29 matches found
CVE-2026-38059 ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function
The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...
CVE-2026-38059
The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...
EUVD-2026-42058
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...
CVE-2026-5944 Cisco Intersight Device Connector for Nutanix Prism Central Unauthenticated API Access
An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. An unauthenticated...
SUSE CVE-2026-26190
Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath...
CVE-2025-69970
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...
Authentication Bypass
github.com/karmada-io/dashboard is vulnerable to an Authentication Bypass. The vulnerability is due to missing authentication enforcement on backend API endpoints, which allows an unauthenticated attacker with network access to directly invoke the APIs and retrieve sensitive cluster data such as...
CVE-2026-22788 WebErpMesv2 allows unauthenticated API Access
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies,...
CVE-2025-13283 Chunghwa Telecom|TenderDocTransfer - Arbitrary File Copy and Paste
TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could...
CVE-2025-63667
Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication...
CVE-2025-57788
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk...
CVE-2025-57788 Unauthorized API Access Risk
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk...
CVE-2025-27641
Vasion Print formerly PrinterLogic before Virtual Appliance Host 22.0.951 Application 20.0.2368 allows Unauthenticated APIs for Single-Sign On V-2024-009...
CVE-2025-0589
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly...
CVE-2024-33566 WordPress OrderConvo plugin <= 12.4 - Unauthenticated API Access to Arbitrary File Upload vulnerability
Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4...
CVE-2023-44324
Adobe FrameMaker Publishing Server versions 2022 and earlier are affected by an Improper Authentication vulnerability that could result in a Security feature bypass. An unauthenticated attacker can abuse this vulnerability to access the API and leak default admin's password. Exploitation of this...
CVE-2023-35082
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier. Recent assessments: sfewer-r7 at...
Ivanti Endpoint Manager Mobile < 11.3 Remote Unauthenticated API Access (CVE-2023-35082)
The version of Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is 11.3. It is, therefore, affected by an undisclosed unauthenticated API access vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the service's...
CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability
When this blog was originally published on August 2, it said that CVE-2023-35082 only affected MobileIron Core 11.2 and earlier, which are unsupported. On August 7, Ivanti published an updated advisory noting that since originally disclosing CVE-2023-35082, they have continued their investigation...