Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3390 vulnerabilities
CVE-2026-0828 (GCVE-0-2026-0828)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:47 – Updated: 2026-06-26 17:33
VLAI
Title
Kernel driver vulnerability in Safetica Endpoint Client
Summary
Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Safetica | Endpoint Client |
Affected:
10.5.75.0 , ≤ 10.5.75.0
(custom)
|
|
| Safetica | Endpoint Client |
Affected:
11.11.4.0 , ≤ 11.11.4.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T15:50:43.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/818729"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:33:10.210218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T17:33:16.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Endpoint Client",
"vendor": "Safetica",
"versions": [
{
"lessThanOrEqual": "10.5.75.0",
"status": "affected",
"version": "10.5.75.0",
"versionType": "custom"
}
]
},
{
"product": "Endpoint Client",
"vendor": "Safetica",
"versions": [
{
"lessThanOrEqual": "11.11.4.0",
"status": "affected",
"version": "11.11.4.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kernel driver ProcessMonitorDriver.sys in Safetica\u0027s endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-269 Improper Privilege Management",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:47:32.364Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.safetica.com/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Kernel driver vulnerability in Safetica Endpoint Client",
"x_generator": {
"engine": "VINCE 3.0.43",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0828"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-0828",
"datePublished": "2026-06-26T15:47:32.364Z",
"dateReserved": "2026-01-09T19:21:20.617Z",
"dateUpdated": "2026-06-26T17:33:16.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0685 (GCVE-0-2026-0685)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:45 – Updated: 2026-06-26 17:36
VLAI
Title
Server side template inject (SSTI) in Edgewall Genshi Template Engine
Summary
Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Edgewall *Genshi* | Genshi |
Affected:
0 , ≤ 0.7.9
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T15:50:40.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/244846"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:36:09.734967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T17:36:14.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Genshi",
"vendor": "Edgewall *Genshi*",
"versions": [
{
"lessThanOrEqual": "0.7.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:45:11.283Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/edgewall/genshi/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server side template inject (SSTI) in Edgewall Genshi Template Engine",
"x_generator": {
"engine": "VINCE 3.0.43",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0685"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-0685",
"datePublished": "2026-06-26T15:45:11.283Z",
"dateReserved": "2026-01-07T19:12:01.099Z",
"dateUpdated": "2026-06-26T17:36:14.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11919 (GCVE-0-2025-11919)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:39 – Updated: 2026-06-26 17:40
VLAI
Title
Unprotected temporary directories in Wolfram Cloud may result in privilege escalation
Summary
The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wolfram Research Inc. | Cloud |
Affected:
14.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T15:49:25.791Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/553375"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11919",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:39:58.284281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T17:40:10.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cloud",
"vendor": "Wolfram Research Inc.",
"versions": [
{
"status": "affected",
"version": "14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker\u0027s code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:11:46.925Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unprotected temporary directories in Wolfram Cloud may result in privilege escalation",
"x_generator": {
"engine": "VINCE 3.0.43",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11919"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-11919",
"datePublished": "2026-06-26T15:39:41.353Z",
"dateReserved": "2025-10-17T14:38:44.831Z",
"dateUpdated": "2026-06-26T17:40:10.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5757 (GCVE-0-2026-5757)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:15 – Updated: 2026-06-26 18:38
VLAI
Title
There exists an unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine
Summary
Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T15:52:23.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/518910"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:37:59.802606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:38:23.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ollama",
"vendor": "Ollama AI",
"versions": [
{
"status": "affected",
"version": "v0.13.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated remote information disclosure vulnerability in Ollama\u0027s model quantization engine allows an attacker to read and exfiltrate the server\u0027s heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-416 Use After Free",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:15:28.464Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/518910"
},
{
"url": "https://ollama.com"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "There exists an unauthenticated remote information disclosure vulnerability in Ollama\u0027s model quantization engine",
"x_generator": {
"engine": "VINCE 3.0.43",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5757"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5757",
"datePublished": "2026-06-26T15:15:28.464Z",
"dateReserved": "2026-04-07T16:59:20.290Z",
"dateUpdated": "2026-06-26T18:38:23.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8050 (GCVE-0-2026-8050)
Vulnerability from cvelistv5 – Published: 2026-06-17 21:05 – Updated: 2026-06-18 13:14
VLAI
Title
CVE-2026-8050
Summary
In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/380058 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SignalRGB | SignalRGB kernel driver |
Affected:
0 , < 1.3.7.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8050",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T13:14:27.020614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:14:31.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SignalRGB kernel driver",
"vendor": "SignalRGB",
"versions": [
{
"lessThan": "1.3.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T21:05:32.448Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/380058"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8050",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8050"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8050",
"datePublished": "2026-06-17T21:05:32.448Z",
"dateReserved": "2026-05-06T17:40:15.269Z",
"dateUpdated": "2026-06-18T13:14:31.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8049 (GCVE-0-2026-8049)
Vulnerability from cvelistv5 – Published: 2026-06-17 21:05 – Updated: 2026-06-18 13:12
VLAI
Title
CVE-2026-8049
Summary
In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/380058 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SignalRGB | SignalRGB kernel driver |
Affected:
0 , < 1.3.7.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T13:12:10.123796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:12:38.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SignalRGB kernel driver",
"vendor": "SignalRGB",
"versions": [
{
"lessThan": "1.3.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SignalRGB versions prior to 1.3.7.0, the \\\\.\\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T21:05:25.402Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/380058"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8049",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8049"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8049",
"datePublished": "2026-06-17T21:05:25.402Z",
"dateReserved": "2026-05-06T17:40:03.996Z",
"dateUpdated": "2026-06-18T13:12:38.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9648 (GCVE-0-2026-9648)
Vulnerability from cvelistv5 – Published: 2026-06-11 14:30 – Updated: 2026-06-11 15:39
VLAI
Title
CVE-2026-9648
Summary
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Haskell Programming Language | crypton-certificate |
Affected:
0 , < 1.9.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-11T15:10:30.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/862559"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T15:39:09.493112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T15:39:31.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "crypton-certificate",
"vendor": "Haskell Programming Language",
"versions": [
{
"lessThan": "1.9.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA\u2019s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-295: Improper Certificate Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:30:30.800Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/kazu-yamamoto/crypton-certificate/pull/30"
},
{
"url": "https://github.com/kazu-yamamoto/crypton-certificate/pull/30/changes/f4b77edf6ead77f4a886da40e41eab20f0180e39"
},
{
"url": "https://hackage.haskell.org/package/crypton-x509-validation-1.9.1/revisions/"
},
{
"url": "https://github.com/haskell/security-advisories/pull/332"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9648",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9648"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9648",
"datePublished": "2026-06-11T14:30:30.800Z",
"dateReserved": "2026-05-26T19:26:04.460Z",
"dateUpdated": "2026-06-11T15:39:31.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8863 (GCVE-0-2026-8863)
Vulnerability from cvelistv5 – Published: 2026-06-09 18:10 – Updated: 2026-06-10 15:16
VLAI
Title
CVE-2026-8863
Summary
Multiple Microsoft-sigend UEFI SHIM bootloaders are vulnerable to SecureBoot bypass. An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Specific UEFI DBX update is required to block these vulnerable boot loaders.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
| https://kb.cert.org/vuls/id/616257 | third-party-advisory |
| https://www.kb.cert.org/vuls/id/616257 |
Impacted products
14 products
| Vendor | Product | Version | |
|---|---|---|---|
| Oracle Corporation | OracleLinux(7.2) shim |
Affected:
0.9
|
|
| PC-Doctor | Service Center Enterprise |
Affected:
14 , ≤ 17.0.7536.900
(custom)
|
|
| PC-Doctor | Service Center Drive Erase |
Affected:
15 , ≤ 17.0.7538.592
(custom)
|
|
| PC-Doctor | Service Center Japan |
Affected:
15 , ≤ 17.0.7539.904
(custom)
|
|
| PC-Doctor | Service Center |
Affected:
14 , ≤ 17.0.7535.900
(custom)
|
|
| PC-Doctor | Network Factory for Linux (Bootable Diagnostics) |
Affected:
6.9 , ≤ 6.20.7711.267
(custom)
|
|
| PC-Doctor | Factory for Linux (Bootable Diagnostics) |
Affected:
6.9 , ≤ 6.20.7710.267
(custom)
|
|
| Spyrus | WTGCreator |
Affected:
4.2
|
|
| Blancco UK | WhiteCanyon WipeDrive |
Affected:
8.0.0 , ≤ 8.1.3
(custom)
|
|
| baramundi software | baramundi Management Suite |
Affected:
* , ≤ 2024R1
(custom)
|
|
| SUSE Linux | OpenSUSE shim |
Affected:
0.9
|
|
| Finland Matriculation Board | Abitti 1 |
Affected:
1.0.0
|
|
| NTC IT ROSA LLC | RosaLinux |
Affected:
R9
|
|
| NTC IT ROSA LLC | RosaLinux |
Affected:
R10
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:03:03.811729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:03:21.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-09T19:41:27.054Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/616257"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OracleLinux(7.2) shim",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "0.9"
}
]
},
{
"product": "Service Center Enterprise",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "17.0.7536.900",
"status": "affected",
"version": "14",
"versionType": "custom"
}
]
},
{
"product": "Service Center Drive Erase",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "17.0.7538.592",
"status": "affected",
"version": "15",
"versionType": "custom"
}
]
},
{
"product": "Service Center Japan",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "17.0.7539.904",
"status": "affected",
"version": "15",
"versionType": "custom"
}
]
},
{
"product": "Service Center",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "17.0.7535.900",
"status": "affected",
"version": "14",
