CWE-297

Improper Validation of Certificate with Host Mismatch

13 CVEs | Avg CVSS 6.7 | MITRE
Severity: 2 CRITICAL, 4 HIGH, 7 MEDIUM, 0 LOW
Public POC: 2 | In KEV: 0


CVE-2026-34477 | MEDIUM | PATCH | This Month

Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.

Tags: Apache, Java, Information Disclosure, Apache Log4J Core
References: NVD, GitHub
CVSS 4.0: 6.3 | EPSS: 0.1%
CVE-2025-59060 | MEDIUM | PATCH | This Month

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]

Tags: Apache Ranger
References: NVD
CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-26214 | HIGH | This Week

Galaxy FDS Android SDK version 3.0.8 and earlier disable TLS hostname verification by default, allowing attackers to perform man-in-the-middle attacks against applications using the library. All applications leveraging this SDK with default configuration are vulnerable to interception and modification of communications with Xiaomi FDS cloud storage, potentially compromising authentication credentials and file contents. No patch is currently available, and the affected open source project has reached end-of-life status.

Tags: Android, Apache, Tls
References: NVD, GitHub
CVSS 3.1: 7.4 | EPSS: 0.0%
CVE-2025-15079 | MEDIUM | POC | PATCH | This Month

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]

Tags: Ssh, Information Disclosure, Curl, Suse
References: NVD
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-68637 | CRITICAL | Act Now

Uniffle HTTP client (before 0.10.0) trusts all SSL certificates and disables hostname verification by default, exposing all REST API communication between the CLI and Coordinator to man-in-the-middle attacks.

Tags: Tls, Uniffle
References: NVD
CVSS 3.1: 9.1 | EPSS: 0.1%
CVE-2025-46408 | CRITICAL | POC | Act Now

An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tags: Authentication Bypass, Eagleeyes Lite
References: NVD, GitHub
CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2024-12925 | HIGH | This Month

Improper Validation of Certificate with Host Mismatch vulnerability in Akınsoft QR Menü allows HTTP Response Splitting (affected versions: 05.05 before v1.05.12). Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tags: Information Disclosure
References: NVD
CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2025-49015 | MEDIUM | PATCH | This Month

CVE-2025-49015 is a security vulnerability (CVSS 4.9). Remediation should follow standard vulnerability management procedures.

Tags: Information Disclosure, Debian, .Net Sdk
References: NVD, GitHub
CVSS 3.1: 4.9 | EPSS: 0.1%
CVE-2024-54019 | MEDIUM | This Month

A security vulnerability in Fortinet FortiClientWindows (CVSS 4.8) that allows an unauthorized attacker. Remediation should follow standard vulnerability management procedures.

Tags: Fortinet, Authentication Bypass, Forticlient Windows
References: NVD
CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2025-3501 | HIGH | PATCH | This Week

A flaw was found in Keycloak. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tags: Information Disclosure, Redhat
References: NVD, GitHub
CVSS 3.1: 8.2 | EPSS: 0.1%
