Total: 605 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14859 | | | 2026-04-07 | N/A | N/A |
| The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device. | |||||
| CVE-2026-5682 | | | 2026-04-07 | 2.6 LOW | 3.7 LOW |
| A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to the use of a risky cryptographic algorithm. The attack may be performed remotely. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-34950 | | | 2026-04-07 | N/A | 9.1 CRITICAL |
| fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched. | |||||
| CVE-2025-13916 | 3 Ibm, Linux, Microsoft | 3 Aspera Shares, Linux Kernel, Windows | 2026-04-06 | N/A | 5.9 MEDIUM |
| IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | |||||
| CVE-2026-25834 | 1 Arm | 1 Mbed Tls | 2026-04-06 | N/A | 6.5 MEDIUM |
| Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade. | |||||
| CVE-2026-20996 | 1 Samsung | 1 Smart Switch | 2026-03-31 | N/A | 5.3 MEDIUM |
| Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.69.15 allows remote attackers to configure a downgraded scheme for authentication. | |||||
| CVE-2019-25651 | | | 2026-03-30 | N/A | 8.3 HIGH |
| Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 uses AES-CBC encryption for device-to-controller communication, which contains cryptographic weaknesses that allow attackers to recover encryption keys from captured traffic. Attackers with adjacent network access can capture sufficient encrypted traffic and exploit AES-CBC mode vulnerabilities to derive the encryption keys, enabling unauthorized control and management of network devices. | |||||
| CVE-2026-28252 | 1 Trane | 5 Tracer Concierge, Tracer Sc, Tracer Sc\+ and 2 more | 2026-03-27 | N/A | 9.8 CRITICAL |
| A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device. | |||||
| CVE-2026-33512 | 1 Wwbn | 1 Avideo | 2026-03-25 | N/A | 7.5 HIGH |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch. | |||||
| CVE-2026-3598 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2026-03-25 | N/A | 7.5 HIGH |
| Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5. | |||||
| CVE-2026-30791 | 5 Apple, Google, Linux and 2 more | 6 Iphone Os, Macos, Android and 3 more | 2026-03-18 | N/A | 7.5 HIGH |
| Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig(). This issue affects RustDesk Client: through 1.4.5. | |||||
| CVE-2026-28490 | 1 Authlib | 1 Authlib | 2026-03-17 | N/A | 6.5 MEDIUM |
| Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9. | |||||
| CVE-2026-28479 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse. | |||||
| CVE-2025-41711 | | | 2026-03-11 | N/A | 5.3 MEDIUM |
| An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited access. | |||||
| CVE-2025-13476 | 1 Rakuten | 1 Viber | 2026-03-10 | N/A | 9.8 CRITICAL |
| Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327) | |||||
| CVE-2026-23601 | 1 Arubanetworks | 18 7010, 7030, 7205 and 15 more | 2026-03-09 | N/A | 5.4 MEDIUM |
| A vulnerability has been identified in the wireless encryption handling of Wi-Fi transmissions. A malicious actor can generate shared-key authenticated transmissions containing targeted payloads while impersonating the identity of a primary BSSID. Successful exploitation allows for the delivery of tampered data to specific endpoints, bypassing standard cryptographic separation. | |||||
| CVE-2025-14175 | 1 Tp-link | 2 Tl-wr820n, Tl-wr820n Firmware | 2026-03-08 | N/A | 6.5 MEDIUM |
| A vulnerability in the SSH server of TP-Link TL-WR820N v2.80 allows the use of a weak cryptographic algorithm, enabling an adjacent attacker to intercept and decrypt SSH traffic. Exploitation may expose sensitive information and compromise confidentiality. | |||||
| CVE-2025-66597 | 1 Yokogawa | 1 Fast\/tools | 2026-03-06 | N/A | 7.5 HIGH |
| A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. | |||||
| CVE-2025-66598 | 1 Yokogawa | 1 Fast\/tools | 2026-03-06 | N/A | 7.5 HIGH |
| A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports old SSL/TLS versions, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. | |||||
| CVE-2025-14480 | 1 Ibm | 1 Aspera Faspio Gateway | 2026-03-05 | N/A | 5.1 MEDIUM |
| IBM Aspera faspio Gateway 1.3.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | |||||
