogin (email.rs), API endpoi...

CVSS 7.3 | AI score 5.8 | EPSS 0.00288
Exploits 1 | References 3
Positive Technologies, added 2026/05/04 12:0 a.m., 4 views

PT-2026-37162

Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.25.0. Description: The WebSocket login path, which involves sending login: username, password messages over an established connection, calls the app.securityStrategy.login function directly without rate...

CVSS 8.7 | AI score 5.8 | EPSS 0.00327
Exploits 1 | References 11
CVE, added 2026/04/21 2:14 p.m., 42 views

CVE-2026-0972

CVE-2026-0972 concerns Fortra’s GoAnywhere MFT up to version 7.10.0. Connected sources document two concrete issues: 1) HTML injection in system-generated emails, and 2) the SFTP login limit is not enforced prior to 7.10.0 when a user logs in with an SSH key, potentially enabling brute-force key ...

CVSS 5.4 | AI score 5.7 | EPSS 0.00155
Exploits 1 | References 2 | Affected Software 1
Vulnrichment, added 2026/04/21 2:14 p.m., 3 views

CVE-2025-14362 GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User being logged in to is configured to log in with an SSH key, leaving the SSH key vulnerable to being guessed by brute force...

CVSS 7.3 | AI score 5.7 | EPSS 0.00194
Exploits 0 | References 1
Snyk, added 2026/04/10 3:34 p.m., 1 view

Brute Force

Overview: Affected versions of this package are vulnerable to Brute Force due to improper enforcement of authentication lockout in the login process. An attacker can gain unauthorized access to accounts protected by two-factor authentication by repeatedly submitting incorrect TOTP codes without...

CVSS 8.2 | AI score 5.8 | EPSS 0.00296
Exploits 1 | References 2
CNNVD, added 2026/03/27 12:0 a.m., 4 views

Federated Learning and Interoperability Platform Security Vulnerability

Federated Learning and Interoperability Platform is an open-source medical imaging learning platform developed by the London AI Centre. Versions of the Federated Learning and Interoperability Platform (FLIP) prior to 0.1.1 contained security vulnerabilities. These vulnerabilities stemmed from the...

CVSS 9.8 | AI score 5.8 | EPSS 0.00268
Exploits 0 | References 2
RedhatCVE, added 2026/03/26 3:2 p.m., 3 views

CVE-2026-32295

JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials...

CVSS 9.3 | AI score 6 | EPSS 0.00488
Exploits 0 | References 1
Positive Technologies, added 2026/02/07 12:0 a.m., 7 views

PT-2026-6918

Name of the Vulnerable Software and Affected Versions: Tasin1025 SwiftBuy versions prior to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Description: A security flaw exists in Tasin1025 SwiftBuy. The issue involves improper restriction of excessive authentication attempts within an unknown functionalit...

CVSS 6.3 | AI score 4.9 | EPSS 0.00681
Exploits 1 | References 6
OSV, added 2026/01/22 6:6 p.m., 3 views

GHSA-3JQF-V4MV-747G Moonraker affected by LDAP search filter injection

Impact: Instances of Moonraker configured with the ldap component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover...

CVSS 6.9 | AI score 5.8 | EPSS 0.0027
Exploits 0 | References 4
Cvelist, added 2026/01/09 12:0 a.m., 19 views

CVE-2025-60538

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack...

EPSS 0.00367
Exploits 0 | References 2
Vulnrichment, added 2025/12/16 12:0 a.m., 3 views

CVE-2025-65427

An issue was discovered in the Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0: it does not implement rate limiting on /api/login, allowing attackers to brute-force passwords...

AI score 6.7 | EPSS 0.00295
Exploits 1 | References 3
CVE, added 2025/11/18 1:26 p.m., 11 views

CVE-2025-59116

Windu CMS (v4.1) is vulnerable to User Enumeration during login, where login-response differences enable brute-force validation of usernames. Only v4.1 was tested as vulnerable; fix is available in v4.1 build 2250. Affected components, root cause (message-based distinction on login) and impact (f...

CVSS 6.9 | AI score 6 | EPSS 0.00213
Exploits 0 | References 2 | Affected Software 1
Vulnrichment, added 2025/11/18 1:26 p.m., 3 views

CVE-2025-59116 User enumeration in Windu CMS

Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in response messages could allow an attacker to determine whether a login name is valid or not, enabling a brute force attack against valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was...

CVSS 6.9 | AI score 6 | EPSS 0.00213
Exploits 0 | References 2
Packet Storm, added 2025/08/18 12:0 a.m., 112 views

Soosyze CMS 2.0 Missing Rate Limiting

Soosyze CMS version 2.0 suffers from missing rate limiting that allows for brute force login attacks.
Exploit Title: Soosyze CMS 2.0 - Brute Force Login
Google Dork: N/A
Date: 2025-08-13
Exploit Author: Beatriz Fresno Naumova (beafn28)
Vendor Homepage: https://soosyze.com/
Software Link:...

CVSS 5.4 | AI score 6.5 | EPSS 0.0081
Exploits 3
RedhatCVE, added 2025/07/18 10:59 a.m., 4 views

CVE-2024-9342

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform login brute force attacks, as there is no limit on the number of failed login attempts...

CVSS 9.8 | AI score 6.5 | EPSS 0.00403
Exploits 0 | References 1
OSV, added 2025/07/16 12:30 p.m., 1 view

GHSA-99F7-HP6J-V6Q4 Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts

In Eclipse GlassFish version 7.0.16 or earlier, it is possible to perform login brute force attacks as there is no limitation on the number of failed login attempts...

CVSS 6.3 | AI score 5.9 | EPSS 0.00403
Exploits 0 | References 4