TP-LINK多款产品 安全漏洞

TP-LINK Tapos are products of the TP-LINK company from China. The TP-LINK Tapo is a series of secure Wi-Fi cameras. The TP-Link Tapo H100 is also a product of the TP-LINK company. The TP-Link Tapo H100 is an intelligent IoT gateway. The TP-Link Tapo P100 is also an intelligent IoT gateway. Both t...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...

EUVD-2026-5284

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle MitM attack to intercept the cleartext communication,...

EUVD-2025-206661

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download a...

ASUSTOR ADM 安全漏洞

ASUSTOR ADM is a dedicated operating system developed by ASUSTOR Technology ASUSTOR for all ASUSTOR NAS devices. Vulnerabilities exist in versions 4.1.0 to 4.3.3.ROF1, and from version 5.0.0 to 5.1.1.RCI1 of ASUSTOR ADM. These vulnerabilities stem from the API communication component not verifyin...

GHSA-GX3X-VQ4P-MHHV cert-manager-controller DoS via Specially Crafted DNS Response

Impact The cert-manager-controller performs DNS lookups during ACME DNS-01 processing for zone discovery and propagation self-checks. By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a...

Missing Validation of OpenSSL Certificate

Overview Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate due to the default configuration of DefaultConfig where TLS certificate verification is disabled for outgoing storage driver communications. An attacker can intercept, decrypt, and manipulate al...

CVE-2026-1530 Fog-kubevirt: fog-kubevirt: man-in-the-middle vulnerability due to disabled certificate validation

A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle MITM attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in...

PT-2026-5323

Name of the Vulnerable Software and Affected Versions VX800v version 1.0 Description The web interface of VX800v version 1.0 transmits sensitive information over unencrypted HTTP due to missing application layer encryption. This allows a network-adjacent attacker to intercept the traffic and...

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

Tenda W30E security vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 have security vulnerabilities. These vulnerabilities stem from the maintenance interface, which exposes sensitive credentials in plain text, potentially allowing network...

Cleartext Transmission of Sensitive Information

Overview open-webui is a Credit: Peter Girnus Brandon Niemczyk...

CVE-2025-27377

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle MITM attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensiti...

Azure Linux 3.0 Security Update: kernel (CVE-2025-37957)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-37957 advisory. - In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Forcibly leave SMM mode on...

CVE-2025-58742 Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle AiTM by modifying the 'Server' field to redirect client...

CVE-2025-58742 Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture

Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle AiTM by modifying the 'Server' field to redirect client...

CVE-2025-58742

CVE-2025-58742 affects Milner ImageDirector Capture for Windows, specifically the Connection Settings dialog. The vulnerability arises when an attacker can modify the Server field to redirect client authentication, enabling Adversary in the Middle (AiTM) and exposing credentials. Affected version...

CVE-2025-11043

An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges...

MiracleLinux 4 : thunderbird-78.7.0-1.0.1.AXS4 (AXSA:2021-1432:01)

The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2021-1432:01 advisory. Mozilla: Cross-origin information leakage via redirected PDF requests CVE-2021-23953 Mozilla: Type confusion when using logical assignment operators...