"versionType": "custom"
}
]
},
{
"product": "Network Factory for Linux (Bootable Diagnostics)",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "6.20.7711.267",
"status": "affected",
"version": "6.9",
"versionType": "custom"
}
]
},
{
"product": "Factory for Linux (Bootable Diagnostics)",
"vendor": "PC-Doctor",
"versions": [
{
"lessThanOrEqual": "6.20.7710.267",
"status": "affected",
"version": "6.9",
"versionType": "custom"
}
]
},
{
"product": "WTGCreator",
"vendor": "Spyrus",
"versions": [
{
"status": "affected",
"version": "4.2"
}
]
},
{
"product": "WhiteCanyon WipeDrive",
"vendor": "Blancco UK",
"versions": [
{
"lessThanOrEqual": "8.1.3",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"product": "baramundi Management Suite",
"vendor": "baramundi software",
"versions": [
{
"lessThanOrEqual": "2024R1",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
},
{
"product": "OpenSUSE shim",
"vendor": "SUSE Linux",
"versions": [
{
"status": "affected",
"version": "0.9"
}
]
},
{
"product": "Abitti 1",
"vendor": "Finland Matriculation Board",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
},
{
"product": "RosaLinux",
"vendor": "NTC IT ROSA LLC",
"versions": [
{
"status": "affected",
"version": "R9"
}
]
},
{
"product": "RosaLinux",
"vendor": "NTC IT ROSA LLC",
"versions": [
{
"status": "affected",
"version": "R10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to Martin Smolar of ESET for discovering and reporting this vulnerability"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple Microsoft-sigend UEFI SHIM bootloaders are vulnerable to SecureBoot bypass. An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Specific UEFI DBX update is required to block these vulnerable boot loaders."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T15:16:35.228Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "Microsoft Vendor Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8863"
},
{
"name": "CERT/CC Vulnerability Notice",
"tags": [
"third-party-advisory"
],
"url": "https://kb.cert.org/vuls/id/616257"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CVE-2026-8863",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8863"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8863",
"datePublished": "2026-06-09T18:10:15.426Z",
"dateReserved": "2026-05-18T19:41:10.790Z",
"dateUpdated": "2026-06-10T15:16:35.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10045 (GCVE-0-2026-10045)
Vulnerability from cvelistv5 – Published: 2026-06-09 18:09 – Updated: 2026-06-09 19:09
VLAI
Title
CVE-2026-10045
Summary
Shenzhen Kangda Xin Intelligent Network Technology Company's router, model DR300, version 2.1.2.121, contains hardcoded login credentials and has telnet enabled by default on WAN and LAN interfaces. These vulnerabilities allow attackers to read and write to memory, modify firmware stored in flash, inspect active connections, and view currently connected devices.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Shenzhen Kangda Xin Intelligent Network Technology Co., Ltd | DR300 |
Affected:
2.1.2.121
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-10045",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:09:40.667720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:09:45.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://rubenabreu.xyz/post/temu-routers-and-their-implications"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DR300",
"vendor": "Shenzhen Kangda Xin Intelligent Network Technology Co., Ltd",
"versions": [
{
"status": "affected",
"version": "2.1.2.121"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shenzhen Kangda Xin Intelligent Network Technology Company\u0027s router, model DR300, version 2.1.2.121, contains hardcoded login credentials and has telnet enabled by default on WAN and LAN interfaces. These vulnerabilities allow attackers to read and write to memory, modify firmware stored in flash, inspect active connections, and view currently connected devices."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-1188 Insecure Default Initialization of Resource",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:09:56.599Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://rubenabreu.xyz/post/temu-routers-and-their-implications"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10045",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10045"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10045",
"datePublished": "2026-06-09T18:09:56.599Z",
"dateReserved": "2026-05-28T21:12:31.476Z",
"dateUpdated": "2026-06-09T19:09:45.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8888 (GCVE-0-2026-8888)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:16 – Updated: 2026-06-04 19:48
VLAI
Title
CVE-2026-8888
Summary
Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T19:48:22.314942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T19:48:31.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1333",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:18:13.249Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8888",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8888"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8888",
"datePublished": "2026-06-03T18:16:25.264Z",
"dateReserved": "2026-05-18T20:40:05.298Z",
"dateUpdated": "2026-06-04T19:48:31.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8889 (GCVE-0-2026-8889)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:15 – Updated: 2026-06-10 19:00
VLAI
Title
CVE-2026-8889
Summary
Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T19:49:34.564362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T19:00:10.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-328",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:15:15.450Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8889",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8889"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8889",
"datePublished": "2026-06-03T18:15:15.450Z",
"dateReserved": "2026-05-18T20:43:53.154Z",
"dateUpdated": "2026-06-10T19:00:10.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8881 (GCVE-0-2026-8881)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:13 – Updated: 2026-06-04 17:25
VLAI
Title
CVE-2026-8881
Summary
Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:25:31.107400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:25:48.030Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:13:14.217Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8881",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8881"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8881",
"datePublished": "2026-06-03T18:13:14.217Z",
"dateReserved": "2026-05-18T20:32:53.054Z",
"dateUpdated": "2026-06-04T17:25:48.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8879 (GCVE-0-2026-8879)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:11 – Updated: 2026-06-04 14:13
VLAI
Title
CVE-2026-8879
Summary
Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-829 Inclusion of Functionality from Untrusted Control Sphere
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T14:12:27.850403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:13:20.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly\u0027s servers are unreachable, pages remain indefinitely hidden."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:11:04.269Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8879",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8879"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8879",
"datePublished": "2026-06-03T18:11:04.269Z",
"dateReserved": "2026-05-18T20:29:18.234Z",
"dateUpdated": "2026-06-04T14:13:20.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8878 (GCVE-0-2026-8878)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:09 – Updated: 2026-06-04 14:18
VLAI
Title
CVE-2026-8878
Summary
Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T14:18:41.000614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:18:55.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:09:04.115Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8878",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8878"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8878",
"datePublished": "2026-06-03T18:09:04.115Z",
"dateReserved": "2026-05-18T20:27:44.651Z",
"dateUpdated": "2026-06-04T14:18:55.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8876 (GCVE-0-2026-8876)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:07 – Updated: 2026-06-04 14:20
VLAI
Title
CVE-2026-8876
Summary
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T14:20:09.967341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:20:24.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-321",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:07:13.200Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8876",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8876"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8876",
"datePublished": "2026-06-03T18:07:13.200Z",
"dateReserved": "2026-05-18T20:27:18.596Z",
"dateUpdated": "2026-06-04T14:20:24.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8874 (GCVE-0-2026-8874)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:03 – Updated: 2026-06-04 14:43
VLAI
Title
CVE-2026-8874
Summary
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-319 Cleartext Transmission of Sensitive Information
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , < 3.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T14:42:14.501953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:43:00.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThan": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:03:04.592Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8874",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8874"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8874",
"datePublished": "2026-06-03T18:03:04.592Z",
"dateReserved": "2026-05-18T20:26:19.787Z",
"dateUpdated": "2026-06-04T14:43:00.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10629 (GCVE-0-2026-10629)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:35 – Updated: 2026-06-03 15:19
VLAI
Title
CVE-2026-10629
Summary
SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-02T15:23:02.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/615987"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-10629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T15:19:08.539555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:19:11.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VoLTE",
"vendor": "Verizon",
"versions": [
{
"status": "affected",
"version": "UNKNOWN"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-346 Origin Validation Error",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-523 Missing Transport Layer Protection",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:35:07.902Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.3gpp.org/DynReport/33203.htm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10629",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10629"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10629",
"datePublished": "2026-06-02T14:35:07.902Z",
"dateReserved": "2026-06-02T14:31:31.922Z",
"dateUpdated": "2026-06-03T15:19:11.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7299 (GCVE-0-2026-7299)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:07 – Updated: 2026-06-02 18:17
VLAI
Title
CVE-2026-7299
Summary
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-02T15:23:03.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/265691"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7299",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:17:27.406510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:17:31.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Appsmith",
"vendor": "Appsmith",
"versions": [
{
"lessThan": "2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Appsmith\u2019s SQL query editor\u2019s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:07:52.626Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh"
},
{
"url": "https://github.com/appsmithorg/appsmith/pull/41666"
},
{
"url": "https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit"
},
{
"url": "https://github.com/appsmithorg/appsmith/releases/tag/v2.1"
},
{
"url": "https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-7299",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7299"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7299",
"datePublished": "2026-06-02T14:07:52.626Z",
"dateReserved": "2026-04-28T11:32:21.296Z",
