CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 32 of 49
- CVE-2025-12049CRITICALCVSS 9.8EG 9.82025-12-22
Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 All Verisons allows a attacker may access to the web interface of the affected product without authentication and change settings or p…
- CVE-2025-12108CRITICALCVSS 9.3EG 9.32025-11-04
The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.
- CVE-2025-12348MEDIUMCVSS 5.3EG 5.32025-12-12
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a use…
- CVE-2025-12349MEDIUMCVSS 5.3EG 5.32025-11-19
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is aut…
- CVE-2025-12386MEDIUMCVSS 6.9EG 6.92026-01-27
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point. The vendor was noti…
- CVE-2025-12436MEDIUMCVSS 5.9EG 5.92025-11-10
Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (…
- CVE-2025-12444MEDIUMCVSS 4.2EG 4.22025-11-10
Incorrect security UI in Fullscreen UI in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Lo…
- CVE-2025-12447MEDIUMCVSS 4.2EG 4.22025-11-10
Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severit…
- CVE-2025-12476CRITICALCVSS 9.8EG 9.82025-10-29
Resource Lacking AuthN.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2025-12477CRITICALCVSS 9.8EG 9.82025-10-29
Server Version Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2025-12548CRITICALCVSS 9.0EG 9.02026-01-13
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauth…
- CVE-2025-1272HIGHCVSS 7.7EG 7.72026-02-18
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappin…
- CVE-2025-1283CRITICALCVSS 9.8EG 9.82025-02-13
The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.
- CVE-2025-12941MEDIUMCVSS 5.7EG 5.72025-12-09
Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users reboot the router.
- CVE-2025-12969MEDIUMCVSS 6.5EG 6.52025-11-24
Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forwa…
- CVE-2025-13030HIGHCVSS 7.1EG 7.12026-04-30
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks …
- CVE-2025-1315CRITICALCVSS 9.8EG 9.82025-03-07
The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password…
- CVE-2025-13483HIGHCVSS 8.8EG 8.82025-11-25
SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application.
- CVE-2025-13510CRITICALCVSS 9.3EG 9.32025-12-02
The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.
- CVE-2025-13607CRITICALCVSS 9.4EG 9.42025-12-10
A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.
- CVE-2025-13778MEDIUMCVSS 6.5EG 6.52026-03-13
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120.This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1.
- CVE-2025-13779HIGHCVSS 8.3EG 8.32026-03-13
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120.This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1.
- CVE-2025-13870LOWCVSS 3.1EG 3.12025-12-02
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to …
- CVE-2025-14038HIGHCVSS 7.0EG 7.02025-12-15
EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malforme…
- CVE-2025-14058LOWCVSS 3.2EG 3.22026-01-14
A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access…
- CVE-2025-14294MEDIUMCVSS 5.3EG 5.32026-02-19
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAut…
- CVE-2025-14300HIGHCVSS 8.1EG 8.12025-12-20
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss o…
- CVE-2025-14346CRITICALCVSS 9.8EG 9.82026-01-05
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulat…
- CVE-2025-14349HIGHCVSS 8.8EG 8.82026-02-13
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue …
- CVE-2025-14567MEDIUMCVSS 5.3EG 5.32025-12-12
A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It …
- CVE-2025-1495MEDIUMCVSS 4.3EG 4.32025-05-03
IBM Business Automation Workflow 24.0.0 and 24.0.1 through 24.0.1 IF001 Center may leak sensitive information due to missing authorization validation.
- CVE-2025-15026CRITICALCVSS 9.8EG 9.82026-01-05
Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 …
- CVE-2025-15346CRITICALCVSS 9.3EG 9.32026-01-08
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not incl…
- CVE-2025-15515MEDIUMCVSS 5.5EG 5.52026-03-13
The authentication mechanism for a specific feature in the EasyShare module contains a vulnerability. If specific conditions are met on a local network, it can cause data leakage
- CVE-2025-15620HIGHCVSS 8.6EG 8.62026-04-02
HiOS Switch Platform versions 09.1.00 through 09.4.04 and 10.0.00 through 10.3.00 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET req…
- CVE-2025-1701HIGHCVSS 8.9EG 8.92025-06-04
CVE-2025-1701 is a high-severity vulnerability in the MIM Admin service. An attacker could exploit this vulnerability by sending a specially crafted request over the RMI interface to execute arbitrary code with the privileges of the MIM Ad…
- CVE-2025-1717HIGHCVSS 8.1EG 8.12025-02-27
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This m…
- CVE-2025-1754MEDIUMCVSS 5.3EG 5.32025-06-26
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by send…
- CVE-2025-1907CRITICALCVSS 9.8EG 9.82025-05-30
Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.
- CVE-2025-20085HIGHCVSS 7.2EG 7.22025-12-01
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented…
- CVE-2025-20210HIGHCVSS 7.3EG 7.32025-05-07
A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. This vulnerability is due to the la…
- CVE-2025-20358CRITICALCVSS 9.4EG 9.42025-11-05
A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and ex…
- CVE-2025-20700HIGHCVSS 8.8EG 8.82025-08-04
In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access critical data of RACE protocol through Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution pr…
- CVE-2025-20702HIGHCVSS 8.8EG 8.82025-08-04
In the Airoha Bluetooth audio SDK, there is a possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitat…
- CVE-2025-21198CRITICALCVSS 9.0EG 9.02025-02-11
Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
- CVE-2025-21355HIGHCVSS 8.6EG 8.62025-02-19
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network
- CVE-2025-21515HIGHCVSS 8.8EG 8.82025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2025-21524CRITICALCVSS 9.8EG 9.82025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticat…
- CVE-2025-21535CRITICALCVSS 9.8EG 9.82025-01-21
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2025-21559MEDIUMCVSS 5.5EG 5.52025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attack…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →