CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,123 CVEs tracked; 53,223 with exploits; 4,686 exploited in wild; 1,539 CISA KEV; 3,912 Nuclei templates; 37,757 vendors; 42,429 researchers
67 results
CVE-2026-28710 8.1 HIGH EPSS 0.00
Acronis Cyber Protect 17 - Info Disclosure
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
CWE-1390 Mar 06, 2026
CVE-2025-15595 EPSS 0.00
Inno Setup <=6.2.1 - Privilege Escalation
Privilege escalation via DLL hijacking in Inno Setup 6.2.1 and earlier versions.
CWE-1390 Mar 03, 2026
CVE-2026-1693 EPSS 0.00
PcVue 12.0.0-16.3.3 - Auth Bypass
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used, despite being deprecated, by the web services behind the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in versions 12.0.0 through 16.3.3 inclusive. It might allow a remote attacker to steal user credentials.
CWE-477 Feb 26, 2026
CVE-2025-30412 10.0 CRITICAL EPSS 0.00
Acronis Cyber Protect - Info Disclosure
Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
CWE-1390 Feb 20, 2026
CVE-2025-30411 10.0 CRITICAL EPSS 0.00
Acronis Cyber Protect - Info Disclosure
Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
CWE-1390 Feb 20, 2026
CVE-2025-57713 7.5 HIGH EPSS 0.00
File Station 5 <5.5.6.5166 - Info Disclosure
A weak authentication vulnerability has been reported to affect File Station 5. Remote attackers can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later.
CWE-1390 Feb 11, 2026
CVE-2025-40554 9.8 CRITICAL 2 PoCs Analysis NUCLEI EPSS 0.08
Solarwinds Web Help Desk < 2026.1 - Authentication Bypass
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
CWE-1390 Jan 28, 2026
CVE-2025-40552 9.8 CRITICAL 1 PoC Analysis NUCLEI EPSS 0.10
Solarwinds Web Help Desk < 2026.1 - Authentication Bypass
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
CWE-1390 Jan 28, 2026
CVE-2023-53894 9.8 CRITICAL 1 PoC Analysis EPSS 0.00
phpfm 1.7.9 - Auth Bypass
phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
CWE-1390 Dec 16, 2025
CVE-2025-63807 9.8 CRITICAL EPSS 0.00
University-BBS <9e06bab430bfc729f27b4284ba7570db3b11ce84 - Auth Bypass
An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
CWE-1390 Nov 20, 2025
CVE-2025-12871 9.8 CRITICAL EPSS 0.00
a+HRD - Privilege Escalation
The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.
CWE-1390 Nov 12, 2025
CVE-2025-12870 9.8 CRITICAL EPSS 0.00
a+HRD - Privilege Escalation
The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.
CWE-1390 Nov 12, 2025
CVE-2025-11084 EPSS 0.00
DataMosaix Private Cloud - Auth Bypass
A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.
CWE-1390 Nov 11, 2025
CVE-2025-59249 8.8 HIGH EPSS 0.00
Microsoft Exchange Server - Privilege Escalation
Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CWE-1390 Oct 14, 2025
CVE-2025-49201 8.1 HIGH EPSS 0.00
Fortinet FortiPAM <1.5.0 - RCE
A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiSwitchManager 7.2.0 through 7.2.4 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests.
CWE-1390 Oct 14, 2025
CVE-2025-30468 6.5 MEDIUM EPSS 0.00
iOS <26 - Info Disclosure
This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.
CWE-1390 Sep 15, 2025
CVE-2025-50173 7.8 HIGH EPSS 0.00
Windows Installer - Privilege Escalation
Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally.
CWE-1390 Aug 12, 2025
CVE-2025-47995 6.5 MEDIUM EPSS 0.00
Azure Machine Learning - Privilege Escalation
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
CWE-1390 Jul 18, 2025
CVE-2025-1727 8.1 HIGH EPSS 0.00
FRED - DoS
The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.
CWE-1390 Jul 10, 2025
CVE-2025-7326 7.0 HIGH EPSS 0.00
ASP.NET Core - Privilege Escalation
Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
CWE-1390 Jul 08, 2025