Total
1274 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-40702 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-07-03 | 8.2 High |
| IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation. | ||||
| CVE-2025-34066 | 2025-07-03 | N/A | ||
| An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks. | ||||
| CVE-2020-35509 | 1 Redhat | 2 Keycloak, Red Hat Single Sign On | 2025-06-30 | 5.4 Medium |
| A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||
| CVE-2024-5921 | 1 Paloaltonetworks | 1 Globalprotect | 2025-06-27 | 8.8 High |
| An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint. Please subscribe to our RSS feed https://security.paloaltonetworks.com/rss.xml to be alerted to new updates to this and other advisories. | ||||
| CVE-2025-4947 | 2 Curl, Haxx | 2 Curl, Curl | 2025-06-26 | 6.5 Medium |
| libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. | ||||
| CVE-2024-0853 | 1 Haxx | 1 Curl | 2025-06-20 | 5.3 Medium |
| curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. | ||||
| CVE-2023-33757 | 1 Splicecom | 2 Ipcs, Ipcs2 | 2025-06-20 | 5.9 Medium |
| A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack. | ||||
| CVE-2025-29885 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-29884 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-29883 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-22486 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2023-50356 | 1 Areal-topkapi | 1 Vision Server | 2025-06-17 | 6.5 Medium |
| SSL connections to some LDAP servers are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacker to gather sensitive information and prevent valid users from login. | ||||
| CVE-2023-28807 | 1 Zscaler | 1 Secure Internet And Saas Access | 2025-06-17 | 5.1 Medium |
| In Zscaler Internet Access (ZIA) a mismatch between Connect Host and Client Hello's Server Name Indication (SNI) enables attackers to evade network security controls by hiding their communications within legitimate traffic. | ||||
| CVE-2023-6043 | 1 Lenovo | 1 Vantage | 2025-06-17 | 7.8 High |
| A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges. | ||||
| CVE-2023-33760 | 1 Splicecom | 1 Maximiser Soft Pbx | 2025-06-17 | 5.3 Medium |
| SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack. | ||||
| CVE-2023-33295 | 1 Cohesity | 1 Cohesity Dataplatform | 2025-06-17 | 6.5 Medium |
| Cohesity DataProtect prior to 6.8.1_u5 or 7.1 was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation. | ||||
| CVE-2025-22874 | 2025-06-16 | 7.5 High | ||
| Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. | ||||
| CVE-2025-32407 | 1 Samsung | 1 Internet | 2025-06-12 | 5.9 Medium |
| Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration in the way the browser validates the identity of the server. It negates the use of HTTPS as a secure channel, allowing for Man-in-the-Middle attacks, stealing sensitive information or modifying incoming and outgoing traffic. NOTE: This vulnerability is in an end-of-life product that is no longer maintained by the vendor. | ||||
| CVE-2018-1000500 | 1 Busybox | 1 Busybox | 2025-06-09 | 6.5 Medium |
| Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | ||||
| CVE-2021-22924 | 8 Debian, Fedoraproject, Haxx and 5 more | 55 Debian Linux, Fedora, Libcurl and 52 more | 2025-06-09 | 3.7 Low |
| libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. | ||||