Monthly
Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.
Cleartext transmission of TLS-bound data in Deno's Node.js compatibility layer (versions >= 2.0.0, < 2.7.8) allows an on-path attacker to read and tamper with traffic an application believed was encrypted. When the default `autoSelectFamily` option is enabled and the first connection attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook tied to the dead handle, so the retry connection is never upgraded to TLS and any bytes written before the `secureConnect` event leave the host in plaintext. A full proof-of-concept is published in the vendor advisory (publicly available exploit code exists); the issue is fixed in Deno 2.7.8 and there is no public exploit identified in the wild at time of analysis.
Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).
HCL AION transmits backend service details over unencrypted HTTP channels under certain conditions, allowing authenticated local or adjacent-network attackers with limited privileges to intercept and read sensitive configuration data through man-in-the-middle attacks. The vulnerability requires user interaction and non-default network positioning, resulting in a CVSS score of 4.3 (low severity) with confirmed vendor awareness and advisory availability.
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive information to interception or unauthorized access. The vulnerability requires adjacent network access, high attack complexity, and user interaction, limiting real-world exploitation scope. No active exploitation has been confirmed at time of analysis.
Cleartext transmission in Foscam VD1 Video Doorbell (firmware before V5.3.13_1072) exposes Session Description Protocol (SDP) credentials and ICE candidates over unencrypted network channels, enabling on-path attackers to intercept media stream authentication tokens, hijack real-time video/audio feeds, and abuse Foscam's TURN relay infrastructure for unauthorized traffic routing. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation likelihood, though the network-accessible attack vector (AV:N) with no authentication requirement (PR:N) and low complexity (AC:L) creates risk in residential deployment scenarios where LAN or ISP-level interception is feasible.
Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).
Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.
EZVIZ App versions using legacy cloud feature modules with outdated API interfaces allow attackers to eavesdrop on network traffic and disclose sensitive video data. The vulnerability requires adjacent network access and high exploitation complexity, but affects all EZVIZ App versions until patched. Attackers can obtain video transmission data without authentication or user interaction by intercepting unencrypted or weakly encrypted API communications.
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.
Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.
Cleartext transmission of TLS-bound data in Deno's Node.js compatibility layer (versions >= 2.0.0, < 2.7.8) allows an on-path attacker to read and tamper with traffic an application believed was encrypted. When the default `autoSelectFamily` option is enabled and the first connection attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook tied to the dead handle, so the retry connection is never upgraded to TLS and any bytes written before the `secureConnect` event leave the host in plaintext. A full proof-of-concept is published in the vendor advisory (publicly available exploit code exists); the issue is fixed in Deno 2.7.8 and there is no public exploit identified in the wild at time of analysis.
Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).
HCL AION transmits backend service details over unencrypted HTTP channels under certain conditions, allowing authenticated local or adjacent-network attackers with limited privileges to intercept and read sensitive configuration data through man-in-the-middle attacks. The vulnerability requires user interaction and non-default network positioning, resulting in a CVSS score of 4.3 (low severity) with confirmed vendor awareness and advisory availability.
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive information to interception or unauthorized access. The vulnerability requires adjacent network access, high attack complexity, and user interaction, limiting real-world exploitation scope. No active exploitation has been confirmed at time of analysis.
Cleartext transmission in Foscam VD1 Video Doorbell (firmware before V5.3.13_1072) exposes Session Description Protocol (SDP) credentials and ICE candidates over unencrypted network channels, enabling on-path attackers to intercept media stream authentication tokens, hijack real-time video/audio feeds, and abuse Foscam's TURN relay infrastructure for unauthorized traffic routing. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation likelihood, though the network-accessible attack vector (AV:N) with no authentication requirement (PR:N) and low complexity (AC:L) creates risk in residential deployment scenarios where LAN or ISP-level interception is feasible.
Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).
Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.
EZVIZ App versions using legacy cloud feature modules with outdated API interfaces allow attackers to eavesdrop on network traffic and disclose sensitive video data. The vulnerability requires adjacent network access and high exploitation complexity, but affects all EZVIZ App versions until patched. Attackers can obtain video transmission data without authentication or user interaction by intercepting unencrypted or weakly encrypted API communications.
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.