120 matches found
CVE-2026-40971
A flaw was found in Spring Boot. When configured to use an SSL Secure Sockets Layer bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. This vulnerability could allow an attacker on the same network to intercept or alter...
Improper SSL Hostname Verification
org.springframework.boot, spring-boot-elasticsearch is vulnerable to improper SSL hostname verification. The vulnerability is due to missing hostname verification in SSL bundle configuration, which allows an attacker to perform man-in-the-middle attacks by connecting to a malicious Elasticsearch...
nodejs: Node.js: Certification validation bypass in TLS host verification
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security TLS host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integri...
Flowise: Password Reset Link Sent Over Unsecured HTTP
Summary: The password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle MITM attack, where an attacker on the same network as the user e.g., public Wi-Fi can intercept...
PT-2026-44910
Name of the Vulnerable Software and Affected Versions axios versions 0.x through 1.x Description A prototype pollution gadget in the lib/adapters/http.js component allows an attacker to escalate any Object.prototype pollution within an application's dependency tree into a full Man-in-the-Middle...
CVE-2026-5363 Use of weak cryptographic key in TP-Link Archer C7
Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 uhttpd modules allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to...
EUVD-2026-20991
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...
IBM InfoSphere Information Server 安全漏洞
IBM InfoSphere Information Server is IBM's enterprise-class data integration platform for data quality management and ETL processing. An information disclosure vulnerability exists in IBM InfoSphere Information Server that stems from a query string of an HTTP GET request that could expose sensiti...
CVE-2026-1068
An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application...
CVE-2026-31960 DoS in Quill via unbounded read of HTTP response body during notarization
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the CLI login command when the -skip-verify flag is used without the --cacert flag. An attacker can intercept sensitive information or perform man-in-the-middle attacks by exploiting the lack of proper...
CVE-2026-2539
The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool e.g., SDR can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...
GHSA-GX3X-VQ4P-MHHV cert-manager-controller DoS via Specially Crafted DNS Response
Impact The cert-manager-controller performs DNS lookups during ACME DNS-01 processing for zone discovery and propagation self-checks. By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a...
Missing Validation of OpenSSL Certificate
Overview Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate due to the default configuration of DefaultConfig where TLS certificate verification is disabled for outgoing storage driver communications. An attacker can intercept, decrypt, and manipulate al...
CVE-2021-31892
A vulnerability has been identified in SINUMERIK Analyse MyCondition All versions, SINUMERIK Analyze MyPerformance All versions, SINUMERIK Analyze MyPerformance /OEE-Monitor All versions, SINUMERIK Analyze MyPerformance /OEE-Tuning All versions, SINUMERIK Integrate Client 02 All versions =...
CVE-2026-22543
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials...
CVE-2025-13489 IBM DevOps Deploy is susceptible to a Cleartext Transmission of Sensitive Information
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 IBM DevOps Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques...
PT-2025-51100
Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint...
CVE-2025-65827
The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. TThis may result in a total compromise o...