48 matches found
Unity Linux 20.1060e / 20.1070e Security Update: curl (UTSA-2026-017589)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017589 advisory. When sending data to an MQTT server, libcurl >= 7.73.0 and <= 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use...
PT-2026-7834
Name of the Vulnerable Software and Affected Versions: SolaX devices (affected versions not specified) Description: Devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a...
JLSEC-2025-29 When sending data to an MQTT server, libcurl >= 7.73.0 and <= 7.78.0 could in some circumstances errone...
When sending data to an MQTT server, libcurl >= 7.73.0 and <= 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again...
EUVD-2021-10073
Malware in sbrugna...
EUVD-2019-0656
Malware in sbrugna...
EUVD-2018-11109
Malware in sbrugna...
EUVD-2025-16053
Malicious code in bioql PyPI...
EUVD-2021-2848
Malicious code in bioql PyPI...
Telpo MDM security vulnerability
Telpo MDM is a mobile device management system from the Chinese company Telpo. A security vulnerability exists in Telpo MDM versions 1.4.6 to 1.4.9, which originates from the plaintext storage of administrator credentials and MQTT server details, and could lead to unauthorized access...
CVE-2025-27803
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access ...
PT-2025-22331 · Echarge Hardy Barth · Cph2 / Cpp2 Charging Stations
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue concerns a lack of authentication for the web interface or the MQTT server. This allows an attacker with network access to gain administrative access, perform arbitrary...
GO-2024-3307 CVE-2024-50948 in github.com/mochi-mqtt/server
CVE-2024-50948 in github.com/mochi-mqtt/server...
CentOS 9 : curl-7.76.1-12.el9
The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the curl-7.76.1-12.el9 build changelog. - When sending data to an MQTT server, libcurl = 7.20.0 and = 7.20.0 and = 7.78.0 connects to an IMAP or POP3 server to retrieve data using...
CVE-2023-6248
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connect...
Hardcoded credentials
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connect...
CVE-2023-6248 Data leakage and arbitrary remote code execution in Syrus cloud devices
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connect...
CVE-2023-6248 Data leakage and arbitrary remote code execution in Syrus cloud devices
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connect...
CVE-2023-45321
The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), uses the HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by...
PT-2023-29497 · Google · Android Client
Name of the Vulnerable Software and Affected Versions: Android Client application affected versions not specified Description: The issue concerns the use of the HTTP protocol instead of HTTPS to retrieve sensitive information, including IP addresses and credentials for a remote MQTT broker entity...
CVE-2023-1748
The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage door...