CWE-620

Unverified Password Change

Parent: CWE-1390 - Weak Authentication

When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.

82 vulnerabilities with CWE-620
CVE-2026-5386 CRITICAL
KMW KM-IP521 - KMW CCTV Security Cameras Unverified Password Change
CVSS 9.1
CVE-2026-9249 LOW
Devolutions Server - Unverified Password Change
CVSS 3.1
CVE-2026-8327 MEDIUM
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.
CVSS 4.3
CVE-2026-42084 HIGH
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
CVSS 8.1
CVE-2026-40588 HIGH
blueprintUE: Authenticated Password Change Does Not Verify Current Password
CVSS 8.1
CVE-2026-30458 CRITICAL
FuelCMS 1.5.2 - Unauthenticated Account Takeover via Password Reset Token Exfiltration
CVSS 9.1
CVE-2026-27757 HIGH
SODOLA SL902-SWTGW124AS <200.1.20 - Auth Bypass
CVSS 7.1
CVE-2026-24443 HIGH
EventSentry <6.0.1.20 - Auth Bypass
CVSS 8.8
CVE-2026-2543 LOW
vichan-devel vichan <5.1.5 - Auth Bypass
CVSS 2.7
CVE-2026-24440 HIGH
Shenzhen Tenda W30E V2 - Info Disclosure
CVSS 8.8
CVE-2025-70082 CRITICAL
Lantronix EDS3000PS 3.1.0.0R2 - Code Injection
CVSS 9.8
CVE-2025-67041 CRITICAL
Lantronix EDS3000PS 3.1.0.0R2 - Command Injection
CVSS 9.8
CVE-2025-14751 HIGH
Product - Privilege Escalation
CVE-2025-11235 LOW
Progress MOVEit Transfer <2023.1.3-2022.0.10 - Unverified Password ...
CVSS 3.7
CVE-2025-13148 HIGH
IBM Aspera Orchestrator <4.1.0 - Privilege Escalation
CVSS 8.1
CVE-2025-67719 HIGH
Ibexa <5.0.3 - Privilege Escalation
CVE-2025-59808 MEDIUM
Fortinet FortiSOAR <7.6.2 - Info Disclosure
CVSS 6.8
CVE-2025-63362 CRITICAL
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gatewa...
CVSS 9.8
CVE-2025-61132 HIGH
levlaz braindump <0.4.14 - Host Header Injection
CVSS 7.1
CVE-2025-62425 HIGH
matrix-authentication-service 0.20.0-1.4.0 - Authenticated Unverified Password Change
CVSS 8.3
CVE-2025-61536 HIGH
FelixRiddle dev-jobs-handlebars 1.0 - Info Disclosure
CVSS 8.2
CVE-2025-22381 HIGH
Aggie 2.6.1 - Unauthenticated Password Reset via Host Header Injection
CVSS 8.2
CVE-2025-9286 CRITICAL
Appy Pie Connect <1.1.2 - Privilege Escalation
CVSS 9.8
CVE-2025-10159 CRITICAL
Sophos AP6 Series Wireless Access Points < 1.7.2563 (MR7) - Authentication Bypass
CVSS 9.8
CVE-2025-46389 MEDIUM
Emby/MediaBrowser >=4.9.0.35 - Unverified Password Change
CVSS 6.5