CWE-620
All CWE-620 CVEs (44)
This critical vulnerability in Cisco Smart Software Manager On-Prem allows unauthenticated remote attackers to change any user's password, including a...
Jul 17, 2024

CVE-2025-1107 is an unverified password change vulnerability in Janto software that allows unauthenticated attackers to change any user's password wit...
Feb 7, 2025

The LevelOne WBR-6012 router's web interface contains an authentication bypass vulnerability that allows attackers to change the administrator passwor...
Oct 30, 2024

This vulnerability allows attackers to set blank administrator credentials on Waveshare serial-to-Ethernet/Wi-Fi gateways, enabling complete authentic...
Dec 4, 2025

This vulnerability allows unauthenticated attackers to reset passwords of any WordPress user, including administrators, through the Appy Pie Connect f...
Oct 3, 2025

An authentication bypass vulnerability in Sophos AP6 Series Wireless Access Points allows remote attackers to gain administrative privileges without v...
Sep 9, 2025

The Sala WordPress theme has an authentication bypass vulnerability that allows unauthenticated attackers to change any user's password, including adm...
Jul 9, 2025

This vulnerability allows unauthenticated attackers to reset passwords for any user account in the DWT - Directory & Listing WordPress Theme, includin...
Jun 27, 2025

The Motors WordPress theme has a critical privilege escalation vulnerability that allows unauthenticated attackers to change any user's password, incl...
May 20, 2025

The Flynax Bridge WordPress plugin has a critical authentication bypass vulnerability that allows unauthenticated attackers to reset any user's passwo...
Apr 24, 2025

This vulnerability allows unauthenticated attackers to reset passwords for any user account in CarSpot WordPress theme, including administrators. Atta...
Feb 18, 2025

The Adifier System WordPress plugin has a critical privilege escalation vulnerability that allows unauthenticated attackers to reset any user's passwo...
Jan 18, 2025

This critical vulnerability in Hangzhou Xiongwei Technology's Restaurant Digital Comprehensive Management platform allows attackers to bypass authenti...
Jul 26, 2024

This vulnerability allows unauthorized attackers to reset administrative passwords without knowing the current password when auto-login is enabled, gr...
Jul 22, 2024

CVE-2023-3069 is an unverified password change vulnerability in coreBOS CRM that allows attackers to change any user's password without authentication...
Jun 2, 2023

CVE-2020-7378 allows unauthenticated attackers to change any user's password in OpenCRX, including administrative accounts, by connecting to the vulne...
Nov 24, 2020

EventSentry Web Reports interface versions before 6.0.1.20 contain an unverified password change vulnerability. Attackers with temporary access to an ...
Feb 24, 2026

This vulnerability allows unauthorized password changes on Tenda W30E V2 routers without verifying the current password. Attackers who gain access to ...
Jan 26, 2026

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to change any user's password, including administrators...
Apr 24, 2025

This vulnerability in transformeroptimus/superagi v0.0.14 allows authenticated users to change other users' passwords after logging in, enabling accou...
Mar 20, 2025

This vulnerability allows attackers to change any user's password without knowing the current password via the /cgi/admin.cgi endpoint. Attackers can ...
Dec 12, 2024

A logic flaw in Matrix Authentication Service (MAS) versions 0.20.0 through 1.4.0 allows authenticated attackers to perform sensitive account operatio...
Oct 16, 2025

This vulnerability in FelixRiddle's dev-jobs-handlebars 1.0 allows attackers to hijack password reset links by manipulating the Host header. Attackers...
Oct 16, 2025

Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality that allows attackers to reset user passwords by manipulati...
Oct 16, 2025

CVE-2024-27715 is an authentication bypass vulnerability in Eskooly Free Online School Management Software that allows remote attackers to change pass...
Jul 5, 2024

This vulnerability in IBM Aspera Orchestrator allows authenticated users to change other users' passwords without knowing their current passwords. Thi...
Dec 11, 2025

The Exertio Framework WordPress plugin has a critical authentication bypass vulnerability that allows unauthenticated attackers to reset any user's pa...
Mar 1, 2025

This vulnerability in Metasys building automation servers allows authenticated users to lock out other users or take over their accounts. It affects M...
May 6, 2022

This vulnerability in Johnson Controls Metasys building automation systems allows attackers to change passwords without verification. It affects Metas...
Jun 15, 2022

This vulnerability allows unauthenticated attackers to change passwords for any user account in Pimcore's admin-ui-classic-bundle without verification...
Oct 30, 2023

A Host Header Injection vulnerability in levlaz braindump v0.4.14 allows attackers to manipulate password reset links by injecting malicious Host head...
Oct 23, 2025

CVE-2025-46389 is an authentication bypass vulnerability (CWE-620) that allows attackers to change passwords without proper verification. This affects...
Aug 6, 2025

This vulnerability allows unauthenticated attackers to change the login password on SENTRON 7KT PAC1260 Data Manager devices without knowing the curre...
Apr 8, 2025

This vulnerability in IBM Security Verify Access allows unauthenticated attackers to reset passwords for expired user accounts without knowing the cur...
Jan 20, 2025

This vulnerability in ContiNew Admin allows unauthenticated attackers to remotely reset the super administrator password without verification. Affects...
May 12, 2025

This vulnerability allows remote attackers to change the administrator password without verification on UTT 进取 750W devices up to version 5.0. Att...
Jun 16, 2025

This critical vulnerability in D-Link DI-7003GV2 routers allows remote attackers to change passwords without verification via a specific web interface...
May 19, 2025

The BA Book Everything WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset any user's password ...
Sep 24, 2024

This vulnerability allows remote attackers to change student passwords without proper verification in the SpringBoot-Vue-OnlineExam system. By manipul...
Apr 22, 2025

The Buddypress Force Password Change WordPress plugin contains an authentication bypass vulnerability that allows authenticated attackers (subscriber-...
Apr 24, 2025

This vulnerability allows attackers to change passwords without proper verification in Progress MOVEit Transfer's REST API modules on Windows. It affe...
Jan 7, 2026

This vulnerability in vichan-devel vichan allows attackers to remotely change passwords without proper verification. It affects users of vichan up to ...
Feb 16, 2026

This authentication bypass vulnerability allows low-privileged users to escalate privileges without proper credential verification. It affects systems...
Jan 22, 2026

Ibexa DXP versions 5.0.0-beta1 through 5.0.3 have a password validation bypass vulnerability. Authenticated users can change their password without pr...
Dec 11, 2025

About CWE-620
Our database tracks 44 CVEs classified as CWE-620, with 16 rated critical and 15 rated high severity. The average CVSS score for CWE-620 vulnerabilities is 7.9.
External reference: View CWE-620 on MITRE CWE →