CWE-307— Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.— MITRE CWE catalog
573 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-307page 11 of 12
- CVE-2025-7882LOWCVSS 3.1EG 3.12025-07-20
A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive au…
- CVE-2025-8118MEDIUMCVSS 6.5EG 6.52025-09-30
PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass th…
- CVE-2025-8679CRITICALCVSS 9.8EG 9.82025-10-01
In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an…
- CVE-2025-8742LOWCVSS 3.7EG 3.72025-08-08
A vulnerability was found in macrozheng mall 1.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Admin Login. The manipulation leads to improper restriction of excessive authentica…
- CVE-2025-8927LOWCVSS 3.7EG 3.72025-08-13
A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improp…
- CVE-2025-9004CRITICALCVSS 9.1EG 3.72025-08-15
A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiat…
- CVE-2025-9551MEDIUMCVSS 6.5EG 6.52025-10-10
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.X-1.0 before 7.X-2.5.
- CVE-2026-0972MEDIUMCVSS 5.4EG 7.32026-04-21
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.
- CVE-2026-10216LOWCVSS 3.7EG 3.72026-06-01
A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of exc…
- CVE-2026-11779MEDIUMCVSS 5.3EG 5.32026-06-26
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
- CVE-2026-1409LOWCVSS 2.0EG 2.02026-01-26
A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication …
- CVE-2026-15079NONECVSS 0.0EG 0.02026-07-10
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.
- CVE-2026-1685LOWCVSS 3.7EG 3.72026-01-30
A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be pe…
- CVE-2026-1816MEDIUMCVSS 6.3EG 6.32026-05-21
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13.
- CVE-2026-20882HIGHCVSS 7.5EG 7.52026-03-06
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate …
- CVE-2026-2110LOWCVSS 3.7EG 3.72026-02-07
A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper rest…
- CVE-2026-22278HIGHCVSS 8.1EG 8.12026-01-22
Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to U…
- CVE-2026-22603MEDIUMCVSS 6.5EG 6.52026-01-10
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that ap…
- CVE-2026-22616MEDIUMCVSS 6.5EG 6.52026-04-16
Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eat…
- CVE-2026-2402MEDIUMCVSS 5.3EG 5.32026-04-14
CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials …
- CVE-2026-24436CRITICALCVSS 9.8EG 9.82026-01-26
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts again…
- CVE-2026-24696HIGHCVSS 7.5EG 7.52026-03-06
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate …
- CVE-2026-25577HIGHCVSS 7.5EG 7.52026-02-10
Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauth…
- CVE-2026-26206MEDIUMCVSS 6.5EG 6.52026-04-29
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by se…
- CVE-2026-26227LOWCVSS 3.7EG 3.72026-02-26
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-d…
- CVE-2026-27753MEDIUMCVSS 6.5EG 6.52026-02-27
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online passw…
- CVE-2026-27778HIGHCVSS 7.5EG 7.52026-03-06
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate …
- CVE-2026-31851CRITICALCVSS 9.8EG 9.82026-03-23
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that …
- CVE-2026-31903HIGHCVSS 7.5EG 7.52026-03-20
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate …
- CVE-2026-31904HIGHCVSS 7.5EG 7.52026-03-20
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimat…
- CVE-2026-32025HIGHCVSS 7.5EG 7.52026-03-19
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into o…
- CVE-2026-32292HIGHCVSS 7.5EG 7.52026-03-17
The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.
- CVE-2026-32295HIGHCVSS 7.5EG 7.52026-03-17
JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
- CVE-2026-3329HIGHCVSS 8.7EG 8.72026-06-11
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.
- CVE-2026-33419HIGHCVSS 7.5EG 7.52026-03-24
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined we…
- CVE-2026-33580MEDIUMCVSS 6.5EG 6.52026-03-31
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this t…
- CVE-2026-33667HIGHCVSS 7.4EG 7.42026-04-15
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tr…
- CVE-2026-34505MEDIUMCVSS 6.5EG 6.52026-03-31
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secr…
- CVE-2026-35098MEDIUMCVSS 6.9EG 6.92026-06-30
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user ac…
- CVE-2026-35597MEDIUMCVSS 5.9EG 5.92026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/…
- CVE-2026-35623MEDIUMCVSS 4.8EG 4.82026-04-09
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password gu…
- CVE-2026-35628MEDIUMCVSS 4.8EG 4.82026-04-09
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without thrott…
- CVE-2026-35646MEDIUMCVSS 4.8EG 4.82026-04-09
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are reje…
- CVE-2026-35675HIGHCVSS 8.2EG 8.22026-05-20
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can e…
- CVE-2026-35902MEDIUMCVSS 6.2EG 6.22026-04-27
The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can caus…
- CVE-2026-36607HIGHCVSS 8.8EG 8.82026-06-03
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker o…
- CVE-2026-36612MEDIUMCVSS 6.4EG 6.42026-06-03
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
- CVE-2026-36959HIGHCVSS 7.5EG 7.52026-04-30
U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks …
- CVE-2026-40485MEDIUMCVSS 5.3EG 5.32026-04-18
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent u…
- CVE-2026-40586HIGHCVSS 7.5EG 7.52026-04-21
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-ac…
Map vulnerabilities like CWE-307 to your infrastructure
EchelonGraph correlates every CVE — across CWE-307 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →