Total
502 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9551 | 1 Protected Pages Project | 1 Protected Pages | 2026-01-05 | N/A | 6.5 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0. | |||||
| CVE-2025-65427 | 1 Dbitnet | 2 Dbit N300 T1 Pro, Dbit N300 T1 Pro Firmware | 2025-12-31 | N/A | 6.5 MEDIUM |
| An issue was discovered in Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0 does not implement rate limiting to /api/login allowing attackers to brute force password enumerations. | |||||
| CVE-2025-64310 | 2025-12-23 | N/A | 9.8 CRITICAL | ||
| EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack. | |||||
| CVE-2025-12995 | 1 Medtronic | 1 Carelink Network | 2025-12-22 | N/A | 8.1 HIGH |
| Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | |||||
| CVE-2025-35041 | 1 Airship.ai | 1 Acropolis | 2025-12-19 | N/A | 7.5 HIGH |
| Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9. | |||||
| CVE-2025-10928 | 1 Access Code Project | 1 Access Code | 2025-12-12 | N/A | 6.3 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5. | |||||
| CVE-2025-66204 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | N/A | 8.1 HIGH |
| WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. | |||||
| CVE-2025-42615 | 2025-12-08 | N/A | N/A | ||
| In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0. | |||||
| CVE-2025-59113 | 1 Windu | 1 Windu Cms | 2025-12-05 | N/A | 7.5 HIGH |
| Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||
| CVE-2025-8118 | 1 Widzialni | 1 Pad Cms | 2025-11-26 | N/A | 6.5 MEDIUM |
| PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | |||||
| CVE-2023-32251 | 2025-11-21 | N/A | 3.7 LOW | ||
| A vulnerability has been identified in the Linux kernel's ksmbd component (kernel SMB/CIFS server). A security control designed to prevent dictionary attacks, which introduces a 5-second delay during session setup, can be bypassed through the use of asynchronous requests. This bypass negates the intended anti-brute-force protection, potentially allowing attackers to conduct dictionary attacks more efficiently against user credentials or other authentication mechanisms. | |||||
| CVE-2025-62399 | 1 Moodle | 1 Moodle | 2025-11-14 | N/A | 7.5 HIGH |
| Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. | |||||
| CVE-2025-54998 | 1 Openbao | 1 Openbao | 2025-11-13 | N/A | 5.3 MEDIUM |
| OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/. | |||||
| CVE-2025-12896 | 2025-11-12 | N/A | 4.4 MEDIUM | ||
| Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain un-authorized access to a locked storage device. | |||||
| CVE-2025-10161 | 2025-11-12 | N/A | 7.3 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass.This issue affects Perfektive: before Version: 12574 Build: 2701. | |||||
| CVE-2025-11566 | 2025-11-12 | N/A | N/A | ||
| CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. | |||||
| CVE-2025-62257 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 5.3 MEDIUM |
| Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack. | |||||
| CVE-2025-12547 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 2.6 LOW | 3.7 LOW |
| A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be executed remotely. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | N/A | 7.6 HIGH |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | |||||
| CVE-2014-5414 | 1 Beckhoff | 2 Embedded Pc Images, Twincat | 2025-11-05 | 9.4 HIGH | 9.1 CRITICAL |
| Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||||