TP-LINK多款产品 安全漏洞

TP-LINK Tapos are products of the TP-LINK company from China. The TP-LINK Tapo is a series of secure Wi-Fi cameras. The TP-Link Tapo H100 is also a product of the TP-LINK company. The TP-Link Tapo H100 is an intelligent IoT gateway. The TP-Link Tapo P100 is also an intelligent IoT gateway. Both t...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...

EUVD-2026-5284

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle MitM attack to intercept the cleartext communication,...

Tenda W30E security vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 have security vulnerabilities. These vulnerabilities stem from the maintenance interface, which exposes sensitive credentials in plain text, potentially allowing network...

Cleartext Transmission of Sensitive Information

Overview open-webui is a Credit: Peter Girnus Brandon Niemczyk...

CVE-2025-27377

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle MITM attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensiti...

CVE-2025-11043

An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges...

B&R Automation Studio Trust Management Vulnerability

B&R Automation Studio is an integrated development environment provided by the Austrian company B&R. Versions of B&R Automation Studio prior to version 6.5 contained a trust management vulnerability. This vulnerability stemmed from improper verification of OPC-UA client and ANSL over TLS client...

CVE-2026-22079 Cleartext Transmission Vulnerability in Tenda Wireless Routers

This vulnerability exists in Tenda wireless routers 300Mbps Wireless Router F3 and N300 Easy Setup Router due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network cou...

CVE-2020-7339

Use of a Broken or Risky Cryptographic Algorithm vulnerability in McAfee Database Security Server and Sensor prior to 4.8.0 in the form of a SHA1 signed certificate that would allow an attacker on the same local network to potentially intercept communication between the Server and Sensors...

CVE-2019-25278 FaceSentry Access Control System 6.4.8 Authentication Credentials MiTM Disclosure

FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication...

Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats

A Google Chrome extension with a "Featured" badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence AI-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and...

Exploit for Out-of-bounds Read in Openssl

--- Cybersecurity Labs Portfolio This repository contain...

CVE-2025-63433

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt,...

CVE-2025-63432

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle MITM attack ...

CVE-2025-63433

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt,...

CVE-2025-34271

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network...

CVE-2025-34271 Nagios Log Server < 2024R2.0.2 Cluster Manager Credential Requests Sent Over Plaintext

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network...

CVE-2025-34271

Nagios Log Server (prior to 2024R2.0.2) suffers a cluster manager credential leakage vulnerability: credentials requested from peer nodes over an unencrypted channel, even with SSL/TLS enabled. This allows an on-path attacker to intercept credentials in transit and potentially authenticate as a c...