CVE-2026-45328

ESF-IDF is the Espressif Internet of Things IOT Development Framework. In versions 5.5.4 and 6.0, the esptee component exposes secure-service wrappers in espsecureservices.c and espsecureservicesiram.c that bridge calls from the user application i.e. the REE to TEE-protected hardware peripherals...

CVE-2026-45328

The CVE concerns ESF-IDF’s ESP-IDF esp_tee component. In versions 5.5.4 and 6.0, the secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c bridge calls from the REE to TEE-protected peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and security features (attestation, OTA,...

CVE-2026-45328 ESF-IDF: Out-of-Bounds Write in ESP-TEE Secure Service Wrappers

ESF-IDF is the Espressif Internet of Things IOT Development Framework. In versions 5.5.4 and 6.0, the esptee component exposes secure-service wrappers in espsecureservices.c and espsecureservicesiram.c that bridge calls from the user application i.e. the REE to TEE-protected hardware peripherals...

PT-2026-48350

ESF-IDF is the Espressif Internet of Things IOT Development Framework. In versions 5.5.4 and 6.0, the esp tee component exposes secure-service wrappers in esp secure services.c and esp secure services iram.c that bridge calls from the user application i.e. the REE to TEE-protected hardware...

CVE-2025-44018

CVE-2025-44018 affects the GL.iNet GL-AXT1800 OTA Update mechanism (firmware 4.7.0). A specially crafted .tar enables a firmware downgrade, which a motivated attacker could trigger via a man‑in‑the‑middle scenario. Cisco Talos documents the vulnerable version (GL-AXT1800 4.7.0) and assigns CVSS v...

EUVD-2016-7800

Malware in sbrugna...

EUVD-2016-7802

Malware in sbrugna...

EUVD-2017-4782

Malware in sbrugna...

EUVD-2021-0071

Malware in sbrugna...

EUVD-2023-58563

Malicious code in bioql PyPI...

CVE-2023-6321

A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability...

CVE-2023-6321 Owlet Camera OS command injection

A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability...

CVE-2023-6321 Owlet Camera OS command injection

A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability...

CVE-2023-6321

The CVE-2023-6321 issue is described across connected sources as a command-injection vulnerability in the IOCTL handler that manages OTA updates on Owlet Cam OS. The underlying flaw allows an authenticated attacker to execute commands with root privileges, potentially taking full control of affec...

CVE-2021-41104

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

CVE-2021-41104

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

PYSEC-2021-351

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

Default credentials

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

PYSEC-2021-351

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

CVE-2021-41104

ESPHome’s web_server in versions 2021.9.1 and earlier is vulnerable to OTA updates without validating the configured HTTP basic auth credentials. The root cause is that OTA update requests bypass the user-defined username/password check. The issue is fixed in version 2021.9.2; as a workaround, di...