3247 matches found

Cvelist (added 2026/02/12 3:01 p.m., 25 views)

CVE-2026-26214 Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM

Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disables TLS hostname verification when HTTPS is enabled, which is the default configuration. In GalaxyFDSClientImpl.createHttpClient, the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accep...

CVSS 9.1, EPSS 0.00032. Exploits 0, References 3.
CISA KEV Catalog (added 2026/02/12 12:00 a.m., 11 views)

Notepad++ Download of Code Without Integrity Check Vulnerability

Notepad++, when using the WinGUp updater, contains a download-of-code-without-integrity-check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges...

CVSS 7.7, AI score 6.4, EPSS 0.09124. Exploited in the wild. Exploits 0.
CVE (added 2026/02/11 10:58 p.m., 14 views)

CVE-2026-20671

CVE-2026-20671 describes a logic issue resolved by improved checks across Apple platforms. The vulnerability affects multiple Apple OS versions and is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26...

CVSS 3.1, AI score 5.8, EPSS 0.0002. Exploits 0, References 8, Affected software 6.
CNNVD (added 2026/02/11 12:00 a.m., 3 views)

Multiple Apple Products Security Vulnerability

Apple iOS is an operating system developed for mobile devices. Apple macOS is a specialized operating system developed for Mac computers. Apple iPadOS is an operating system for iPad tablets. A security bypass vulnerability exists in multiple Apple products and is caused by a logic issue in a kerne...

CVSS 3.1, AI score 5.8, EPSS 0.0002. Exploits 0, References 8.
CNNVD (added 2026/02/05 12:00 a.m., 2 views)

Multiple TP-LINK Products Security Vulnerability

TP-LINK Tapo products are made by the Chinese company TP-LINK. TP-LINK Tapo is a series of secure Wi-Fi cameras. The TP-Link Tapo H100 is also a TP-LINK product, an intelligent IoT gateway. The TP-Link Tapo P100 is also an intelligent IoT gateway. Both t...

CVSS 8.8, AI score 5.8, EPSS 0.0001. Exploits 0, References 5.
Snyk (added 2026/02/04 6:41 p.m., 3 views)

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...

CVSS 9.3, AI score 5.4, EPSS 0.00014. Exploits 1, References 2.
EUVD (added 2026/02/03 2:22 a.m., 1 view)

EUVD-2026-5284

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. This improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a man-in-the-middle (MitM) attack to intercept the cleartext communication,...

CVSS 8.9, AI score 5.6, EPSS 0.00011. Exploits 0, References 1.
EUVD (added 2026/02/03 12:50 a.m., 3 views)

EUVD-2025-206661

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download a...

CVSS 7.7, AI score 6.4, EPSS 0.09124. Exploits 0, References 5.
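The two Notepad++ listings above (the CISA KEV entry and EUVD-2025-206661) describe the same failure mode: update metadata and the installer are fetched and run without any cryptographic check, so whoever controls the network path controls what gets executed. The Go program below is an added example of the check an updater needs; it is not WinGUp's or Notepad++'s code. It assumes a hypothetical JSON manifest format, an Ed25519 publisher key pinned in the client, and constructed installer bytes, and it shows that swapping the installer fails the digest check while rewriting the manifest to match fails the signature check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor (assumed format, not any
// real updater's). The updater verifies the publisher signature over the raw
// manifest bytes first and only then trusts the installer digest it carries.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

var (
	ErrBadSignature   = errors.New("update rejected: manifest signature does not verify")
	ErrDigestMismatch = errors.New("update rejected: installer digest differs from signed manifest")
)

// SignManifest is the publisher side: hash the installer, embed the digest,
// sign the serialized manifest with the offline publisher key.
func SignManifest(priv ed25519.PrivateKey, product, version string, installer []byte) (manifest, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	manifest, err = json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyUpdate is the updater side. Because the public key is pinned in the
// client, a MITM who rewrites the download cannot also produce a valid
// signature over a manifest that matches the rewritten bytes.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifest, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}

// Scenario runs a genuine download and two tampered ones through VerifyUpdate.
// Keys and installer bytes are constructed here; nothing is fetched.
func Scenario() (genuine, swappedInstaller, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	installer := []byte("constructed installer bytes, release 1.2.3")
	manifest, sig, err := SignManifest(priv, "example-app", "1.2.3", installer)
	if err != nil {
		return err, err, err
	}
	_, genuine = VerifyUpdate(pub, manifest, sig, installer)

	// Attacker redirects only the installer download; the signed digest no longer matches.
	evil := []byte("attacker-controlled installer")
	_, swappedInstaller = VerifyUpdate(pub, manifest, sig, evil)

	// Attacker also rewrites the manifest to carry the evil digest, but cannot re-sign it.
	evilSum := sha256.Sum256(evil)
	evilManifest, _ := json.Marshal(Manifest{Product: "example-app", Version: "1.2.3", SHA256: hex.EncodeToString(evilSum[:])})
	_, forgedManifest = VerifyUpdate(pub, evilManifest, sig, evil)
	return genuine, swappedInstaller, forgedManifest
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine update:    ", g)
	fmt.Println("swapped installer: ", s)
	fmt.Println("forged manifest:   ", f)
}
```

Transport security (HTTPS with a verified certificate) and this signature check are complementary: TLS protects the fetch, the signature binds the bytes to the publisher regardless of how they arrived, so a compromised mirror or CDN is caught as well.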
CNNVD (added 2026/02/03 12:00 a.m., 3 views)

ASUSTOR ADM Security Vulnerability

ASUSTOR ADM is a dedicated operating system developed by ASUSTOR Technology (ASUSTOR) for all ASUSTOR NAS devices. Vulnerabilities exist in ASUSTOR ADM versions 4.1.0 to 4.3.3.ROF1 and 5.0.0 to 5.1.1.RCI1. These vulnerabilities stem from the API communication component not verifyin...

CVSS 8.9, AI score 5.8, EPSS 0.00011. Exploits 0, References 1.
OSV (added 2026/02/02 10:11 p.m., 3 views)

GHSA-GX3X-VQ4P-MHHV cert-manager-controller DoS via Specially Crafted DNS Response

Impact: The cert-manager-controller performs DNS lookups during ACME DNS-01 processing for zone discovery and propagation self-checks. By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a...

CVSS 5.9, AI score 5.5, EPSS 0.0002. Exploits 0, References 10.
Snyk (added 2026/02/02 8:12 p.m., 1 view)

Missing Validation of OpenSSL Certificate

Overview: Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate due to the default configuration of DefaultConfig, where TLS certificate verification is disabled for outgoing storage driver communications. An attacker can intercept, decrypt, and manipulate al...

CVSS 9.2, AI score 5.5, EPSS 0.00014. Exploits 0, References 2.
Cvelist (added 2026/02/02 5:47 a.m., 25 views)

CVE-2026-1530 fog-kubevirt: man-in-the-middle vulnerability due to disabled certificate validation

A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a man-in-the-middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in...

CVSS 8.1, EPSS 0.00013. Exploits 0, References 4.
Positive Technologies (added 2026/01/29 12:00 a.m., 3 views)

PT-2026-5323

Name of the vulnerable software and affected versions: VX800v version 1.0. Description: The web interface of VX800v version 1.0 transmits sensitive information over unencrypted HTTP due to missing application-layer encryption. This allows a network-adjacent attacker to intercept the traffic and...

CVSS 5.3, AI score 5.9, EPSS 0.00007. Exploits 0, References 5.
Cvelist (added 2026/01/28 6:07 p.m., 24 views)

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

CVSS 8.9, EPSS 0.00035. Exploits 0, References 1.
CNNVD (added 2026/01/26 12:00 a.m., 3 views)

Tenda W30E Security Vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 have security vulnerabilities. These vulnerabilities stem from the maintenance interface, which exposes sensitive credentials in plain text, potentially allowing network...

CVSS 8.2, AI score 5.9, EPSS 0.00056. Exploits 0, References 3.
Snyk (added 2026/01/23 5:09 a.m., 3 views)

Cleartext Transmission of Sensitive Information

Overview: open-webui is a Credit: Peter Girnus Brandon Niemczyk...

CVSS 6.5, AI score 5.9, EPSS 0.00019. Exploits 1, References 2.
ATTACKERKB (added 2026/01/22 12:16 a.m., 4 views)

CVE-2025-27377

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensiti...

CVSS 5.3, AI score 5.4, EPSS 0.00013. Exploits 0, References 2, Affected software 1.
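Several listings above share one defect: the client accepts whatever certificate the server presents. The Galaxy FDS Android SDK installs ALLOW_ALL_HOSTNAME_VERIFIER, the storage-driver DefaultConfig sets TlsInsecureSkipVerify, and the ASUSTOR ADM API client, fog-kubevirt and Altium Designer skip validation outright. The Go program below is an added example, written for this page rather than taken from any of those projects, that makes the difference concrete against a loopback HTTPS server whose self-signed certificate stands in for an interposed attacker. It compares four client configurations: InsecureSkipVerify (the weak setting), default verification against the system roots, a pinned root (the correct fix for a private PKI), and a pinned root with a mismatched hostname, which shows that hostname verification is a separate check from chain validation. The server, its certificate and the "secret" response are constructed fixtures.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records whether one client configuration managed to complete a request.
type Outcome struct {
	Name string
	OK   bool
	Err  string
}

// newSelfSignedServer starts a loopback HTTPS server. httptest signs it with a
// throwaway self-signed certificate (valid for 127.0.0.1 and example.com) that
// no system root trusts, which models an attacker's interposed endpoint.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "session-token=constructed-secret") // constructed response body
	}))
}

// fetch performs one GET through a transport built from cfg and reports only success or failure.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// insecure mirrors the weak settings in the listings (InsecureSkipVerify,
// ALLOW_ALL_HOSTNAME_VERIFIER): both chain validation and hostname checking are off.
func insecure() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// strict is Go's default: validate the chain against the system trust store
// and the hostname against the certificate's SANs.
func strict() *tls.Config { return &tls.Config{} }

// pinned trusts exactly one certificate (or private CA) as the root. serverName
// overrides the hostname used for verification; empty means "use the URL host".
func pinned(root *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, ServerName: serverName}
}

// Run exercises the four client modes against the self-signed server and
// returns the outcome of each, keyed by name.
func Run() map[string]Outcome {
	srv := newSelfSignedServer()
	defer srv.Close()
	root := srv.Certificate()

	cases := []struct {
		name string
		cfg  *tls.Config
	}{
		{"insecure_skip_verify", insecure()},
		{"system_roots", strict()},
		{"pinned_root", pinned(root, "")},
		{"pinned_root_wrong_hostname", pinned(root, "attacker.example")},
	}
	out := make(map[string]Outcome, len(cases))
	for _, c := range cases {
		err := fetch(srv.URL, c.cfg)
		o := Outcome{Name: c.name, OK: err == nil}
		if err != nil {
			o.Err = err.Error()
		}
		out[c.name] = o
	}
	return out
}

func main() {
	for _, o := range Run() {
		fmt.Printf("%-28s ok=%-5v %s\n", o.Name, o.OK, o.Err)
	}
}
```

Only the InsecureSkipVerify client and the correctly pinned client succeed; the default client rejects the unknown issuer and the pinned-but-wrong-hostname client fails the name check. When auditing a client, look for both knobs: a trusted root alone does not help if hostname verification has been switched off, which is exactly the Galaxy FDS SDK case.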
Tenable Nessus (added 2026/01/22 12:00 a.m., 1 view)

Azure Linux 3.0 Security Update: kernel (CVE-2025-37957)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-37957 advisory. In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Forcibly leave SMM mode on...

CVSS 7.8, AI score 6.7, EPSS 0.00067. Exploits 0, References 2.
Vulnrichment (added 2026/01/20 9:36 p.m., 4 views)

CVE-2025-58742 Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

An Insufficiently Protected Credentials and Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary-in-the-Middle (AiTM) attacks by modifying the 'Server' field to redirect client...

CVSS 8.5, AI score 5.5, EPSS 0.00051. Exploits 0, References 1.