
219 matches found

OSV
added 5 days ago, 3 views

UBUNTU-CVE-2026-12249

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services AD CS certificate auto-enrollment via the vendored Samba client script internal/policies/certificate/python/vendorsamba/gp/gpcertautoenrollext.py, ADSys utilizes a plaintext...

CVSS 9.5, AI score 6, EPSS 0.00111
Exploits 0, References 2
NVD
added 2026/06/15 10:16 a.m., 11 views

CVE-2026-11860

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

CVSS 7.5, EPSS 0.00235
Exploits 0, References 2
RedhatCVE
added 2026/06/05 7:40 p.m., 7 views

CVE-2026-25599

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

CVSS 6.3, AI score 5.6, EPSS 0.00114
Exploits 0, References 1
CVE
added 2026/06/04 12:07 p.m., 13 views

CVE-2026-45432

The CVE-2026-45432 entry describes a vulnerability in GX Earth ONT models where user credentials are transmitted in cleartext over HTTP in the device’s web management interface. This allows a remote attacker who can intercept network traffic to obtain sensitive authentication data, potentially le...

CVSS 8.7, AI score 5.8, EPSS 0.00244
Exploits 0, References 1
EUVD
added 2026/06/03 12:00 a.m., 11 views

EUVD-2026-34149

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials...

CVSS 5.9, AI score 5.8, EPSS 0.00147
Exploits 0, References 1
CNNVD
added 2026/06/03 12:00 a.m., 6 views

Synology Note Station Client security vulnerability

Synology Note Station Client is a desktop note application developed by Synology, a Chinese company. It supports note synchronization, knowledge management, and offline editing. Versions of Synology Note Station Client prior to 2.2.4-703 contained security vulnerabilities. These vulnerabilities...

CVSS 5.9, AI score 5.4, EPSS 0.0013
Exploits 0, References 1
CVE
added 2026/06/03 12:00 a.m., 11 views

CVE-2026-36610

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding; the firmware contains no TLS, enabling man-in-the-middle interception of DDNS credentials.

CVSS 5.9, AI score 5.8, EPSS 0.00147
Exploits 0, References 1
NVD
added 2026/06/01 11:16 a.m., 14 views

CVE-2026-25599

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...

CVSS 6.3, EPSS 0.00114
Exploits 0, References 1
CNNVD
added 2026/06/01 12:00 a.m., 7 views

Orca Energija Orca heat pump security vulnerability

Orca Energija Orca heat pump is a series of air-to-water heat pump systems developed by Orca Energija. There are security vulnerabilities in Orca Energija Orca heat pumps. These vulnerabilities stem from the lack of authentication and plaintext data transmission. Combined with the absence of...

CVSS 6.3, AI score 5.3, EPSS 0.00114
Exploits 0, References 1
OSV
added 2026/05/26 8:09 a.m., 15 views

MAL-2026-4787 Malicious code in @autofleet/rabbit (npm)

Source: amazon-inspector a766d89a5ed19491bd107e5d31c79fbbe7a9be9bce2a957b290408fb9f54140c. The package's compiled entry dist/index.js:48 defines let host = process.env.RABBITMQSERVICEHOST || '35.240.13.28' and then connects via...

AI score 5.9
Exploits 0, References 1
Snyk
added 2026/05/21 8:35 p.m., 10 views

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute through the setTokenCookie function in the authentication service. An attacker can steal or replay the refreshtoken by intercepting it over plaintext HTTP o...

CVSS 5.4, AI score 5.7, EPSS 0.00099
Exploits 0, References 2
OSV
added 2026/05/20 2:05 a.m., 7 views

MAL-2026-4557 Malicious code in ezymail (npm)

Source: amazon-inspector ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c. The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass (Gmail App Password) to a...

AI score 5.9
Exploits 0, References 6
OSSF Malicious Packages
added 2026/05/14 6:32 p.m., 13 views

Malicious code in @aiscene/aiserver (npm)

Source: amazon-inspector 5afe7de709fb18909451ff49a02f133f248fb0dc0688709251c924038effc6dc. On load, dist/index.js unconditionally instantiates new AIServer and calls server.start at module top level (no require.main === module guard), so simp...

AI score 6.4
Exploits 0, References 6
CNNVD
added 2026/05/14 12:00 a.m., 9 views

KDDI あんしんフィルター for au security vulnerability

KDDI AnShin Filter for au is a content filtering and parental control service provided by the KDDI company for mobile devices. KDDI AnShin Filter for au has a security vulnerability. This vulnerability stems from the transmission of sensitive information in plaintext, which may allow intermediate...

CVSS 6.3, AI score 5.8, EPSS 0.00092
Exploits 0, References 1
CNNVD
added 2026/05/14 12:00 a.m., 9 views

Foscam VD1 Video Doorbell security vulnerability

The Foscam VD1 Video Doorbell is a smart video doorbell from the American company Foscam, capable of supporting high-definition video surveillance and two-way voice communication. Versions of the Foscam VD1 Video Doorbell prior to V5.3.131072 contained security vulnerabilities. These...

CVSS 5.3, AI score 5.8, EPSS 0.00131
Exploits 0, References 2
Positive Technologies
added 2026/04/22 12:00 a.m., 5 views

PT-2026-34540

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

CVSS 9.3, AI score 6.1, EPSS 0.00389
Exploits 0, References 8
OSV
added 2026/04/16 11:36 p.m., 5 views

BIT-APISIX-2026-31924 Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX: the tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue...

CVSS 5.3, AI score 5.7, EPSS 0.00238
Exploits 0, References 3
CNNVD
added 2026/04/14 12:00 a.m., 7 views

Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise security vulnerability

Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise are security orchestration, automation, and response software developed by Fortinet, a US-based company. Both versions of Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise have security vulnerabilities that stem from the transmissi...

CVSS 7.5, AI score 5.8, EPSS 0.00172
Exploits 0, References 1
CNNVD
added 2026/03/23 12:00 a.m., 5 views

HCCTG MPOS M6 PLUS security vulnerability

HCCTG MPOS M6 PLUS is a mobile payment terminal device developed by HCCTG Corporation. The HCCTG MPOS M6 PLUS 1V.31-N version contains a security vulnerability, which stems from the Cardholder Data Handler component transmitting sensitive information in plaintext...

CVSS 3.1, AI score 5.8, EPSS 0.00163
Exploits 0, References 4
CNNVD
added 2026/03/07 12:00 a.m., 3 views

Mendi Neurofeedback Headset security vulnerability

The Mendi Neurofeedback Headset is a brain training device developed by the Swedish company Mendi. The Mendi Neurofeedback Headset V4 version has a security vulnerability, which stems from the Bluetooth low-power processor component transmitting sensitive information in plaintext...

CVSS 3.1, AI score 5.8, EPSS 0.00163
Exploits 0, References 4