CVEs classified under CWE-304, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2024-8954 — CVSS 9.8 (critical): In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This…
CVE-2024-2172 — CVSS 9.8 (critical): The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege…
CVE-2024-45764 — CVSS 9.0 (critical): Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated…
CVE-2026-42452 — CVSS 8.1 (high): Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0…
CVE-2025-24322 — CVSS 8.1 (high): An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A…
CVE-2024-9216 — CVSS 8.1 (high): An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete…
CVE-2024-11302 — CVSS 8.0 (high): A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to…
CVE-2024-20153 — CVSS 7.5 (high): In wlan STA, there is a possible way to trick a client to connect to an AP with spoofed SSID. This could lead to remote information…
CVE-2022-2821 — CVSS 7.5 (high): Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.
CVE-2023-52424 — CVSS 7.4 (high): The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home…
CVE-2026-55957 — CVSS 7.3 (high): Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI…
CVE-2026-57915 — CVSS 7.3 (high): It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported…
CVE-2026-40542 — CVSS 7.3 (high): Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256…
CVE-2024-52965 — CVSS 7.2 (high): A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5…
CVE-2024-12136 — CVSS 6.9 (medium): Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass. This issue…
CVE-2025-43798 — CVSS 6.5 (medium): Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time…
CVE-2023-3628 — CVSS 6.5 (medium): A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could…
CVE-2021-41179 — CVSS 6.5 (medium): Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the…
CVE-2025-43014 — CVSS 6.1 (medium): In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation
CVE-2023-3629 — CVSS 4.3 (medium): A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the…