CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

32 matches found

CVE-2026-42854

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array VLA on the stack whose size is derived from an attacker-controlled HTTP head...

9.8CVSS6AI score0.00283EPSS

Exploits1References1

NVD•added 2026/05/12 10:16 p.m.•8 views

CVE-2026-42855

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header,...

7.5CVSS0.00047EPSS

Exploits1References1

NVD•added 2026/05/12 10:16 p.m.•10 views

CVE-2026-42854

9.8CVSS0.00283EPSS

Exploits1References1

Cvelist•added 2026/05/12 9:56 p.m.•34 views

CVE-2026-42854 arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE

9.8CVSS0.00283EPSS

Exploits1References1

Vulnrichment•added 2026/05/12 9:56 p.m.•10 views

CVE-2026-42854 arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE

9.8CVSS6.2AI score0.00283EPSS

Exploits1References1

CVE•added 2026/05/12 9:56 p.m.•10 views

CVE-2026-42854

Summary: The Arduino-ESP32 core is affected by a stack overflow in the WebServer multipart boundary parser. A boundary derived from the HTTP header (Content-Type: multipart/form-data; boundary=...) with length > ~8000 can overflow the 8192-byte loopTask stack, potentially enabling remote code ...

9.8CVSS6.2AI score0.00283EPSS

Exploits1References1Affected Software1

ATTACKERKB•added 2026/05/12 9:56 p.m.•4 views

CVE-2026-42855

7.5CVSS5.8AI score0.00047EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/05/12 9:56 p.m.•6 views

CVE-2026-42855 arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack

7.5CVSS5.8AI score0.00047EPSS

Exploits1References1

Cvelist•added 2026/05/12 9:56 p.m.•30 views

CVE-2026-42855 arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack

7.5CVSS0.00047EPSS

Exploits1References1

CNNVD•added 2026/05/12 12:0 a.m.•4 views

arduino-esp32 安全漏洞

Arduino-ESP32 is an open-source project by Espressif, designed for use with the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 boards. Versions of Arduino-ESP32 prior to 3.3.8 contained a security vulnerability. This vulnerability stemmed from the WebServer multi-part form parser’s...

9.8CVSS6.2AI score0.00283EPSS

Exploits1References1

Positive Technologies•added 2026/05/12 12:0 a.m.•8 views

PT-2026-40454

9.8CVSS6.2AI score0.00283EPSS

Exploits1References2

CVE•added 2026/04/24 7:19 p.m.•13 views

CVE-2026-41429

CVE-2026-41429 affects the arduino-esp32 core (ESP32/ESP32-S2/ESP32-S3/ESP32-C3/ESP32-C6/ESP32-H2). The issue is a memory corruption in NBNS packet handling when NetBIOS is enabled via NBNS.begin(...); the code path listens on UDP port 137 and processes untrusted NBNS requests. The request parser...

8.8CVSS5.6AI score0.00028EPSS

Exploits1References1Affected Software1

Cvelist•added 2026/04/24 7:19 p.m.•27 views

CVE-2026-41429 Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin..., the device listens on UDP...

8.8CVSS0.00028EPSS

Exploits1References1

CNNVD•added 2026/04/24 12:0 a.m.•4 views

arduino-esp32 安全漏洞

8.8CVSS5.8AI score0.00028EPSS

Exploits1References2

EUVD•added 2025/10/03 8:7 p.m.•0 views

EUVD-2024-41606

Malicious code in bioql PyPI...

9.9CVSS6.6AI score0.00319EPSS

Exploits0References5

Cvelist•added 2025/07/07 7:26 p.m.•5 views

CVE-2025-53540 CSRF Vulnerability in Firmware Update Endpoints Allows Remote Code Execution

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery CSRF. The update endpoints accept POST requests for firmware uploa...

8.7CVSS0.00769EPSS

Exploits0References2

Positive Technologies•added 2025/07/07 12:0 a.m.•2 views

PT-2025-28253 · Arduino · Arduino-Esp32

Name of the Vulnerable Software and Affected Versions: arduino-esp32 versions prior to 3.2.1 Description: The issue affects several OTA update examples and the HTTPUpdateServer implementation in the arduino-esp32 core, allowing an attacker to upload and execute arbitrary firmware due to a lack of...

8.7CVSS8AI score0.00769EPSS

Exploits0References6

CNNVD•added 2025/07/07 12:0 a.m.•1 views

arduino-esp32 跨站请求伪造漏洞

arduino-esp32 is an Espressif open source Arduino kernel for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2. A cross-site request forgery vulnerability exists in arduino-esp32 versions prior to 3.2.1, which stems from an update endpoint accepting a POST request without CSRF protection...

8.7CVSS7.5AI score0.00769EPSS

Exploits0References3

RedhatCVE•added 2025/06/28 3:17 p.m.•3 views

CVE-2025-53007

arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain a HTTP Response Splitting vulnerability. The sendHeader function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and appends this to the outgoi...

9.3CVSS7.3AI score0.00413EPSS

Exploits0References1

NVD•added 2025/06/26 3:15 p.m.•4 views

CVE-2025-53007

9.3CVSS0.00413EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by