353 matches found
Astra Linux - уязвимость в thunderbird
Thunderbird ignored the configuration that required STARTTLS security for SMTP connections. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication...
CVE-2026-40594 pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
CVE-2026-26994
A flaw was found in uTLS. An active network attacker could exploit this vulnerability by manipulating the initial connection message ClientHello during the TLS handshake. This manipulation forces a downgrade from the more secure TLS 1.3 protocol to an older, less secure version like TLS 1.2. As a...
CVE-2026-26994
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spe...
UBUNTU-CVE-2026-26994
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spe...
CVE-2026-26994
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spe...
uTLS 安全漏洞
uTLS is an open-source Go language codebase developed by Refraction Networking. Versions of uTLS 1.6.7 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of a TLS 1.3 downgrade protection mechanism, which could lead to connection downgrade attacks...
PT-2026-5906
Name of the Vulnerable Software and Affected Versions HCL AION version 2.0 Description HCL AION is susceptible to a missing or insecure HTTP Strict-Transport-Security HSTS header. This can permit insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrad...
MiracleLinux 7 : samba-4.10.16-17.el7 (AXSA:2021-2787:06)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2787:06 advisory. samba: Active Directory AD domain user could become root on domain members CVE-2020-25717 samba: SMB1 client connections can be downgraded to...
MiracleLinux 7 : samba-4.2.3-11.el7 (AXSA:2016-023:01)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-023:01 advisory. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Security issues fixed with this release: CVE-2015-3223 The...
CVE-2025-53627
Meshtastic is an open source mesh networking solution. The Meshtastic firmware starting from version 2.5 introduces asymmetric encryption PKI for direct messages, but when the pkiencrypted flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an...
CVE-2025-53627
Meshtastic is an open source mesh networking solution. The Meshtastic firmware starting from version 2.5 introduces asymmetric encryption PKI for direct messages, but when the pkiencrypted flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an...
CVE-2025-53627 Meshtastic firmware allows forged DMs with no PKC to show up as encrypted
Meshtastic is an open source mesh networking solution. The Meshtastic firmware starting from version 2.5 introduces asymmetric encryption PKI for direct messages, but when the pkiencrypted flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an...
EUVD-2025-205605
Meshtastic is an open source mesh networking solution. The Meshtastic firmware starting from version 2.5 introduces asymmetric encryption PKI for direct messages, but when the pkiencrypted flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an...
CVE-2025-53627 Meshtastic firmware allows forged DMs with no PKC to show up as encrypted
Meshtastic is an open source mesh networking solution. The Meshtastic firmware starting from version 2.5 introduces asymmetric encryption PKI for direct messages, but when the pkiencrypted flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an...
PT-2025-53743
Name of the Vulnerable Software and Affected Versions Meshtastic versions 2.5 through 2.7.14 Description Meshtastic firmware, starting with version 2.5, implemented asymmetric encryption PKI for direct messages. However, when the pki encrypted flag is absent, the firmware reverts to legacy...
CVE-2025-67846
The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that...
CVE-2025-67846
The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that...
PT-2025-52407
Name of the Vulnerable Software and Affected Versions Mintlify Platform versions prior to 2025-11-15 Description The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows attackers to bypass security patches and execute downgrade attacks. This is possible through predictable...
EUVD-2025-202613
The application uses an insecure hashing algorithm MD5 to hash passwords. If an attacker obtained a copy of these hashes, either through exploiting cloud services, performing TLS downgrade attacks on the traffic from a mobile device, or through another means, they may be able to crack the hash in...