CVEbaza.plCWE DictionaryCWE-307
Common Weakness Enumeration

CWE-307

Improper Restriction of Excessive Authentication Attempts

Category: BaseCVE: 713
Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

CVE vulnerabilities with CWE-307 (713)
9.8
CVSS
CRITICAL
CVE-2026-6853

Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.

pub. 2026-06-12
9.8
CVSS
CRITICAL
CVE-2026-8760

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

pub. 2026-05-27
9.8
CVSS
CRITICAL
CVE-2025-63807

An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.

pub. 2025-11-20
9.8
CVSS
CRITICAL
CVE-2025-56221

A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.

pub. 2025-10-17
9.8
CVSS
CRITICAL
CVE-2025-1740

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force. This issue affects MyRezzta: from s2.03.01 before v2.05.01.

pub. 2025-09-03
9.8
CVSS
CRITICAL
CVE-2025-7393

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail Login: from 3.0.0 before 3.2.0, from 4.0.0 before 4.2.0.

pub. 2025-07-21
9.8
CVSS
CRITICAL
CVE-2025-3709

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.

pub. 2025-05-02
9.8
CVSS
CRITICAL
CVE-2025-25595

A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack.

pub. 2025-03-18
9.8
CVSS
CRITICAL
CVE-2024-46442

An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

pub. 2024-12-10
9.8
CVSS
CRITICAL
CVE-2024-5716

Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password reset mechanism. The issue results from the lack of restriction of excessive authentication attempts. An attacker can leverage this vulnerability to reset a user's password and bypass authentication on the system. Was ZDI-CAN-24164.

pub. 2024-11-22
9.8
CVSS
CRITICAL
CVE-2024-41276

A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.

pub. 2024-10-01
9.8
CVSS
CRITICAL
CVE-2024-43042

Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.

pub. 2024-08-16
9.8
CVSS
CRITICAL
CVE-2024-39225

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.

pub. 2024-08-06
9.8
CVSS
CRITICAL
CVE-2024-2051

CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form.

pub. 2024-03-18
9.8
CVSS
CRITICAL
CVE-2024-21652

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

pub. 2024-03-18
9.8
CVSS
CRITICAL
CVE-2023-33759

SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.

pub. 2024-01-25
9.8
CVSS
CRITICAL
CVE-2023-6928

EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.

pub. 2023-12-19
9.8
CVSS
CRITICAL
CVE-2023-6272

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.

pub. 2023-12-18
9.8
CVSS
CRITICAL
CVE-2023-49443

DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.

pub. 2023-12-08
9.8
CVSS
CRITICAL
CVE-2023-35039

Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.

pub. 2023-12-07
Showing 20 of 713 vulnerabilities
Information
ID: CWE-307
Type: Base
Vulnerabilities: 713
MITRE CWE ↗
← CWE Dictionary