CWE-307: Improper Restriction of Excessive Authentication Attempts — known CVE vulnerabilities
CVEs classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-6853 — CVSS 9.8 (critical): Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co…
CVE-2026-8760 — CVSS 9.8 (critical): The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an…
CVE-2020-37228 — CVSS 9.8 (critical): iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by…
CVE-2026-33879 — CVSS 9.8 (critical): Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging…
CVE-2026-33640 — CVSS 9.8 (critical): Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with…
CVE-2026-31851 — CVSS 9.8 (critical): Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on…
CVE-2025-69246 — CVSS 9.8 (critical): Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests…
CVE-2026-24436 — CVSS 9.8 (critical): Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms…
CVE-2025-64310 — CVSS 9.8 (critical): EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An…
CVE-2025-63807 — CVSS 9.8 (critical): An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak…
CVE-2025-64102 — CVSS 9.8 (critical): Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force…
CVE-2025-56221 — CVSS 9.8 (critical): A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.
CVE-2025-8679 — CVSS 9.8 (critical): In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain…
CVE-2025-1740 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password…
CVE-2025-7393 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail…
CVE-2024-9342 — CVSS 9.8 (critical): In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of…
CVE-2025-43863 — CVSS 9.8 (critical): vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and…
CVE-2025-3709 — CVSS 9.8 (critical): Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this…
CVE-2025-25595 — CVSS 9.8 (critical): A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack.
CVE-2024-46442 — CVSS 9.8 (critical): An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.
CVE-2024-51558 — CVSS 9.8 (critical): This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login…
CVE-2024-47656 — CVSS 9.8 (critical): This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A…
CVE-2024-41276 — CVSS 9.8 (critical): A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application…
CVE-2024-47088 — CVSS 9.8 (critical): This vulnerability exists in Apex Softcell LD Geo due to missing restrictions for excessive failed authentication attempts on its API based…
CVE-2024-45790 — CVSS 9.8 (critical): This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing restrictions for excessive failed authentication attempts on its…
CVE-2024-43042 — CVSS 9.8 (critical): Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.
CVE-2024-42466 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows…
CVE-2024-42465 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows…
CVE-2024-21652 — CVSS 9.8 (critical): Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can…
CVE-2024-2051 — CVSS 9.8 (critical): CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized…
CVE-2023-33759 — CVSS 9.8 (critical): SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass…
CVE-2023-6928 — CVSS 9.8 (critical): EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password…
CVE-2023-6272 — CVSS 9.8 (critical): The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force…
CVE-2023-49443 — CVSS 9.8 (critical): DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows…
CVE-2023-35039 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for…
CVE-2023-24051 — CVSS 9.8 (critical): A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute…
CVE-2023-48028 — CVSS 9.8 (critical): kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify…
CVE-2023-2675 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 2023.Q1.1223.
CVE-2023-42769 — CVSS 9.8 (critical): The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid…
CVE-2023-37635 — CVSS 9.8 (critical): UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the…
CVE-2023-27152 — CVSS 9.8 (critical): DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass…
CVE-2023-40834 — CVSS 9.8 (critical): OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing…