4519 matches found

OSV
added 2026/03/05 4:16 p.m., 3 views

CVE-2026-30795

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Heartbeat sync loop modules allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routine...

8.7 CVSS, 5.8 AI score
Exploits: 0, References: 3
NVD
added 2026/03/05 4:16 p.m., 4 views

CVE-2026-30783

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient Client signaling, API sync loop, config management modules allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.rs, src/hbbs_http/sync....

9.8 CVSS, 0.00139 EPSS
Exploits: 1, References: 3
Vulnrichment
added 2026/03/05 3:52 p.m., 4 views

CVE-2026-30783 RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient Client signaling, API sync loop, config management modules allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.rs, src/hbbs_http/sync....

8.8 CVSS, 5.8 AI score, 0.00139 EPSS
Exploits: 1, References: 3
ATTACKERKB
added 2026/03/05 3:52 p.m., 3 views

CVE-2026-30783

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient Client signaling, API sync loop, config management modules allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.rs, src/hbbs_http/sync....

8.8 CVSS, 5.9 AI score, 0.00139 EPSS
Exploits: 1, References: 4
CVE
added 2026/03/05 3:52 p.m., 10 views

CVE-2026-30783

CVE-2026-30783 affects rustdesk-client across Windows, macOS, Linux, iOS, Android, and WebClient up to version 1.4.5. The issue is tied to client signaling, API sync loop, and config handling, specifically in src/rendezvous_mediator.rs and src/hbbs_http/sync.rs. Root cause details and exact explo...

9.8 CVSS, 5.9 AI score, 0.00139 EPSS
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/03/05 3:30 p.m., 30 views

CVE-2026-30796 RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux Address book sync API modules allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling...

8.7 CVSS, 0.00024 EPSS
Exploits: 1, References: 3
Vulnrichment
added 2026/03/05 3:30 p.m., 1 views

CVE-2026-30796 RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux Address book sync API modules allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling...

8.7 CVSS, 5.8 AI score, 0.00024 EPSS
Exploits: 1, References: 3
CVE
added 2026/03/05 3:30 p.m., 7 views

CVE-2026-30796

CVE-2026-30796 affects RustDesk Server Pro (rustdesk-server-pro) on Windows, macOS, and Linux. The vulnerability lies in cleartext transmission within the Address Book Sync/Heartbeat API path, where the Heartbeat API handler accepts a preset address-book password in plaintext. Consequence: potent...

8.7 CVSS, 5.9 AI score, 0.00024 EPSS
Exploits: 1, References: 3, Affected Software: 1
Vulnrichment
added 2026/03/05 3:27 p.m., 3 views

CVE-2026-30795 RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Heartbeat sync loop modules allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routine...

8.7 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits: 1, References: 3
Cvelist
added 2026/03/05 3:14 p.m., 26 views

CVE-2026-30792 RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient Strategy sync, HTTP API client, config options engine modules allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files...

9.1 CVSS, 0.0007 EPSS
Exploits: 1, References: 3
Positive Technologies
added 2026/03/05 12:00 a.m., 2 views

PT-2026-23460

Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Heartbeat sync loop modules allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routin...

8.7 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits: 1, References: 2
Positive Technologies
added 2026/03/05 12:00 a.m., 5 views

PT-2026-23457

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient Strategy sync, HTTP API client, config options engine modules allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files...

9.1 CVSS, 5.9 AI score, 0.0007 EPSS
Exploits: 1, References: 2
OSV
added 2026/03/04 12:00 p.m., 0 views

RUSTSEC-2026-0036 `time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

6 AI score
Exploits: 0, References: 2
Tenable Nessus
added 2026/03/04 12:00 a.m., 1 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005513)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005513 advisory. In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo. ocfs2_global_read_info will initialize and schedule...

7.8 CVSS, 6.5 AI score, 0.00015 EPSS
Exploits: 0, References: 3
Tenable Nessus
added 2026/03/04 12:00 a.m., 2 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005413)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005413 advisory. In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode. In fimc_is_hw_change_mode,...

5.5 CVSS, 5.9 AI score, 0.0007 EPSS
Exploits: 0, References: 4
RedhatCVE
added 2026/03/03 1:48 a.m., 5 views

CVE-2025-58107

In Microsoft Exchange through 2019, Exchange ActiveSync EAS configurations on on-premises servers may transmit sensitive data from Samsung mobile devices in cleartext, including the user's name, e-mail address, device ID, bearer token, and base64-encoded password...

7.5 CVSS, 5.9 AI score, 0.00019 EPSS
Exploits: 0, References: 1
Tenable Nessus
added 2026/03/03 12:00 a.m., 2 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005805)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005805 advisory. In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode. In fimc_is_hw_change_mode,...

5.5 CVSS, 5.9 AI score, 0.0007 EPSS
Exploits: 0, References: 4
CVE
added 2026/03/02 12:00 a.m., 6 views

CVE-2025-58107

Microsoft Exchange Server (on-premises) up to 2019 is affected: Exchange ActiveSync (EAS) configurations may transmit cleartext data from Samsung devices, exposing user name, e-mail address, device ID, bearer token, and base64-encoded password. Root cause: unencrypted transmission within EAS conf...

7.5 CVSS, 5.9 AI score, 0.00019 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2026/02/28 1:55 a.m., 3 views

CVE-2026-27638

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budge...

7.1 CVSS, 5.9 AI score, 0.00039 EPSS
Exploits: 1, References: 1
EUVD
added 2026/02/27 7:29 p.m., 3 views

EUVD-2026-8905

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode...

7.1 CVSS, 5.9 AI score, 0.00039 EPSS
Exploits: 1, References: 4