Search Results (586 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-48745 | | | 2026-04-15 | 5.3 Medium | Improper Restriction of Excessive Authentication Attempts vulnerability in WebFactory Ltd Captcha Code allows Functionality Bypass. This issue affects Captcha Code: from n/a through 2.9. |
| CVE-2025-2171 | 1 Aviatrix | 1 Controller | 2026-04-15 | N/A | Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute-force guess the 6-digit password reset PIN. |
| CVE-2024-41276 | 1 Kaiten | 1 Kaiten | 2026-04-15 | 9.8 Critical | A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute-force attack to guess the correct PIN and gain unauthorized access to the application. |
| CVE-2024-46442 | | | 2026-04-15 | 9.8 Critical | An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a brute-force attack. |
| CVE-2024-48143 | 1 Digitory | 1 Multi-channel Integrated Pos | 2026-04-15 | 9.1 Critical | A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders. |
| CVE-2025-0417 | 1 Valmet | 1 Dna | 2026-04-15 | N/A | Lack of protection against brute-force attacks in Valmet DNA visualization in DNA Operate. The possibility to make an arbitrary number of login attempts without any rate limit gives an attacker an increased chance of guessing passwords and then performing switching operations. |
| CVE-2025-48014 | | | 2026-04-15 | 7.5 High | Password guessing limits could be bypassed when using LDAP authentication. |
| CVE-2025-11566 | 1 Schneider-electric | 1 Powerchute Serial Shutdown | 2026-04-15 | N/A | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. |
| CVE-2025-46739 | | | 2026-04-15 | 8.1 High | An unauthenticated user could discover account credentials via a brute-force attack without rate limiting. |
| CVE-2025-1629 | | | 2026-04-15 | 3.5 Low | A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Handler. The manipulation leads to improper restriction of excessive authentication attempts. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-42615 | 1 Circl | 1 Vulnerability-lookup | 2026-04-15 | N/A | In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0. |
| CVE-2025-1714 | | | 2026-04-15 | N/A | Lack of Rate Limiting in Sign-up workflow in Perforce Gliffy prior to version 4.14.0-7 on Gliffy online allows an attacker to enumerate valid user emails and potentially DoS the server. |
| CVE-2025-26862 | 1 Pingidentity | 1 Pingfederate | 2026-04-15 | N/A | Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute-force login attacks. |
| CVE-2025-24806 | 1 Authelia | 1 Authelia | 2026-04-15 | N/A | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email, the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled, assuming an attacker using brute force to find a user password. It's important to note that due to the effective operation of regulation, where no user-facing sign of their regulation ban is visible either via timing or via API responses, it's effectively impossible to determine if a failure occurs due to a bad username/password combination or an effective ban blocking the attempt, which heavily mitigates any form of brute force. This occurs because the records and counting process for this system uses the method utilized for sign in rather than the effective username attribute. This has a minimal impact on account security; this impact is increased naturally in scenarios when there is no two-factor authentication required and weak passwords are used. This makes it a bit easier to brute-force a password. A patch for this issue has been applied to versions 4.38.19 and 4.39.0. Users are advised to upgrade. Users unable to upgrade should 1. not heavily modify the default settings in a way that ends up with shorter or less frequent regulation bans (the default settings effectively mitigate any potential for this issue to be exploited) and 2. disable the ability for users to log in via an email address. |
| CVE-2025-1740 | 1 Akinsoft | 1 Myrezzta | 2026-04-15 | 9.8 Critical | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force. This issue affects MyRezzta: from s2.03.01 before v2.05.01. |
| CVE-2024-51720 | 1 Blackberry | 1 Secusuite | 2026-04-15 | 4.8 Medium | An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim's account and telephone number. |
| CVE-2024-5862 | | | 2026-04-15 | 7.5 High | Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before 1.0.14. |
| CVE-2024-9832 | 1 Baxter | 1 Life2000 Ventilator Firmware | 2026-04-15 | 9.3 Critical | There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure. |
| CVE-2025-6030 | | | 2026-04-15 | N/A | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. |
| CVE-2025-6029 | | | 2026-04-15 | N/A | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacturer is unknown at the time of release. CVE Record will be updated once this is clarified. |