CWE-307 · Improper Restriction of Excessive Authentication Attempts
593 CVEs classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts).
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-6853 | Critical | 9.8 | 2026-06-12 | Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App al… |
| CVE-2026-8760 | Critical | 9.8 | 2026-05-27 | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for… |
| CVE-2020-37228 | Critical | 9.8 | 2026-05-16 | iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLo… |
| CVE-2026-33879 | Critical | 9.8 | 2026-03-27 | Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across he… |
| CVE-2026-33640 | Critical | 9.8 | 2026-03-26 | Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider… |
| CVE-2026-31851 | Critical | 9.8 | 2026-03-23 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. A… |
| CVE-2025-69246 | Critical | 9.8 | 2026-03-16 | Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering l… |
| CVE-2026-24436 | Critical | 9.8 | 2026-01-26 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication end… |
| CVE-2025-64310 | Critical | 9.8 | 2025-11-21 | EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password m… |
| CVE-2025-63807 | Critical | 9.8 | 2025-11-20 | An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code g… |
| CVE-2025-64102 | Critical | 9.8 | 2025-10-29 | Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP… |
| CVE-2025-56221 | Critical | 9.8 | 2025-10-17 | A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack. |
| CVE-2025-8679 | Critical | 9.8 | 2025-10-01 | In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials… |
| CVE-2025-1740 | Critical | 9.8 | 2025-09-03 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brut… |
| CVE-2025-7393 | Critical | 9.8 | 2025-07-21 | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force. This issue affects Mail Login: from 3.0.0 befor… |
| CVE-2024-9342 | Critical | 9.8 | 2025-07-16 | In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts… |
| CVE-2025-43863 | Critical | 9.8 | 2025-06-12 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If… |
| CVE-2025-3709 | Critical | 9.8 | 2025-05-02 | Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perf… |
| CVE-2025-25595 | Critical | 9.8 | 2025-03-18 | A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack. |
| CVE-2024-46442 | Critical | 9.8 | 2024-12-10 | An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack. |
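The entries above share one root cause: nothing bounds how many guesses an authentication endpoint will accept, so a short secret such as a 6-digit OTP, or a password drawn from a small list, is recovered by simply asking repeatedly. The example below is added here for illustration and is not code from this listing or from any vendor named in it. It shows a minimal OTP verifier with no limit beside a hardened one that applies two independent limits, a per-account failure counter with lockout and a per-source request rate, and then runs a constructed brute-force and password-spray attempt against each. The account data, the sample code `004217`, and every threshold are assumptions chosen for the demonstration.

```python
"""Added example: CWE-307 in a minimal OTP verifier, vulnerable and hardened.
All accounts, codes and thresholds below are constructed sample values."""
import hmac
from dataclasses import dataclass


@dataclass
class OtpAccount:
    user: str
    otp: str                 # 6-digit code currently valid (sample data)
    used: bool = False       # a one-time code must not verify twice
    failures: int = 0
    locked_until: float = 0.0


def _match(acct: OtpAccount, code: str) -> bool:
    # constant-time compare; a consumed code never matches again
    return not acct.used and hmac.compare_digest(acct.otp.encode(), code.encode())


class VulnerableVerifier:
    """CWE-307: nothing bounds the guesses, so a 6-digit code falls in <= 10**6 requests."""
    def __init__(self, accounts):
        self.accounts = {a.user: a for a in accounts}

    def verify(self, user, code, src, now):
        acct = self.accounts.get(user)
        if acct is not None and _match(acct, code):
            acct.used = True
            return "ok"
        return "denied"


class HardenedVerifier:
    """Per-account lockout (survives an attacker rotating source addresses) plus a
    per-source rate limit (stops one address spraying many accounts). Assumed thresholds."""
    MAX_FAILURES = 5
    LOCK_SECONDS = 300.0
    SOURCE_LIMIT = 20
    SOURCE_WINDOW = 60.0

    def __init__(self, accounts):
        self.accounts = {a.user: a for a in accounts}
        self.source_hits = {}            # src -> timestamps of recent attempts

    def verify(self, user, code, src, now):
        recent = [t for t in self.source_hits.get(src, []) if now - t < self.SOURCE_WINDOW]
        if len(recent) >= self.SOURCE_LIMIT:
            return "throttled"
        recent.append(now)
        self.source_hits[src] = recent
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"              # same answer as a wrong code: no user enumeration
        if now < acct.locked_until:
            return "locked"              # even the right code is refused while locked
        if _match(acct, code):
            acct.used, acct.failures = True, 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked_until, acct.failures = now + self.LOCK_SECONDS, 0
        return "denied"


def brute_force(verifier, user, now, rotate_source=False, max_attempts=10**6):
    """Guess every 6-digit code in order until success or the server stops us.
    rotate_source=True spreads the requests over many addresses, as a real attacker would."""
    for n in range(max_attempts):
        src = f"10.0.{(n >> 8) & 255}.{n & 255}" if rotate_source else "10.0.0.1"
        r = verifier.verify(user, f"{n:06d}", src, now + n * 0.01)
        if r == "ok":
            return "compromised", n + 1
        if r in ("locked", "throttled"):
            return r, n + 1
    return "exhausted", max_attempts


def spray(verifier, users, src, now):
    """One source, one guess per account: the pattern a per-account counter alone misses."""
    counts = {}
    for i, u in enumerate(users):
        r = verifier.verify(u, "123456", src, now + i * 0.5)
        counts[r] = counts.get(r, 0) + 1
    return counts


def demo():
    """Constructed accounts: alice's current code is 004217 (an assumption)."""
    def accounts():
        return [OtpAccount("alice", "004217")] + [OtpAccount(f"user{i}", "999999") for i in range(30)]
    users = [f"user{i}" for i in range(30)]
    return {
        "vulnerable": brute_force(VulnerableVerifier(accounts()), "alice", 0.0),
        "vulnerable_spray": spray(VulnerableVerifier(accounts()), users, "10.0.0.1", 0.0),
        "hardened_rotating_ips": brute_force(HardenedVerifier(accounts()), "alice", 0.0, rotate_source=True),
        "hardened_spray": spray(HardenedVerifier(accounts()), users, "10.0.0.1", 0.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the unlimited verifier the code is recovered on the 4218th request, and all 30 spray attempts are answered normally; against the hardened one the account locks after five failures even though every request came from a fresh address, and the spray from a single source is throttled after the twentieth request. Both limits are needed: a counter keyed only by source address is defeated by rotating addresses, and a counter keyed only by account does nothing against one guess per account across many accounts.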