Total
1329 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68121 | 2 Go Standard Library, Golang | 2 Crypto Tls, Go | 2026-02-20 | 7.4 High |
| During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. | ||||
| CVE-2026-24935 | 1 Asustor | 2 Adm, Data Master | 2026-02-19 | 5.6 Medium |
| A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | ||||
| CVE-2026-24934 | 1 Asustor | 2 Adm, Data Master | 2026-02-19 | 3.7 Low |
| The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | ||||
| CVE-2026-24933 | 1 Asustor | 2 Adm, Data Master | 2026-02-19 | 5.9 Medium |
| The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | ||||
| CVE-2026-24932 | 1 Asustor | 2 Adm, Data Master | 2026-02-19 | 5.9 Medium |
| The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user's account email, MD5 hashed password, and device serial number.This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. | ||||
| CVE-2025-65753 | 1 Gryphon | 1 Guardian Gryphon | 2026-02-19 | 7.5 High |
| An issue in the TLS certification mechanism of Guardian Gryphon v01.06.0006.22 allows attackers to execute commands as root. | ||||
| CVE-2026-24734 | 2 Apache, Apache Tomcat | 3 Tomcat, Tomcat Native, Apache Tomcat | 2026-02-18 | 7.4 High |
| Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue. | ||||
| CVE-2025-20670 | 1 Mediatek | 46 Mt2737, Mt6813, Mt6835 and 43 more | 2026-02-17 | 5.7 Medium |
| In Modem, there is a possible permission bypass due to improper certificate validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with User execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01334347; Issue ID: MSV-2772. | ||||
| CVE-2025-9293 | 2 Tp-link, Tp Link | 14 Aginet App, Deco App, Festa App and 11 more | 2026-02-13 | N/A |
| A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data. | ||||
| CVE-2026-0872 | 1 Thales | 1 Safenet Agent For Windows Logon | 2026-02-13 | N/A |
| Improper Certificate Validation vulnerability in Thales SafeNet Agent for Windows Logon on Windows allows Signature Spoofing by Improper Validation.This issue affects SafeNet Agent for Windows Logon: 4.0.0, 4.1.1, 4.1.2. | ||||
| CVE-2026-25160 | 1 Alistgo | 1 Alist | 2026-02-13 | 9.1 Critical |
| Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. | ||||
| CVE-2025-48802 | 1 Microsoft | 7 Windows 11 22h2, Windows 11 22h2, Windows 11 23h2 and 4 more | 2026-02-13 | 6.5 Medium |
| Improper certificate validation in Windows SMB allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-15557 | 1 Tp-link | 4 Tapo H100, Tapo H100 Firmware, Tapo P100 and 1 more | 2026-02-12 | 8.8 High |
| An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | ||||
| CVE-2025-70029 | 1 Sunbird-ed | 1 Sunbirded-portal | 2026-02-12 | 7.5 High |
| An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options | ||||
| CVE-2025-15573 | 2 Solax, Solax Power | 5 Pocket Wifi 3, Pocket Wifi+4gm, Pocket Wifi+lan and 2 more | 2026-02-12 | 9.4 Critical |
| The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices. | ||||
| CVE-2026-0228 | 1 Palo Alto Networks | 3 Cloud Ngfw, Pan-os, Prisma Access | 2026-02-12 | N/A |
| An improper certificate validation vulnerability in PAN-OS allows users to connect Terminal Server Agents on Windows to PAN-OS using expired certificates even if the PAN-OS configuration would not normally permit them to do so. | ||||
| CVE-2025-15323 | 1 Tanium | 1 Tanos | 2026-02-10 | 3.7 Low |
| Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | ||||
| CVE-2026-22613 | 1 Eaton | 1 Network M3 | 2026-02-10 | 5.7 Medium |
| The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3 which is available on the Eaton download center. | ||||
| CVE-2025-48393 | 1 Eaton | 1 G4 Pdu | 2026-02-09 | 5.7 Medium |
| The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton G4 PDU which is available on the Eaton download center. | ||||
| CVE-2025-71063 | 1 Mrvladus | 1 Errands | 2026-02-05 | 8.2 High |
| Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | ||||