CVE-2026-50086 Aqara unauthenticated AES oracle

The Aqara IAM/SSO gateway gw-builder.aqara.com exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has a...

EUVD-2026-36476

The Aqara IAM/SSO gateway gw-builder.aqara.com exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has a...

CVE-2026-9641

CVE-2026-9641 affects Crypt::PBKDF2 for Perl prior to 0.261630. The vulnerability stems from a weak default configuration: using HMAC-SHA1 as the default algorithm and a default 1000 iterations, which is insufficient for modern password hashing. The impact, per sources, could involve reduced resi...

EUVD-2026-36470

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000...

CVE-2026-9641 Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000...

CVE-2026-9641 Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000...

PT-2026-48921

Name of the Vulnerable Software and Affected Versions Crypt::PBKDF2 versions prior to 0.261630 Description The software uses a weak default algorithm and an insufficient number of iterations. The default algorithm is HMAC-SHA1, which is intended only for legacy systems. Additionally, the default...

Linux Distros Unpatched Vulnerability : CVE-2026-9641

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be...

PT-2026-48910

Name of the Vulnerable Software and Affected Versions Aqara IAM/SSO gateway affected versions not specified Description The IAM/SSO gateway at 'gw-builder.aqara.com' exposes an unauthenticated AES oracle, allowing bidirectional AES round-trips against the platform's signing key. This occurs due t...

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition

Summary Multiple vulnerabilities were addressed in IBM Tivoli Network Manager IP Edition 4.2.0.24 IFix 1 Vulnerability Details CVEID:CVE-2025-11143 DESCRIPTION: The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of...

CVE-2026-40996

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-15 encrypted key material unless operators explicitly reconfigured the flag...

CVE-2026-40996

CVE-2026-40996 affects Spring Web Services where Wss4jSecurityInterceptor incorrectly defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer validation behavior for RequestData. This could allow RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material in inbound WS-Security dec...

CVE-2026-48488

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 SHAttered. Version 4.1.4 fixes the issue...

CVE-2026-42766

The CVE-2026-42766 entry documents a NULL pointer dereference in OpenSSL’s CMS decryption for password-based CMS messages. Specifically, PasswordRecipientInfo.keyDerivationAlgorithm is OPTIONAL and may be absent; OpenSSL’s CMS decryption dereferences this field without checking, triggering an app...

CVE-2026-34181

The CVE-2026-34181 issue affects PKCS#12 file processing in OpenSSL where insufficient input validation for PBMAC1 allows forging certificates and private keys. An attacker impersonating a user could cause a service that reads PKCS#12 files to accept forged certificates and keys with about a 1 in...

DEBIAN-CVE-2026-11793

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can...

CVE-2026-11793

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can...

UBUNTU-CVE-2026-11793

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can...