Lucene search
+L

29 matches found

cvelist
cvelist
added last week29 views

CVE-2026-38059 ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
cve
cve
added last week11 views

CVE-2026-38059

The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...

8.7CVSS6.1AI score0.00592EPSS
Exploits0References3
nvd
nvd
added 2026/07/07 5:16 p.m.8 views

CVE-2026-13019

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS0.0041EPSS
Exploits0References1
euvd
euvd
added 2026/07/07 4:40 p.m.7 views

EUVD-2026-42058

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS6AI score0.0041EPSS
Exploits0References1
cvelist
cvelist
added 2026/04/28 1:6 p.m.35 views

CVE-2026-5944 Cisco Intersight Device Connector for Nutanix Prism Central Unauthenticated API Access

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. An unauthenticated...

8.8CVSS0.00533EPSS
Exploits0References3
susecve
susecve
added 2026/03/04 12:26 a.m.5 views

SUSE CVE-2026-26190

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...

9.8CVSS5.8AI score0.34346EPSS
Exploits1References3
redhatcve
redhatcve
added 2026/02/04 3:15 a.m.10 views

CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

9.3CVSS5.5AI score0.00463EPSS
Exploits0References1
veracode
veracode
added 2026/01/16 8:13 a.m.6 views

Authentication Bypass

github.com/karmada-io/dashboard is vulnerable to an Authentication Bypass. The vulnerability is due to missing authentication enforcement on backend API endpoints, which allows an unauthenticated attacker with network access to directly invoke the APIs and retrieve sensitive cluster data such as...

8.7CVSS5.9AI score0.00607EPSS
Exploits0References7Affected Software1
osv
osv
added 2026/01/12 9:40 p.m.7 views

CVE-2026-22788 WebErpMesv2 allows unauthenticated API Access

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies,...

8.2CVSS7.1AI score0.00527EPSS
Exploits1References4
vulnrichment
vulnrichment
added 2025/11/17 3:30 a.m.4 views

CVE-2025-13283 Chunghwa Telecom|TenderDocTransfer - Arbitrary File Copy and Paste

TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could...

7.1CVSS6.5AI score0.00232EPSS
Exploits0References2
cvelist
cvelist
added 2025/11/12 12:0 a.m.15 views

CVE-2025-63667

Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication...

0.00486EPSS
Exploits0References3
nvd
nvd
added 2025/08/20 4:16 a.m.12 views

CVE-2025-57788

A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk...

6.9CVSS0.02721EPSS
Exploits4References2
cvelist
cvelist
added 2025/08/20 12:0 a.m.17 views

CVE-2025-57788 Unauthorized API Access Risk

A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk...

6.9CVSS0.02721EPSS
Exploits4References1
osv
osv
added 2025/03/05 6:15 a.m.2 views

CVE-2025-27641

Vasion Print formerly PrinterLogic before Virtual Appliance Host 22.0.951 Application 20.0.2368 allows Unauthenticated APIs for Single-Sign On V-2024-009...

9.8CVSS5.8AI score0.00832EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2025/02/11 8:59 a.m.8 views

CVE-2025-0589

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly...

6.9CVSS6.8AI score0.00357EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2024/04/29 7:58 a.m.11 views

CVE-2024-33566 WordPress OrderConvo plugin <= 12.4 - Unauthenticated API Access to Arbitrary File Upload vulnerability

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4...

10CVSS7AI score0.01071EPSS
Exploits0References1
osv
osv
added 2023/11/17 1:15 p.m.3 views

CVE-2023-44324

Adobe FrameMaker Publishing Server versions 2022 and earlier are affected by an Improper Authentication vulnerability that could result in a Security feature bypass. An unauthenticated attacker can abuse this vulnerability to access the API and leak default admin's password. Exploitation of this...

9.8CVSS5.8AI score0.01373EPSS
Exploits0References1
attackerkb
attackerkb
added 2023/08/15 12:0 a.m.43 views

CVE-2023-35082

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier. Recent assessments: sfewer-r7 at...

10CVSS9.8AI score0.99999EPSS
In wildExploits14References3
nessus
nessus
added 2023/08/03 12:0 a.m.68 views

Ivanti Endpoint Manager Mobile < 11.3 Remote Unauthenticated API Access (CVE-2023-35082)

The version of Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is 11.3. It is, therefore, affected by an undisclosed unauthenticated API access vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the service's...

10CVSS8.8AI score0.99999EPSS
Exploits2References3
rapid7blog
rapid7blog
added 2023/08/02 4:5 p.m.252 views

CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability

When this blog was originally published on August 2, it said that CVE-2023-35082 only affected MobileIron Core 11.2 and earlier, which are unsupported. On August 7, Ivanti published an updated advisory noting that since originally disclosing CVE-2023-35082, they have continued their investigation...

7.5CVSS8.7AI score0.99999EPSS
Exploits14
Rows per page
Query Builder