CWE-307 · Improper Restriction of Excessive Authentication Attempts

593 CVEs are classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts): the application lets an attacker submit an unbounded number of login, OTP or verification-code guesses without rate limiting, lockout or back-off, so the credential can be brute-forced online.

Top CVEs for CWE-307
CVE | Severity | Score | Published | Summary
CVE-2026-6853 | Critical | 9.8 | 2026-06-12 | Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App al…
CVE-2026-8760 | Critical | 9.8 | 2026-05-27 | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for…
CVE-2020-37228 | Critical | 9.8 | 2026-05-16 | iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLo…
CVE-2026-33879 | Critical | 9.8 | 2026-03-27 | Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across he…
CVE-2026-33640 | Critical | 9.8 | 2026-03-26 | Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider…
CVE-2026-31851 | Critical | 9.8 | 2026-03-23 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. A…
CVE-2025-69246 | Critical | 9.8 | 2026-03-16 | Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering l…
CVE-2026-24436 | Critical | 9.8 | 2026-01-26 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication end…
CVE-2025-64310 | Critical | 9.8 | 2025-11-21 | EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password m…
CVE-2025-63807 | Critical | 9.8 | 2025-11-20 | An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code g…
CVE-2025-64102 | Critical | 9.8 | 2025-10-29 | Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP…
CVE-2025-56221 | Critical | 9.8 | 2025-10-17 | A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.
CVE-2025-8679 | Critical | 9.8 | 2025-10-01 | In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials…
CVE-2025-1740 | Critical | 9.8 | 2025-09-03 | Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brut…
CVE-2025-7393 | Critical | 9.8 | 2025-07-21 | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force. This issue affects Mail Login: from 3.0.0 befor…
CVE-2024-9342 | Critical | 9.8 | 2025-07-16 | In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts…
CVE-2025-43863 | Critical | 9.8 | 2025-06-12 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If…
CVE-2025-3709 | Critical | 9.8 | 2025-05-02 | Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perf…
CVE-2025-25595 | Critical | 9.8 | 2025-03-18 | A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack.
CVE-2024-46442 | Critical | 9.8 | 2024-12-10 | An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a brute-force attack.
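The recurring pattern in the entries above (Nebula 300+, Tenda W30E, Raytha, Zitadel, Outline) is a verification endpoint that checks every guess and never counts failures, so a short numeric OTP falls to an online brute force. The following is an added example written for this page, not code from any listed vendor or from the CWE entry: it simulates an attacker enumerating a 4-digit one-time code against a verifier with no attempt limit and against one that keeps a per-account failure counter and refuses further checks after a threshold. The OTP length, the threshold of 5 and the secret code are assumptions chosen so the demonstration runs quickly.

```python
"""CWE-307 demonstration: unbounded OTP guessing versus per-account lockout.

Added example; assumptions: 4-digit codes, a lockout threshold of 5,
and the constructed secret "7381". Not taken from any product on the page.
"""
import hmac

OTP_DIGITS = 4      # assumption: short code so the full keyspace is enumerated fast
MAX_ATTEMPTS = 5    # assumption: failures allowed before the account is locked


class UnprotectedVerifier:
    """The CWE-307 shape: every submitted guess is compared, nothing is counted."""

    def __init__(self, codes):
        self._codes = dict(codes)  # account -> current one-time code

    def verify(self, account, guess):
        expected = self._codes.get(account)
        return expected is not None and hmac.compare_digest(expected, guess)


class LockingVerifier:
    """Hardened shape: server-side failure counter keyed on the account.

    The counter is keyed on the account under attack, not on anything the
    client supplies (IP, session, form field), so a client cannot reset it.
    """

    def __init__(self, codes, max_attempts=MAX_ATTEMPTS):
        self._codes = dict(codes)
        self._failures = {}  # account -> consecutive failed guesses
        self._max = max_attempts

    def is_locked(self, account):
        return self._failures.get(account, 0) >= self._max

    def verify(self, account, guess):
        if self.is_locked(account):
            return False  # refuse before comparing: even the right code fails now
        expected = self._codes.get(account)
        ok = expected is not None and hmac.compare_digest(expected, guess)
        if ok:
            self._failures.pop(account, None)
            self._codes.pop(account)  # one-time code: invalidate on first success
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return ok


def brute_force(verifier, account, digits=OTP_DIGITS):
    """Online attacker: submit every code in order.

    Returns (code_that_worked, attempts_sent); the attacker has no way to
    tell a locked account from a wrong guess, so it sends the whole keyspace.
    """
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        if verifier.verify(account, f"{n:0{digits}d}"):
            return f"{n:0{digits}d}", attempts
    return None, attempts


def demo():
    """Run the same attack against both verifiers for the constructed secret."""
    secret = "7381"  # constructed sample, not a real code
    weak = UnprotectedVerifier({"alice": secret})
    strong = LockingVerifier({"alice": secret})
    weak_result = brute_force(weak, "alice")      # ("7381", 7382)
    strong_result = brute_force(strong, "alice")  # (None, 10000)
    return weak_result, strong_result, strong.is_locked("alice")


if __name__ == "__main__":
    print(demo())
```

Against the unprotected verifier the attacker recovers the code after a few thousand requests, which is exactly what a "no rate limiting or account lockout on authentication interfaces" finding means in practice. A plain lockout counter stops that, but two caveats belong with it: the counter must live server-side and be keyed on the account being attacked (the Agentflow entry in the table is an account-lockout bypass, not a missing lockout), and an attacker who can trigger the lock can deny service to the legitimate user, so production systems usually pair the counter with a time-based unlock or exponential back-off and also apply a per-source rate limit.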