CVEs classified under CWE-697, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-54336 — CVSS 9.8 (critical): In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string…
CVE-2024-24621 — CVSS 9.8 (critical): Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers…
CVE-2023-32571 — CVSS 9.8 (critical): Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods…
CVE-2022-47034 — CVSS 9.8 (critical): A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication.
CVE-2021-44971 — CVSS 9.8 (critical): Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0 Firmware…
CVE-2021-3833 — CVSS 9.8 (critical): Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user and the MD5 hash…
CVE-2021-35973 — CVSS 9.8 (critical): NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/mini_httpd, allowing an…
CVE-2020-23360 — CVSS 9.8 (critical): oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the…
CVE-2020-23359 — CVSS 9.8 (critical): WeBid 1.2.2 admin/newuser.php has an issue with password rechecking during registration because it uses a loose comparison to check the…
CVE-2025-48952 — CVSS 9.4 (critical): NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows…
CVE-2023-45133 — CVSS 9.3 (critical): Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of…
CVE-2024-34340 — CVSS 9.1 (critical): Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when…
CVE-2020-13485 — CVSS 9.1 (critical): The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2022-43621 — CVSS 8.8 (high): This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers…
CVE-2022-27645 — CVSS 8.8 (high): This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers…
CVE-2021-34865 — CVSS 8.8 (high): This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers…
CVE-2020-8864 — CVSS 8.8 (high): This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and…
CVE-2025-20343 — CVSS 8.6 (high): A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE)…
CVE-2021-32779 — CVSS 8.6 (high): Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy…
CVE-2020-11072 — CVSS 8.6 (high): In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT…
CVE-2020-11071 — CVSS 8.6 (high): SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for…
CVE-2026-34210 — CVSS 8.1 (high): mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check…
CVE-2025-3102 — CVSS 8.1 (high): The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative…
CVE-2024-41657 — CVSS 8.1 (high): Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic…
CVE-2024-39742 — CVSS 8.1 (high): IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 could allow a user to bypass authentication under certain configurations due to a partial…
CVE-2024-2223 — CVSS 8.1 (high): An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request…
CVE-2021-44078 — CVSS 8.1 (high): An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5. It allows local attackers to escape the sandbox. An…
CVE-2022-35962 — CVSS 8.0 (high): Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. In Zulip Mobile through version 27.189, a crafted…
CVE-2023-46009 — CVSS 7.8 (high): gifsicle-1.94 was found to have a floating point exception (FPE) vulnerability via resize_stream at src/xform.c.
CVE-2022-22990 — CVSS 7.8 (high): A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate…
CVE-2020-10027 — CVSS 7.8 (high): An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This…
CVE-2020-10024 — CVSS 7.8 (high): The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code…
CVE-2026-10097 — CVSS 7.5 (high): wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto…
CVE-2024-4032 — CVSS 7.5 (high): The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally…
CVE-2023-40271 — CVSS 7.5 (high): In Trusted Firmware-M through TF-Mv1.8.0, for platforms that integrate the CryptoCell accelerator, when the CryptoCell PSA Driver software…
CVE-2023-41936 — CVSS 7.5 (high): Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected…
CVE-2023-41935 — CVSS 7.5 (high): Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when…
CVE-2023-27579 — CVSS 7.5 (high): TensorFlow is an end-to-end open source platform for machine learning. Constructing a tflite model with a paramater `filter_input_channel`…
CVE-2023-25675 — CVSS 7.5 (high): TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount`…
CVE-2023-25673 — CVSS 7.5 (high): TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in…
CVE-2023-25669 — CVSS 7.5 (high): TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not…
CVE-2023-25666 — CVSS 7.5 (high): TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in…
CVE-2022-24787 — CVSS 7.5 (high): Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes…
CVE-2021-41500 — CVSS 7.5 (high): Incomplete string comparison vulnerability exits in cvxopt.org cvxop <= 1.2.6 in APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor…
CVE-2020-23478 — CVSS 7.5 (high): Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component…
CVE-2021-27293 — CVSS 7.5 (high): RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when…
CVE-2021-35970 — CVSS 7.5 (high): Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because…