CWE-640: Weak Password Recovery Mechanism for Forgotten Password
Yearly Trend
Top Affected Vendors
All CWE-640 CVEs (74)
Jan 12, 2026: CVE-2025-63314 is a critical authentication bypass vulnerability in DDSN Interactive Acora CMS v10.7.1 where static password reset tokens allow attack...
Jan 12, 2024: This critical vulnerability in GitLab allows attackers to hijack user accounts by intercepting password reset emails sent to unverified email addresse...
Feb 7, 2026: This vulnerability allows unauthenticated attackers to reset passwords for any user account by exploiting a flawed OTP verification process in the pas...
Dec 9, 2025: CVE-2025-64113 is an authentication bypass vulnerability in Emby Server that allows attackers to gain full administrative access to the media server. ...
Nov 26, 2025: This vulnerability allows attackers to escalate privileges via a crafted password reset mechanism on imonnit.com, enabling account takeover of arbitra...
Nov 10, 2025: CVE-2025-12866 is a critical authentication bypass vulnerability in EIP Plus software developed by Hundred Plus. It allows unauthenticated remote atta...
Sep 11, 2025: Daikin Europe N.V. Security Gateway contains an authorization bypass vulnerability that allows attackers to access the system without valid credential...
Sep 9, 2025: This vulnerability allows attackers to bypass password recovery mechanisms in Hossein Material Dashboard WordPress plugin, potentially gaining unautho...
Aug 13, 2025: This vulnerability allows attackers to reset any user account password in Danphe Health Hospital Management System EMR, enabling complete account take...
Jul 7, 2025: This vulnerability allows attackers to take over user accounts in Flask Boilerplate applications by exploiting the password reset feature. Attackers c...
Jun 21, 2025: This vulnerability allows remote attackers to bypass authentication in Allegra by exploiting a predictable password reset token generation mechanism. ...
Apr 17, 2025: This vulnerability allows attackers to bypass authentication and reset passwords for any user account in the Paid Videochat Turnkey Site WordPress plu...
Jan 8, 2025: The AdForest WordPress theme contains a critical authentication bypass vulnerability that allows unauthenticated attackers to reset any user's passwor...
Dec 10, 2024: This vulnerability in CrushFTP allows attackers to bypass password reset mechanisms, potentially leading to complete account takeover. It affects Crus...
Oct 25, 2024: This vulnerability in Olive VLE allows attackers to obtain sensitive information through the password reset function, potentially leading to account t...
Jul 25, 2024: This vulnerability allows unauthenticated remote attackers to force a password reset for the administrator account in R-HUB TurboMeeting, setting it t...
Jun 16, 2024: This vulnerability in Shenzhen Guoxin Synthesis image system allows attackers to reset passwords without authorization via the resetPassword API, pote...
Jun 3, 2024: CVE-2024-5404 allows unauthenticated remote attackers to change the admin password on moneo appliances due to a weak password recovery mechanism. This...
Jun 29, 2023: CVE-2023-36487 is a critical authentication bypass vulnerability in ILIAS learning management system that allows remote attackers to take over user ac...
Apr 28, 2023: This vulnerability allows remote attackers to take over administrator accounts on Milesight NVR devices through a weak password reset mechanism in the...
Mar 21, 2023: This vulnerability allows attackers to bypass password reset mechanisms in MEGAFEIS and BOFEI DBD+ mobile applications due to an insecure expiry mecha...
Apr 15, 2022: CVE-2022-27157 is a weak password recovery mechanism vulnerability in pearweb that allows attackers to reset passwords without proper authentication. ...
Aug 6, 2021: CVE-2021-36209 is an account takeover vulnerability in JetBrains Hub password reset functionality. Attackers could exploit this to reset passwords for...
Jun 11, 2021: This vulnerability allows attackers to bypass password recovery mechanisms in Schneider Electric PowerLogic devices, potentially gaining administrator...
Jun 8, 2021: CVE-2021-28293 is an unauthenticated account takeover vulnerability in Seceon aiSIEM's password reset functionality. Attackers can set arbitrary passw...
May 26, 2021: This vulnerability allows remote attackers to change passwords on Modicon Managed Switches without authentication when basic user information is known...
Oct 27, 2020: This vulnerability in konzept-ix publiXone allows attackers to craft password-reset tokens to take over arbitrary user accounts. It affects all publiX...
Sep 3, 2020: This vulnerability allows attackers to bypass password reset mechanisms in eramba by brute-forcing weak recovery tokens. Affected systems include eram...
Dec 6, 2024: Ruijie Reyee OS versions 2.206.x through 2.319.x contain a weak password change mechanism that allows attackers to brute force authentication. This vu...
Feb 24, 2026: This vulnerability in Statamic CMS allows attackers to hijack password reset tokens and take over user accounts. Attackers need a valid email address...
Jan 19, 2021: CVE-2021-25323 is an authentication bypass vulnerability in MISP (Malware Information Sharing Platform) where users could change their passwords witho...
Aug 20, 2025: This vulnerability allows attackers to bypass the OTP verification in the password reset workflow of the Touch Lebanon Mobile App. Attackers can reset...
Mar 19, 2025: The BoomBox Theme Extensions WordPress plugin allows authenticated attackers with subscriber-level access or higher to reset passwords of any user, in...
Apr 9, 2024: This vulnerability in SAP NetWeaver AS Java allows attackers to manipulate security answer content during self-registration or profile modification, p...
Jan 10, 2024: This vulnerability allows attackers to reset arbitrary user passwords in WWBN AVideo by exploiting insufficient entropy in password recovery token gen...
Oct 29, 2023: This vulnerability allows attackers to bypass password recovery mechanisms in LinkStack versions prior to 4.2.9, potentially enabling unauthorized acc...
Aug 17, 2021: CVE-2021-25957 is an authentication bypass vulnerability in Dolibarr's password reset functionality that allows low-privileged attackers to reset any ...
May 11, 2021: CVE-2021-31912 is an account takeover vulnerability in JetBrains TeamCity where attackers could potentially hijack user accounts during password reset...
Sep 19, 2023: CVE-2023-4096 is a weak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0. Attackers can brute-force the emailed PIN...
Sep 27, 2023: JumpServer's password reset verification code lacks rate limiting, allowing attackers to brute-force the 6-digit code within its 1-minute validity win...
Feb 16, 2026: This vulnerability in Intelbras VIP 3260 Z IA devices allows attackers to bypass password recovery mechanisms through the /OutsideCmd endpoint. It aff...
Nov 18, 2025: This vulnerability in Piwigo allows attackers to send password reset emails containing malicious links to legitimate users. By manipulating the Host h...
Sep 29, 2025: This vulnerability in VMware NSX allows unauthenticated attackers to enumerate valid usernames through a weak password recovery mechanism. This enable...
Jun 24, 2025: Kanboard versions before 1.2.46 have a password reset vulnerability where attackers can craft malicious reset links that leak tokens to attacker-contr...
Feb 28, 2025: This vulnerability allows unauthenticated attackers to brute-force OTP codes and reset passwords for any user, including administrators, in the Direct...
Jun 11, 2024: The Build App Online WordPress plugin has a weak password reset mechanism that allows unauthenticated attackers to reset any user's password by guessi...
Dec 12, 2023: This vulnerability allows locked B2B users in SAP Commerce Cloud to bypass account restrictions by exploiting the forgotten password functionality whe...
Nov 30, 2023: ZITADEL identity infrastructure systems are vulnerable to account takeover via password reset email manipulation. Attackers can inject malicious Forwa...
May 17, 2022: CVE-2022-29174 is a password reset token vulnerability in Countly Server that allows attackers who know a user's email/username and full name to guess...
May 6, 2021: This vulnerability in Strapi allows attackers who have obtained a valid session to change a user's password without providing the current password. Th...
About CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
CWE-640 covers account-recovery flows that let an attacker reset or learn a password without proving control of the account: static, predictable or low-entropy reset tokens, short OTPs that can be guessed without a lockout, guessable security answers, reset links that can be redirected to an attacker's host, or reset mail sent to an address the user never verified. Our database tracks 74 CVEs classified as CWE-640, with 31 rated critical and 34 rated high severity. The average CVSS score for CWE-640 vulnerabilities is 8.4.
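The entries above repeat a handful of failure modes: reset tokens that are static or derivable from data an attacker can know (Acora CMS, Allegra, publiXone, AVideo, Countly), short codes that can be brute-forced because nothing limits attempts (JumpServer, Fujitsu Arconte Áurea, Build App Online), reset links whose origin is taken from the request's Host or Forwarded header so the token is delivered to an attacker's domain (Piwigo, ZITADEL, Kanboard), and reset mail sent to an unverified address (GitLab). The sketch below is an added example for this page, not code from any of the listed projects, showing a reset flow that avoids all four and a brute-force attempt against it. The User and ResetRecord classes, the in-memory store, the CANONICAL_ORIGIN value, the TTL and attempt limits, and the sample users are all assumptions made for the example; the only external dependencies are the Python standard library.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed deployment settings for this example (hypothetical values).
CANONICAL_ORIGIN = "https://app.example.com"  # from configuration, never from a Host/Forwarded header
TOKEN_TTL_SECONDS = 15 * 60                    # reset secrets are short-lived
OTP_DIGITS = 6
OTP_MAX_ATTEMPTS = 5                           # a 6-digit code must not survive a brute force
PBKDF2_ROUNDS = 200_000


@dataclass
class User:                 # constructed stand-in for a user table row
    username: str
    email: str
    email_verified: bool
    pw_salt: bytes = b""
    pw_hash: bytes = b""


@dataclass
class ResetRecord:          # constructed stand-in for a reset-token table row
    token_hash: str         # sha256 of the secret; a database read never yields a live token
    expires_at: float
    used: bool = False
    attempts: int = 0


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the stdlib keeps the example self-contained; argon2id or scrypt is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_password_hash(password, user.pw_salt), user.pw_hash)


class PasswordReset:
    def __init__(self, users, now=time.time):
        self.users = {u.username: u for u in users}
        self.records = {}     # username -> ResetRecord; one live secret per user
        self.now = now        # injectable clock so expiry can be exercised offline

    def _issue(self, username: str, secret: str) -> None:
        # A fresh request replaces any earlier secret for the same user.
        self.records[username] = ResetRecord(_digest(secret), self.now() + TOKEN_TTL_SECONDS)

    def request_link(self, username: str):
        """Return (recipient, link) for the mailer, or None. The HTTP response to the
        client must look the same in both cases so usernames cannot be enumerated."""
        user = self.users.get(username)
        if user is None or not user.email_verified:
            return None     # never mail a reset to an address the user has not proven they own
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not derived from user data
        self._issue(username, token)
        # The origin is fixed by configuration, so an attacker-controlled Host header
        # cannot redirect the link (and with it the token) to a domain they run.
        return user.email, f"{CANONICAL_ORIGIN}/reset?" + urlencode({"user": username, "token": token})

    def request_otp(self, username: str):
        """Same contract as request_link, for flows that mail or text a short code."""
        user = self.users.get(username)
        if user is None or not user.email_verified:
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._issue(username, otp)
        return user.email, otp

    def complete(self, username: str, secret: str, new_password: str) -> bool:
        rec = self.records.get(username)
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.attempts += 1
        if rec.attempts > OTP_MAX_ATTEMPTS:
            rec.used = True                 # lock the record; the user must request a new code
            return False
        if not hmac.compare_digest(rec.token_hash, _digest(secret)):
            return False
        rec.used = True                     # single use
        user = self.users[username]
        user.pw_salt = secrets.token_bytes(16)
        user.pw_hash = _password_hash(new_password, user.pw_salt)
        return True


def brute_force_otp(service: PasswordReset, username: str) -> bool:
    """The attack the JumpServer and Fujitsu entries describe: try every code in order.
    Against this service it can only succeed if the real code is among the first OTP_MAX_ATTEMPTS guesses."""
    for guess in range(10 ** OTP_DIGITS):
        if service.complete(username, f"{guess:0{OTP_DIGITS}d}", "attacker-chosen"):
            return True
    return False
```

Two choices carry most of the weight: the server stores only a hash of the secret, so neither a database read nor a log line exposes a usable token, and the attempt counter lives on the record rather than on the client's IP, so distributing the guesses across sources does not help. The link origin is a fixed configuration value; if the application sits behind a proxy, validate the forwarded host against an allow-list instead of trusting it.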
External reference: CWE-640 on MITRE CWE, https://cwe.mitre.org/data/definitions/640.html