CWE-307
Improper Restriction of Excessive Authentication Attempts
Parent: CWE-1390 - Weak Authentication
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
586 vulnerabilities with CWE-307
CVE ID           Severity   CVSS   Title
CVE-2026-6853    CRITICAL   9.8    OTP Bypass in Başbelen Group's Pause+ Mobile App
CVE-2026-3329    HIGH       -      Nexus Repository Manager - Improper Restriction of Excessive Authentication Attempts
CVE-2026-43926   MEDIUM     -      FOSSBilling's password reset confirmation endpoint lacks rate limiting
CVE-2026-36612   MEDIUM     6.4    Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Weak WPS Lockout Policy
CVE-2026-36607   HIGH       8.8    Mercusys AC12G (EU) V1 - Unauthenticated Brute-Force Attack via TDDP Password Change Endpoint
CVE-2026-10216   LOW        3.7    unitedbyai droidclaw claim Endpoint pairing.ts excessive authentication
CVE-2026-49324   MEDIUM     4.6    Indian Scout Bobber 2025 WCM brute-force
CVE-2026-45364   HIGH       7.3    Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
CVE-2026-35675   HIGH       8.2    phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update
CVE-2026-8760    CRITICAL   9.8    Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force
CVE-2026-1816    MEDIUM     6.3    OTP Bypass in TEİAŞ's Mobile Application
CVE-2026-45010   CRITICAL   9.1    phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint
CVE-2026-44195   MEDIUM     5.3    OPNsense: Authentication lockout bypass
CVE-2026-7255    MEDIUM     6.5    Zyxel WRE6505 v2 Firmware - Improper Restriction of Excessive Authentication Attempts
CVE-2026-43914   HIGH       7.3    Vaultwarden: Brute-force protection bypass vulnerability
CVE-2026-7820    MEDIUM     6.5    pgAdmin 4: Account-lockout bypass via Flask-Security default /login view
CVE-2026-41893   HIGH       7.5    Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
CVE-2026-7671    LOW        3.7    CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication
CVE-2026-36959   HIGH       7.5    U-SPEED N300 Firmware V1.0.0 - Unauthenticated Brute-Force Attack via Login Endpoint
CVE-2026-26206   MEDIUM     6.5    Wazuh: API brute-force protection bypass via race condition in login attempt tracking
CVE-2026-35902   MEDIUM     6.2    MERCURY IP camera MIPC252W 1.0.5 - DoS
CVE-2026-6947    HIGH       7.5    D-Link DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass
CVE-2026-41213   MEDIUM     5.9    @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
CVE-2026-40586   HIGH       7.5    blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection
CVE-2026-41037   HIGH       8.8    Missing Rate Limiting Vulnerability in Quantum Networks Router QN-I-470