Total: 1322 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-6662 | 1 Google | 1 Chrome | 2026-02-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Google Chrome caches TLS sessions before certificate validation occurs. | |||||
| CVE-2026-25644 | 1 Datahub | 1 Datahub | 2026-02-20 | N/A | 7.5 HIGH |
| DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to a man-in-the-middle (MITM) attack through TLS downgrade. This issue has been patched in version 1.3.1.8. | |||||
| CVE-2026-25961 | 1 Sumatrapdfreader | 1 Sumatrapdf | 2026-02-20 | N/A | 7.5 HIGH |
| SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker holding any certificate that chains to a trusted root, regardless of the name it was issued for (e.g., a Let's Encrypt certificate for an attacker-controlled domain), can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution. | |||||
| CVE-2026-24122 | 1 Sigstore | 1 Cosign | 2026-02-20 | N/A | 3.7 LOW |
| Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate whose validity ends before the leaf certificate's is treated as valid during verification even when the supplied timestamp falls after the issuing certificate's expiry. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain at the leaf certificate's "not before" time and only later checks the leaf's expiry against a signed timestamp from the Rekor transparency log or a timestamp authority, or against the current time; the root and all issuing certificates are assumed to be valid throughout the leaf certificate's validity period. There is no impact to users of the public Sigstore infrastructure; private deployments with customized PKIs may be affected. This issue has been fixed in version 3.0.5. | |||||
| CVE-2026-24935 | 1 Asustor | 1 Data Master | 2026-02-19 | N/A | 5.6 MEDIUM |
| A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | |||||
| CVE-2026-24934 | 1 Asustor | 1 Data Master | 2026-02-19 | N/A | 3.7 LOW |
| The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | |||||
| CVE-2026-24933 | 1 Asustor | 1 Data Master | 2026-02-19 | N/A | 5.9 MEDIUM |
| The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. This improper certificate validation allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack and read the decrypted communication, potentially exposing sensitive user information, including account emails, MD5-hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | |||||
| CVE-2026-24932 | 1 Asustor | 1 Data Master | 2026-02-19 | N/A | 5.9 MEDIUM |
| The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, the improperly validated TLS/SSL certificate allows a remote attacker to intercept the communication in a Man-in-the-Middle (MitM) attack and obtain sensitive information from the DDNS update process, including the user's account email, MD5-hashed password, and device serial number. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. | |||||
| CVE-2025-20670 | 1 Mediatek | 46 Mt2737, Mt6813, Mt6835 and 43 more | 2026-02-17 | N/A | 5.7 MEDIUM |
| In Modem, there is a possible permission bypass due to improper certificate validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with User execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01334347; Issue ID: MSV-2772. | |||||
| CVE-2026-25160 | 1 Alistgo | 1 Alist | 2026-02-13 | N/A | 9.1 CRITICAL |
| Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. | |||||
| CVE-2025-15557 | 1 Tp-link | 4 Tapo H100, Tapo H100 Firmware, Tapo P100 and 1 more | 2026-02-12 | N/A | 8.8 HIGH |
| An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | |||||
| CVE-2025-15323 | 1 Tanium | 1 Tanos | 2026-02-10 | N/A | 3.7 LOW |
| Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | |||||
| CVE-2025-71063 | 1 Mrvladus | 1 Errands | 2026-02-05 | N/A | 8.2 HIGH |
| Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | |||||
| CVE-2025-39205 | 1 Hitachienergy | 1 Microscada X Sys600 | 2026-01-30 | N/A | 6.5 MEDIUM |
| A vulnerability exists in the IEC 61850 component of the MicroSCADA X SYS600 product. The TLS certificate validation lacks proper checks, allowing a remote Man-in-the-Middle attack. | |||||
| CVE-2025-67229 | 1 Todesktop | 1 Builder | 2026-01-29 | N/A | 9.8 CRITICAL |
| An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1. This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | |||||
| CVE-2025-58188 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-13052 | 1 Asustor | 1 Data Master | 2026-01-28 | N/A | 5.9 MEDIUM |
| When the user sets the Notification sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to carry out a man-in-the-middle (MITM) attack and obtain sensitive information from the SMTP session. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42. | |||||
| CVE-2026-22250 | 1 Weblate | 1 Wlc | 2026-01-27 | N/A | 2.5 LOW |
| wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | |||||
| CVE-2025-30024 | 1 Axis | 1 Device Manager | 2026-01-23 | N/A | 6.8 MEDIUM |
| The communication protocol used between client and server had a flaw that could be leveraged to execute a man-in-the-middle attack. | |||||
| CVE-2024-50394 | 1 Qnap | 1 Helpdesk | 2026-01-22 | N/A | 8.8 HIGH |
| An improper certificate validation vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: Helpdesk 3.3.3 and later | |||||
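Two of the bug classes in this list reduce to what a verifier passes in `x509.VerifyOptions`: the time at which every certificate in the chain must be valid (the Cosign entry, CVE-2026-24122) and whether the leaf is checked against the expected hostname (the SumatraPDF and Asustor DDNS entries). The Go program below is an added example written for this page, not code from Cosign, Sigstore or any vendor listed above. It builds a hypothetical in-memory PKI (the CA name, serials, hostname `signer.example.test` and all dates are invented) whose issuing CA expires before the leaf it signed, verifies the same chain anchored at the leaf's NotBefore and then anchored at a signing timestamp that falls after the issuer's expiry, and separately shows the hostname check rejecting a certificate issued for another name. The leaf is a TLS server certificate so that Go's `DNSName` check applies; the validity-window logic is the same for a signing certificate chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed (hypothetical) validity windows: the issuing CA is deliberately
// shorter-lived than the leaf, and the signing time falls in the gap between.
var (
	baseTime       = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	issuerNotAfter = baseTime.Add(30 * 24 * time.Hour)
	leafNotAfter   = baseTime.Add(365 * 24 * time.Hour)
	signedAt       = baseTime.Add(60 * 24 * time.Hour)
)

const leafHost = "signer.example.test" // hypothetical SAN in the leaf
type testPKI struct{ issuer, leaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert signs tmpl with signer (parent == tmpl gives a self-signed cert) and parses the DER back.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// buildPKI issues a self-signed issuing CA and a leaf under it, entirely in memory.
func buildPKI() testPKI {
	issuerKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issuerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: baseTime, NotAfter: issuerNotAfter, // expires before the leaf it signs
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	issuer := mustCert(issuerTmpl, issuerTmpl, &issuerKey.PublicKey, issuerKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafHost},
		DNSNames:  []string{leafHost},
		NotBefore: baseTime, NotAfter: leafNotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return testPKI{issuer, mustCert(leafTmpl, issuer, &leafKey.PublicKey, issuerKey)}
}

// verifyAt validates the chain at the single instant `at` and requires the leaf
// to be issued for `host`, the hostname check several entries above disable.
func verifyAt(p testPKI, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.issuer)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// verdict labels Go's error types. An issuer expired at `at` surfaces as
// UnknownAuthorityError whose expiry hint is unexported, hence the text match.
func verdict(err error) string {
	var inv x509.CertificateInvalidError
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "hostname"
	case errors.As(err, &inv) && inv.Reason == x509.Expired, // leaf outside its window
		errors.As(err, &ua) && strings.Contains(err.Error(), "expired"): // issuer outside its window
		return "expired"
	}
	return "other: " + err.Error()
}

// bothPolicies checks one chain two ways: anchored at the leaf's NotBefore (the
// accepting behaviour the Cosign advisory describes) and at the signing time.
func bothPolicies(p testPKI, host string, at time.Time) (atNotBefore, atTimestamp string) {
	return verdict(verifyAt(p, host, p.leaf.NotBefore)), verdict(verifyAt(p, host, at))
}

func main() {
	p := buildPKI()
	a, b := bothPolicies(p, leafHost, signedAt)
	fmt.Println("at leaf NotBefore:", a, "| at signing time:", b) // ok | expired
	fmt.Println("wrong hostname:", verdict(verifyAt(p, "evil.example.test", baseTime))) // hostname
}
```

Anchoring the whole chain at the leaf's NotBefore accepts the chain because the issuer was still valid on that day; anchoring it at the signing timestamp rejects it, which is the check a verifier needs when the timestamp, not the leaf's own window, is the claimed signing time. Note that Go reports an expired CA as `UnknownAuthorityError` (with the expiry only in the message), not as `CertificateInvalidError`, so code that classifies verification failures must handle both. The hostname case shows why `DNSName` (or an equivalent explicit name check) must be set: without it, any certificate chaining to the trusted pool passes, which is exactly the situation the SumatraPDF and Asustor entries describe.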