"dateUpdated": "2026-06-02T18:17:31.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10621 (GCVE-0-2026-10621)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:03 – Updated: 2026-06-02 19:27
VLAI
Title
CVE-2026-10621
Summary
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.10 , < 2025.10.9
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.11 , < 2025.11.7
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.02 , < 2026.02.6
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.03 , < 2026.03.4
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.04 , < 2024.04.5
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2026.03 , < 2026.03.356
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2025.10 , < 2025.10.399
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-10621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T19:27:35.294894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:27:51.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.9",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.11.7",
"status": "affected",
"version": "2025.11",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.02.6",
"status": "affected",
"version": "2026.02",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.4",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2024.04.5",
"status": "affected",
"version": "2026.04",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.356",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.399",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-73 External Control of File Name or Path",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:03:35.360Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.collibra.com/"
},
{
"url": "https://kb.cert.org/vuls/id/873170"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10621",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10621"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10621",
"datePublished": "2026-06-02T14:03:35.360Z",
"dateReserved": "2026-06-02T13:58:49.342Z",
"dateUpdated": "2026-06-02T19:27:51.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10622 (GCVE-0-2026-10622)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:01 – Updated: 2026-06-02 18:48
VLAI
Title
CVE-2026-10622
Summary
Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/* endpoints.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Collibra | Collibra Platform (on-prem) |
Affected:
2026.03 , < 2026.03.356
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2025.10 , < 2025.10.399
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.04 , < 2026.04.5
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.03 , < 2026.03.4
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.02 , < 2026.02.6
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.11 , < 2025.11.7
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.10 , < 2025.10.9
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-10622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:47:28.416220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:48:35.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.356",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.399",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.04.5",
"status": "affected",
"version": "2026.04",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.4",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.02.6",
"status": "affected",
"version": "2026.02",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.11.7",
"status": "affected",
"version": "2025.11",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.9",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed \u0027/rest/* endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-287 Improper Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:01:06.148Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.collibra.com/"
},
{
"url": "https://kb.cert.org/vuls/id/873170"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10622",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10622"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10622",
"datePublished": "2026-06-02T14:01:06.148Z",
"dateReserved": "2026-06-02T13:59:47.508Z",
"dateUpdated": "2026-06-02T18:48:35.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8501 (GCVE-0-2026-8501)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:25 – Updated: 2026-06-01 18:55
VLAI
Title
CVE-2026-8501
Summary
Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-782 - Exposed IOCTL with Insufficient Access Control
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Symantec | PC Tools Internet Security |
Affected:
*
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:20:00.476148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-782",
"description": "CWE-782 Exposed IOCTL with Insufficient Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:20:05.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-01T18:55:01.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/158530"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PC Tools Internet Security",
"vendor": "Symantec",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-782: Exposed IOCTL with Insufficient Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:25:11.611Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules"
},
{
"url": "https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language"
},
{
"url": "https://kb.cert.org/vuls/id/158530"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8501",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8501"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8501",
"datePublished": "2026-06-01T16:25:11.611Z",
"dateReserved": "2026-05-13T20:56:16.307Z",
"dateUpdated": "2026-06-01T18:55:01.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-4991 (GCVE-0-2022-4991)
Vulnerability from cvelistv5 – Published: 2026-06-01 15:49 – Updated: 2026-06-02 15:47
VLAI
Title
Tychon is vulnerable to privilege escalation due to OPENSSLDIR location
Summary
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:46:50.993076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:47:22.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tychon",
"vendor": "Tychon",
"versions": [
{
"lessThan": "1.7.857.82",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:49:12.319Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/730007"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Tychon is vulnerable to privilege escalation due to OPENSSLDIR location",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2022-4991"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-4991",
"datePublished": "2026-06-01T15:49:12.319Z",
"dateReserved": "2026-06-01T15:45:57.665Z",
"dateUpdated": "2026-06-02T15:47:22.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9098 (GCVE-0-2026-9098)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:31 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9098
Summary
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:50:28.631307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:43.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-346 Origin Validation Error",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:31:42.767Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9098",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9098"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9098",
"datePublished": "2026-05-28T16:31:42.767Z",
"dateReserved": "2026-05-20T15:05:20.584Z",
"dateUpdated": "2026-06-02T16:43:43.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9097 (GCVE-0-2026-9097)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:29 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9097
Summary
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:49:45.590863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:52.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:29:06.752Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9097",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9097"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9097",
"datePublished": "2026-05-28T16:29:06.752Z",
"dateReserved": "2026-05-20T15:05:12.699Z",
"dateUpdated": "2026-06-02T16:43:52.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9096 (GCVE-0-2026-9096)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:27 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9096
Summary
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:49:11.329944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:58.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:27:15.206Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9096",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9096"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9096",
"datePublished": "2026-05-28T16:27:15.206Z",
"dateReserved": "2026-05-20T15:05:04.383Z",
"dateUpdated": "2026-06-02T16:43:58.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9095 (GCVE-0-2026-9095)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-05-28 17:07
VLAI
Title
CVE-2026-9095
Summary
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 Authentication Bypass by Capture-replay
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:07:35.384837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:07:58.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:17.364Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9095",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9095"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9095",
"datePublished": "2026-05-28T16:25:17.364Z",
"dateReserved": "2026-05-20T15:04:41.651Z",
"dateUpdated": "2026-05-28T17:07:58.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9094 (GCVE-0-2026-9094)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-06-02 16:44
VLAI
Title
CVE-2026-9094
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:48:34.407679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:44:07.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token\u0027s user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:09.055Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9094",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9094"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9094",
"datePublished": "2026-05-28T16:25:09.055Z",
"dateReserved": "2026-05-20T15:04:30.259Z",
"dateUpdated": "2026-06-02T16:44:07.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9093 (GCVE-0-2026-9093)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:21 – Updated: 2026-06-02 16:44
VLAI
Title
CVE-2026-9093
Summary
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:47:55.475804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:44:14.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-863 Incorrect Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:21:50.192Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9093",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9093"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9093",
"datePublished": "2026-05-28T16:21:50.192Z",
"dateReserved": "2026-05-20T15:04:21.545Z",
"dateUpdated": "2026-06-02T16:44:14.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9092 (GCVE-0-2026-9092)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:20 – Updated: 2026-06-01 16:56
VLAI
Title
CVE-2026-9092
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:56:52.782321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:56:56.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:20:45.547Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9092",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9092"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9092",
"datePublished": "2026-05-28T16:20:45.547Z",
"dateReserved": "2026-05-20T15:04:14.204Z",
"dateUpdated": "2026-06-01T16:56:56.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9091 (GCVE-0-2026-9091)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:19 – Updated: 2026-05-29 19:01
VLAI
Title
CVE-2026-9091
Summary
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:01:45.674578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:01:52.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a logic flaw in the social\u2011login binding flow that allows users to bypass configured MFA requirements. The binding\u2011rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:19:39.239Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9091",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9091"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9091",
"datePublished": "2026-05-28T16:19:39.239Z",
"dateReserved": "2026-05-20T15:04:03.933Z",
"dateUpdated": "2026-05-29T19:01:52.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}