CWE-307: Improper Restriction of Excessive Authentication Attempts
539 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-307 (page 11 of 11)
- CVE-2025-9551: MEDIUM, CVSS 6.5, EG 6.5, 2025-10-10
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force. This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.X-1.0 before 7.X-2.5.
- CVE-2026-0972: MEDIUM, CVSS 5.4, EG 7.3, 2026-04-21
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.
- CVE-2026-10216: LOW, CVSS 3.7, EG 3.7, 2026-06-01
A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of exc…
- CVE-2026-1409: LOW, CVSS 2.0, EG 2.0, 2026-01-26
A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication …
- CVE-2026-1685: LOW, CVSS 3.7, EG 3.7, 2026-01-30
A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be pe…
- CVE-2026-1816: MEDIUM, CVSS 6.3, EG 6.3, 2026-05-21
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13.
- CVE-2026-2110: LOW, CVSS 3.7, EG 3.7, 2026-02-07
A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper rest…
- CVE-2026-22278: HIGH, CVSS 8.1, EG 8.1, 2026-01-22
Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to U…
- CVE-2026-22603: MEDIUM, CVSS 6.5, EG 6.5, 2026-01-10
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that ap…
- CVE-2026-22616: MEDIUM, CVSS 6.5, EG 6.5, 2026-04-16
Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eat…
- CVE-2026-2402: MEDIUM, CVSS 5.3, EG 5.3, 2026-04-14
CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials …
- CVE-2026-24436: CRITICAL, CVSS 9.8, EG 9.8, 2026-01-26
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts again…
- CVE-2026-25577: HIGH, CVSS 7.5, EG 7.5, 2026-02-10
Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauth…
- CVE-2026-26206: MEDIUM, CVSS 6.5, EG 6.5, 2026-04-29
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by se…
- CVE-2026-27753: MEDIUM, CVSS 6.5, EG 6.5, 2026-02-27
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online passw…
- CVE-2026-33667: HIGH, CVSS 7.4, EG 7.4, 2026-04-15
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tr…
- CVE-2026-35597: MEDIUM, CVSS 5.9, EG 5.9, 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/…
- CVE-2026-35623: MEDIUM, CVSS 4.8, EG 4.8, 2026-04-09
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password gu…
- CVE-2026-35628: MEDIUM, CVSS 4.8, EG 4.8, 2026-04-09
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without thrott…
- CVE-2026-35646: MEDIUM, CVSS 4.8, EG 4.8, 2026-04-09
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are reje…
- CVE-2026-35675: HIGH, CVSS 8.2, EG 8.2, 2026-05-20
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can e…
- CVE-2026-35902: MEDIUM, CVSS 6.2, EG 6.2, 2026-04-27
The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can caus…
- CVE-2026-36607: HIGH, CVSS 8.8, EG 0.0, 2026-06-03
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker o…
- CVE-2026-36959: HIGH, CVSS 7.5, EG 7.5, 2026-04-30
U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks …
- CVE-2026-40485: MEDIUM, CVSS 5.3, EG 5.3, 2026-04-18
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent u…
- CVE-2026-40586: HIGH, CVSS 7.5, EG 7.5, 2026-04-21
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-ac…
- CVE-2026-41037: HIGH, CVSS 8.8, EG 8.8, 2026-04-21
This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by p…
- CVE-2026-41213: MEDIUM, CVSS 5.9, EG 5.9, 2026-04-23
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers ar…
- CVE-2026-41893: HIGH, CVSS 7.5, EG 7.5, 2026-05-09
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10…
- CVE-2026-43914: HIGH, CVSS 7.3, EG 7.3, 2026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the un…
- CVE-2026-44195: MEDIUM, CVSS 5.3, EG 5.3, 2026-05-13
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By i…
- CVE-2026-45010: CRITICAL, CVSS 9.1, EG 9.1, 2026-05-15
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated at…
- CVE-2026-45364: HIGH, CVSS 7.3, EG 7.3, 2026-05-15
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configur…
- CVE-2026-49324: MEDIUM, CVSS 4.6, EG 4.6, 2026-05-29
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize t…
- CVE-2026-6947: HIGH, CVSS 7.5, EG 7.5, 2026-04-24
DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the de…
- CVE-2026-7255: MEDIUM, CVSS 6.5, EG 6.5, 2026-05-12
** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to …
- CVE-2026-7671: LOW, CVSS 3.7, EG 3.7, 2026-05-03
A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attem…
- CVE-2026-7820: MEDIUM, CVSS 6.5, EG 6.5, 2026-05-11
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically…
- CVE-2026-8760: CRITICAL, CVSS 9.8, EG 9.8, 2026-05-27
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was …