Skip to main content

CWE-1059

Insufficient Technical Documentation

3 CVEs Avg CVSS 9.4 MITRE
2
CRITICAL
1
HIGH
0
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-59084 CRITICAL Act Now

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. It carries a CVSS 9.1 (C:H/I:H) but SSVC records exploitation as none, no public exploit identified at time of analysis, and the root cause is a documentation weakness (CWE-1059) rather than a code defect.

Information Disclosure Apache Tomcat Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-48035 npm HIGH PATCH GHSA This Week

Audit log tamper-resistance failure in @hulumi/baseline versions prior to 1.4.0 allows any S3-delete-capable principal in the AWS account to silently erase CloudTrail and AWS Config forensic records that the AccountFoundation construct was advertised to protect. Three compounding defects - hard-coded objectLock:false on the startup-hardened tier, unrestricted propagation of forceDestroy/logBucketForceDestroy to the audit bucket, and a sandbox tier that omitted Object Lock, server access logging, and the CloudTrail-Lake EventDataStore entirely - left consumers believing they had immutable audit capture when they did not. No public exploit identified at time of analysis, no CVSS or EPSS published, and the issue is a defense-in-depth/forensic-integrity weakness rather than a remote code execution path.

Information Disclosure
NVD GitHub
EPSS
0.0%
CVE-2022-3270 CRITICAL Act Now

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bus Module Cpx E Ep Firmware Bus Node Cpx Fb32 Firmware Bus Node Cpx Fb33 Firmware Bus Node Cpx Fb36 Firmware +95
NVD
CVSS 3.1
9.8
EPSS
1.1%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. It carries a CVSS 9.1 (C:H/I:H) but SSVC records exploitation as none, no public exploit identified at time of analysis, and the root cause is a documentation weakness (CWE-1059) rather than a code defect.

Information Disclosure Apache Tomcat +1
NVD VulDB
EPSS 0%
HIGH PATCH This Week

Audit log tamper-resistance failure in @hulumi/baseline versions prior to 1.4.0 allows any S3-delete-capable principal in the AWS account to silently erase CloudTrail and AWS Config forensic records that the AccountFoundation construct was advertised to protect. Three compounding defects - hard-coded objectLock:false on the startup-hardened tier, unrestricted propagation of forceDestroy/logBucketForceDestroy to the audit bucket, and a sandbox tier that omitted Object Lock, server access logging, and the CloudTrail-Lake EventDataStore entirely - left consumers believing they had immutable audit capture when they did not. No public exploit identified at time of analysis, no CVSS or EPSS published, and the issue is a defense-in-depth/forensic-integrity weakness rather than a remote code execution path.

Information Disclosure
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bus Module Cpx E Ep Firmware Bus Node Cpx Fb32 Firmware +97
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy