CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

CVE-2026-44668

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

CVE-2026-44668

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

CVE-2026-44668

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

PT-2026-40335

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

PT-2026-24639

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query the raw request query when Grant's session/state responses are empt...

CVE-2025-70147

Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information including plaintext password field values via direct HTTP GET requests to these endpoints without a valid session...

CVE-2025-65565

A denial-of-service vulnerability exists in the omec-project UPF pfcpiface component in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID CPF-SEID Information Element is not properly validated. The...

CVE-2025-36754 Authentication bypass on web interface

The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an...

UBUNTU-CVE-2025-54995

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions...

CVE-2025-5095

Burk Technology ARC Solo is affected by CVE-2025-5095: the device’s password-change endpoint accepts requests without valid credentials due to missing authentication/session validation, enabling an attacker to take control of the device. Reports note high-impact outcomes (full compromise risk) wi...

CVE-2025-53938 WeGIA vulnerable to Authentication Bypass due to Missing Session Validation in multiple endpoints

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Authentication Bypass vulnerability was identified in the /dao/verificarrecursoscargo.php endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows unauthenticated...

PT-2024-31948 · Sourcecodester · Sourcecodester Online Medicine Ordering System

Name of the Vulnerable Software and Affected Versions: Sourcecodester Online Medicine Ordering System version 1.0 Description: The issue is related to Incorrect Access Control, where there is a lack of authorization checks for admin operations. Specifically, an attacker can perform admin-level...

PT-2024-20465 · Unknown · Raspberrymatic +1

Name of the Vulnerable Software and Affected Versions: RaspberryMatic / OCCU versions prior to 3.75.6.20240316 Description: RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. The issue is caused by multiple problems within the Java-based HMIPServer.jar...

CVE-2023-35794

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint spawned console can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console...

Improper Authentication

asyncua is vulnerable to Improper Authentication. The vulnerability is due to a missing active session check, which lets an attacker access an Address Space without encryption and authentication allowing an attacker to steal sensitive data...

GHSA-2894-QCQF-G23G asyncua Improper Authentication vulnerability

Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...