Lucene search
K

227 matches found

Nuclei
Nuclei
added yesterday15 views

Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control

Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication. id: CVE-2024-32114 info: name: Apache ActiveMQ 6.x 6.1....

8.8CVSS7AI score0.0692EPSS
Exploits1References4
NVD
NVD
added 4 days ago6 views

CVE-2026-38059

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
CVE
CVE
added 4 days ago9 views

CVE-2026-38059

The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...

8.7CVSS6.1AI score0.00592EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-38059 ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
NVD
NVD
added last week8 views

CVE-2026-13019

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS0.0041EPSS
Exploits0References1
EUVD
EUVD
added last week7 views

EUVD-2026-42058

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS6AI score0.0041EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.2 views

PT-2026-56242

Name of the Vulnerable Software and Affected Versions Serena versions prior to 1.5.2 Description The built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port. This API lacks authentication, Cross-Site Request Forgery CSRF protection, and Host header validation. A D...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References10
NVD
NVD
added 2026/06/23 5:16 p.m.7 views

CVE-2026-13007

Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/ that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are...

8.7CVSS0.00432EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 3:37 p.m.32 views

CVE-2026-45567 Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches...

8.3CVSS0.00244EPSS
Exploits0References1
OSV
OSV
added 2026/06/04 5:49 p.m.10 views

GHSA-C82X-F4XR-QV33 epa4all-client: Unauthenticated REST API for Patient Record Writes

Impact Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment e.g., following the production Docker example in the README, this is exploitable from the local network without...

6.5CVSS5.9AI score0.00162EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/04 6:25 a.m.9 views

CVE-2026-49203 Unauthenticated eSIM Configuration Manipulation

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted...

7.2CVSS5.8AI score0.00168EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 3:41 p.m.54 views

CVE-2026-44326 free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptio...

9.4CVSS0.00311EPSS
Exploits1References3
OSV
OSV
added 2026/05/26 4:16 p.m.7 views

DEBIAN-CVE-2026-48692

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...

8.1CVSS6.2AI score0.00233EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2026/05/26 4:16 p.m.16 views

CVE-2026-48692

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...

8.1CVSS6.2AI score0.00233EPSS
Exploits0References5
OSV
OSV
added 2026/05/26 4:16 p.m.33 views

UBUNTU-CVE-2026-48692

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...

8.1CVSS6.2AI score0.00233EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/26 12:0 a.m.9 views

CVE-2026-48692

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...

6.2AI score0.00233EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/26 12:0 a.m.44 views

CVE-2026-48692

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...

0.00233EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/07 9:18 p.m.9 views

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

8.9CVSS5.8AI score0.00388EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 9:18 p.m.43 views

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

8.9CVSS0.00388EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 12:0 a.m.30 views

CVE-2026-30496

The Optoma CinemaX P2 projector firmware TVOS-04.24.010.04.01, Android 8.0.0 exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration 74 endpoints and writing/modifying settings including volume, mute,...

0.00326EPSS
Exploits0References1
Rows per page
Query Builder