Monthly
Credential disclosure in Devolutions Remote Desktop Manager versions 2026.2.0 through 2026.2.8 allows a low-privileged attacker to capture stored social login credentials by creating a crafted web entry targeting a provider lookalike domain. The social login autofill feature fails to properly validate the target host against the legitimate OAuth or social identity provider domain, causing stored credentials to be submitted to an attacker-controlled site when the victim user opens the malicious entry. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
TLS SNI hostname validation in aiohttp is silently bypassed when a keep-alive connection is reused from the connection pool, allowing per-request `server_hostname` overrides to be ignored on subsequent requests to the same host. Applications relying on dynamic per-request SNI to enforce tenant isolation, proxy routing, or custom certificate validation are at risk of connecting under the wrong TLS identity without any error raised. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in aiohttp 3.14.1.
Man-in-the-middle attack against OpenStack oslo.messaging 1.0.0 through 17.3.0 is possible because the RabbitMQ driver validates the certificate chain but skips TLS hostname verification, letting any cert signed by the deployment CA impersonate the broker. An attacker positioned on the control-plane network can intercept and tamper with RPC and notification traffic between OpenStack services, with no public exploit identified at time of analysis but a credible POC pathway documented in OSSN-0096.
Improper certificate hostname validation in the Apache Directory LDAP API client allows network-positioned attackers to impersonate LDAP servers and intercept authenticated directory traffic. The flaw was disclosed via the oss-security mailing list on 2026-06-01 and is tracked under CWE-297; no public exploit identified at time of analysis. With a CVSS 4.0 score of 8.8 and high confidentiality/integrity impact, the issue is significant for applications that rely on this library to connect to LDAP/LDAPS endpoints.
Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.
TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.
Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.
Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.
Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]
Credential disclosure in Devolutions Remote Desktop Manager versions 2026.2.0 through 2026.2.8 allows a low-privileged attacker to capture stored social login credentials by creating a crafted web entry targeting a provider lookalike domain. The social login autofill feature fails to properly validate the target host against the legitimate OAuth or social identity provider domain, causing stored credentials to be submitted to an attacker-controlled site when the victim user opens the malicious entry. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
TLS SNI hostname validation in aiohttp is silently bypassed when a keep-alive connection is reused from the connection pool, allowing per-request `server_hostname` overrides to be ignored on subsequent requests to the same host. Applications relying on dynamic per-request SNI to enforce tenant isolation, proxy routing, or custom certificate validation are at risk of connecting under the wrong TLS identity without any error raised. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in aiohttp 3.14.1.
Man-in-the-middle attack against OpenStack oslo.messaging 1.0.0 through 17.3.0 is possible because the RabbitMQ driver validates the certificate chain but skips TLS hostname verification, letting any cert signed by the deployment CA impersonate the broker. An attacker positioned on the control-plane network can intercept and tamper with RPC and notification traffic between OpenStack services, with no public exploit identified at time of analysis but a credible POC pathway documented in OSSN-0096.
Improper certificate hostname validation in the Apache Directory LDAP API client allows network-positioned attackers to impersonate LDAP servers and intercept authenticated directory traffic. The flaw was disclosed via the oss-security mailing list on 2026-06-01 and is tracked under CWE-297; no public exploit identified at time of analysis. With a CVSS 4.0 score of 8.8 and high confidentiality/integrity impact, the issue is significant for applications that rely on this library to connect to LDAP/LDAPS endpoints.
Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.
TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.
Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.
Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.
Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]