Skip to main content

CWE-307

Improper Restriction of Excessive Authentication Attempts

475 CVEs Avg CVSS 7.6 MITRE
157
CRITICAL
149
HIGH
144
MEDIUM
25
LOW
114
POC
0
KEV

Monthly

CVE-2026-61458 HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-42952 HIGH CISA Act Now

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but it was reported through ICS-CERT and documented in CISA ICS advisory ICSA-26-188-01.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-11915 PHP MEDIUM This Month

vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.

Information Disclosure Brute Force Attack Protection
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-15079 PHP MEDIUM PATCH This Month

Brute-force credential attacks against Drupal sites running the Login Disable contrib module (versions 0.0.0 through 2.1.4) are enabled by the module's failure to restrict excessive authentication attempts (CWE-307). The module, intended to provide administrators with login-gating controls, paradoxically omits rate-limiting enforcement, allowing a low-privileged attacker to enumerate or compromise user credentials via automated requests. EPSS is low (0.21%, 12th percentile) and no active exploitation is confirmed in CISA KEV, but the network-accessible attack vector and low complexity keep this relevant for sites where the module is deployed.

Information Disclosure Login Disable
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-53904 MEDIUM This Month

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.

Denial Of Service Mco
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-35098 MEDIUM PATCH This Month

Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.

Information Disclosure E Bok
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-11779 MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-50176 HIGH CISA Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56234 MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56450 MEDIUM PATCH This Month

Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. No public exploit code or CISA KEV listing exists at time of analysis, but the prerequisite of a valid password - obtainable via phishing or credential dumps - makes this a realistic threat against any AIL deployment where 2FA is meant to serve as a meaningful access boundary.

Authentication Bypass Ail Framework
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
EPSS 0% CVSS 8.7
HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but it was reported through ICS-CERT and documented in CISA ICS advisory ICSA-26-188-01.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.

Information Disclosure Brute Force Attack Protection
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Brute-force credential attacks against Drupal sites running the Login Disable contrib module (versions 0.0.0 through 2.1.4) are enabled by the module's failure to restrict excessive authentication attempts (CWE-307). The module, intended to provide administrators with login-gating controls, paradoxically omits rate-limiting enforcement, allowing a low-privileged attacker to enumerate or compromise user credentials via automated requests. EPSS is low (0.21%, 12th percentile) and no active exploitation is confirmed in CISA KEV, but the network-accessible attack vector and low complexity keep this relevant for sites where the module is deployed.

Information Disclosure Login Disable
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.

Denial Of Service Mco
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.

Information Disclosure E Bok
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. No public exploit code or CISA KEV listing exists at time of analysis, but the prerequisite of a valid password - obtainable via phishing or credential dumps - makes this a realistic threat against any AIL deployment where 2FA is meant to serve as a meaningful access boundary.

Authentication Bypass Ail Framework
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy