CWE-307— Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.— MITRE CWE catalog
573 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-307page 12 of 12
- CVE-2026-41037HIGHCVSS 8.8EG 8.82026-04-21
This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by p…
- CVE-2026-41213MEDIUMCVSS 5.9EG 5.92026-04-23
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers ar…
- CVE-2026-41893HIGHCVSS 7.5EG 7.52026-05-09
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10…
- CVE-2026-42952HIGHCVSS 7.5EG 7.52026-07-10
Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.
- CVE-2026-43914HIGHCVSS 7.3EG 7.32026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the un…
- CVE-2026-43926MEDIUMCVSS 6.3EG 6.32026-06-04
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSB…
- CVE-2026-44195MEDIUMCVSS 5.3EG 5.32026-05-13
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By i…
- CVE-2026-45010CRITICALCVSS 9.1EG 9.12026-05-15
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated at…
- CVE-2026-45364HIGHCVSS 7.3EG 7.32026-05-15
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configur…
- CVE-2026-47203LOWCVSS 2.9EG 2.92026-05-29
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth…
- CVE-2026-47380MEDIUMCVSS 6.3EG 6.32026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash compariso…
- CVE-2026-49324MEDIUMCVSS 4.6EG 4.62026-05-29
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize t…
- CVE-2026-50176HIGHCVSS 7.5EG 7.52026-06-25
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthoriz…
- CVE-2026-53904HIGHCVSS 7.1EG 7.12026-07-01
MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, p…
- CVE-2026-55501HIGHCVSS 7.3EG 7.32026-07-06
9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route…
- CVE-2026-56234MEDIUMCVSS 5.3EG 5.32026-06-23
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-p…
- CVE-2026-56450MEDIUMCVSS 5.1EG 5.12026-06-22
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an…
- CVE-2026-6853CRITICALCVSS 9.8EG 9.82026-06-12
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 …
- CVE-2026-6947HIGHCVSS 7.5EG 7.52026-04-24
DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the de…
- CVE-2026-7255MEDIUMCVSS 6.5EG 6.52026-05-12
** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to …
- CVE-2026-7671LOWCVSS 3.7EG 3.72026-05-03
A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attem…
- CVE-2026-7820MEDIUMCVSS 6.5EG 6.52026-05-11
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically…
- CVE-2026-8760CRITICALCVSS 9.8EG 9.82026-05-27
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was …
Map vulnerabilities like CWE-307 to your infrastructure
EchelonGraph correlates every CVE — across CWE-307 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →