CVE-2021-46009
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations c
CVSS
9.8
Critical
EPSS
12.2%
p96
KEV
—
Exploit Today
29
0-100
Published: Mar 30, 2022 · Last modified: Jul 9, 2026 · CWE-306
12.2%EPSS · 30 days15.2%
2026-06-302026-07-16
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2024-116809.8 CRI99.8%
KEV—80ProjectSend Improper Authentication Vulnerability2dCVE-2026-561645.3 MED92.0%
KEV—78Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability2dCVE-2026-468179.8 CRI60.3%
KEV—68Oracle E-Business Suite Improper Privilege Management Vulnerability19hCVE-2022-245629.8 CRI98.9%
——30In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.8dCVE-2026-411769.8 CRI98.2%
——29Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.2d