EUVD-2026-34231

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links...

CVE-2026-50226

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links...

CVE-2026-50226

CVE-2026-50226 affects the AcerConnect OTA application. The issue arises from fixed AES-128-CBC keys inside the app, allowing attackers to forge authorization credentials for arbitrary IMEI numbers. This enables unauthorized actors to list catalog items and extract protected binaries from pre-sig...

EUVD-2026-34222

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors IVs, making it susceptible to replay attacks and known-plaintext decryption...

CVE-2026-50210 Weak Static Cryptographic Initialization Vectors

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors IVs, making it susceptible to replay attacks and known-plaintext decryption...

CVE-2026-50210 Weak Static Cryptographic Initialization Vectors

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors IVs, making it susceptible to replay attacks and known-plaintext decryption...

CVE-2026-50208

High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle MITM actor could decrypt network traffic...

CVE-2026-50208

CVE-2026-50208 describes a vulnerability where TrustAllCerts routines bypass TLS certificate validation and are combined with hard-coded DES keys, enabling a MitM actor to decrypt network traffic. Documented impact includes high confidentiality and integrity risks with network traffic exposure; n...

CVE-2026-50208 Permissive TrustAllCerts TLS Verification

High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle MITM actor could decrypt network traffic...

DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization

DNN DotNetNuke versions 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters because of an incomplete fix for CVE-2018-15811. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code...

WAVLINK WN530HG4 - Improper Access Control

WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. It contains a hardcoded encryption/decryption key for its configuration files at /etcro/lighttpd/www/cgi-bin/ExportAllSettings.sh. An attacker can possibly obtain sensitive information, modify data, and/or execute...

DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization

DNN DotNetNuke versions 9.2 through 9.2.1 use a weak encryption algorithm to protect input parameters. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code execution. id: CVE-2018-15811 info: name: DotNetNuke...

PT-2026-46162

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors IVs, making it susceptible to replay attacks and known-plaintext decryption...

PT-2026-46160

High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle MITM actor could decrypt network traffic...

CVE-2026-8881

Version 3.0.7 of the Securly Chrome Extension uses EVPBytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching...

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

CVE-2026-36606

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials...

CVE-2026-8881 CVE-2026-8881

Version 3.0.7 of the Securly Chrome Extension uses EVPBytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching...

CVE-2026-8881

CVE-2026-8881 affects the Securly Chrome Extension (version 3.0.7). The crypto uses EVP_BytesToKey with MD5 and a single iteration for AES encryption, relying on an MD5 primitive that has been broken since 2004 and provides no key stretching. This weak derivation reduces the security of protected...

EUVD-2026-34166

Version 3.0.7 of the Securly Chrome Extension uses EVPBytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching...