Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthentica
The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, incl
The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle.
An unauthenticated remote attacker may use the devices traffic capture without authentication to grab plaintext administrative credentials.
CVE-2018-25140
CRITICAL CVSS 9.3
Find Similar
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. A
A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI.
A vulnerability in the web-based management interface of Cisco Unified Intelligent Contact Management Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS)
An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.
An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
The YoSmart YoLink Smart Hub firmware 0382 is unencrypted, and data extracted from it can be used to determine network access credentials.
CVE-2025-13658
CRITICAL CVSS 9.3
Find Similar
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation
CVE-2025-3499
CRITICAL CVSS 10.0
Find Similar
The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbit
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to th
An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.
CVE-2025-43983
CRITICAL CVSS 9.1
Find Similar
KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthe
CVE-2025-36752
CRITICAL CVSS 9.4
Find Similar
Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access th
The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, l
Cross Site Scripting vulnerability in InformationPush master version allows a remote attacker to obtain sensitive information via the title, time and msg parameters
Credentials to access device configuration information stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuratio
Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.
Page 1+ Next →