Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.
On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases.
Mercku M6a devices through 2.1.0 allow password changes via intranet CSRF attacks.
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attac
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful p
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration an
Mercku M6a devices through 2.1.0 allow root TELNET logins via the web admin password.
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in ses
The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and
The Media Server’s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens.
The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.
Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic k
CVE-2026-28787
CRITICAL CVSS 9.0
Find Similar
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead,
Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimesta
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic
Page 1+ Next →