Skip to main content

CWE-1395

Dependency on Vulnerable Third-Party Component

11 CVEs Avg CVSS 7.3 MITRE
3
CRITICAL
5
HIGH
1
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-47906 HIGH This Week

Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.

RCE Dreamweaver Desktop
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2024-42206 LOW Monitor

HCL iReflection Third party vulnerable and outdated components issue was detected in the web application. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Ireflection
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-11159 CRITICAL PATCH Act Now

Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.

Information Disclosure Pentaho Data Integration And Analytics
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34652 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34654 MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Adobe
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2022-4988 HIGH This Week

Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Alien
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-59851 LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-15638 CRITICAL PATCH Act Now

Remote code execution with complete system compromise affects Net::Dropbear Perl module versions before 0.14 due to bundled vulnerable libtomcrypt library. The module ships with Dropbear 2019.78 or earlier containing libtomcrypt v1.18.1, inheriting CVE-2016-6129 (RSA signature forgery) and CVE-2018-12437 (RSA key recovery via side-channel). CVSS 10.0 reflects network-accessible attack with no authentication or user interaction required and complete confidentiality, integrity, and availability impact with scope change. CISA SSVC framework confirms automatable exploitation with total technical impact, though no active exploitation reported. Patch available in Net::Dropbear 0.14 with updated cryptographic dependencies.

Information Disclosure Suse
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2024-14031 HIGH PATCH This Week

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Sereal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-14030 HIGH PATCH This Week

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Sereal
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
EPSS 0% CVSS 8.6
HIGH This Week

Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.

RCE Dreamweaver Desktop
NVD
EPSS 0% CVSS 3.1
LOW Monitor

HCL iReflection Third party vulnerable and outdated components issue was detected in the web application. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Ireflection
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.

Information Disclosure Pentaho Data Integration And Analytics
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Adobe
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Adobe
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Alien
NVD GitHub
EPSS 0% CVSS 3.7
LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution with complete system compromise affects Net::Dropbear Perl module versions before 0.14 due to bundled vulnerable libtomcrypt library. The module ships with Dropbear 2019.78 or earlier containing libtomcrypt v1.18.1, inheriting CVE-2016-6129 (RSA signature forgery) and CVE-2018-12437 (RSA key recovery via side-channel). CVSS 10.0 reflects network-accessible attack with no authentication or user interaction required and complete confidentiality, integrity, and availability impact with scope change. CISA SSVC framework confirms automatable exploitation with total technical impact, though no active exploitation reported. Patch available in Net::Dropbear 0.14 with updated cryptographic dependencies.

Information Disclosure Suse
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Sereal
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Sereal
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy