Monthly
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
IPv6 Pod traffic in Antrea dual-stack Kubernetes clusters transmits in plaintext despite IPsec encryption configuration, exposing inter-node communication to network eavesdropping. Affects Antrea versions prior to 2.6.0, 2.5.2, and 2.4.5 when dual-stack networking is enabled with trafficEncryptionMode: ipsec. Vendor-released patches are available across multiple stable branches. No public exploit identified at time of analysis, though the vulnerability bypasses intended encryption controls and could enable passive network monitoring in multi-tenant or untrusted network environments.
DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.
Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. [CVSS 6.5 MEDIUM]
Thinkplus Fu100 Firmware versions up to - is affected by missing encryption of sensitive data (CVSS 4.6).
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
IPv6 Pod traffic in Antrea dual-stack Kubernetes clusters transmits in plaintext despite IPsec encryption configuration, exposing inter-node communication to network eavesdropping. Affects Antrea versions prior to 2.6.0, 2.5.2, and 2.4.5 when dual-stack networking is enabled with trafficEncryptionMode: ipsec. Vendor-released patches are available across multiple stable branches. No public exploit identified at time of analysis, though the vulnerability bypasses intended encryption controls and could enable passive network monitoring in multi-tenant or untrusted network environments.
DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.
Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. [CVSS 6.5 MEDIUM]
Thinkplus Fu100 Firmware versions up to - is affected by missing encryption of sensitive data (CVSS 4.6).
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.