Critical
CVSS: 9.3
The MAVLink communication protocol does not require cryptographic
authentication by default. When MAVLink 2.0 message signing is not
enabled, any message -- including SERIAL_CONTROL, which provides
interactive shell access -- can be sent…
Critical
CVSS: 9.3
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication,…
Medium
CVSS: 5.9
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon,…
High
CVSS: 7.7
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, the Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This a…
Critical
CVSS: 10.0
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a use…
Critical
CVSS: 9.8
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and au…
High
CVSS: 8.6
SIPP 3.3 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious input in the configuration file. Attackers can craft a configuration file with oversi…
High
CVSS: 8.6
PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversi…
Medium
CVSS: 6.9
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuratio…
Medium
CVSS: 6.9
Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication.
Medium
CVSS: 6.5
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
High
CVSS: 8.8
The VSL privileged helper uses NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate whether a client should be allowed to connect to the XPC listener, does not va…
Medium
CVSS: 6.8
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to im…
Medium
CVSS: 6.9
SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over.
Critical
CVSS: 9.3
A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privile…
Medium
CVSS: 6.9
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-cha…
Critical
CVSS: 9.1
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.…
Medium
CVSS: 6.9
phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.p…
Medium
CVSS: 5.3
Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows reading all messages exchanged via the broker and injection of new messages (CVE-2026-27446, https://www.cve.org/CVERecord). Since KNIME Business…
High
CVSS: 8.7
Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.