CWE-323

Reusing a Nonce, Key Pair in Encryption

8 CVEs, average CVSS 7.3 (source: MITRE)
Severity breakdown: 1 Critical, 4 High, 3 Medium, 0 Low
1 with public PoC, 0 in CISA KEV


CVE-2026-5446 MEDIUM This Month

wolfSSL's ARIA-GCM cipher suites in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte nonce for every encrypted application-data record, enabling plaintext recovery through cryptanalytic attacks. This vulnerability affects only non-FIPS builds explicitly configured with --enable-aria and the proprietary MagicCrypto SDK (opt-in for Korean regulatory compliance). Authenticated remote attackers can exploit this to recover encrypted data, though AES-GCM implementations in the same product are unaffected due to independent invocation counters. No public exploit code or active exploitation had been identified at the time of analysis.

Tags: Information Disclosure
Sources: NVD, GitHub, VulDB
CVSS 4.0: 6.0 | EPSS: 0.0%
CVE-2026-3559 HIGH This Week

CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Protocol implementation, where a static nonce in the SRP authentication mechanism allows network-adjacent attackers to gain unauthorized access without credentials. With a CVSS score of 8.1 and requiring only local network access, attackers can achieve high confidentiality and integrity impact on the affected smart home infrastructure. No active exploitation (not in KEV), POC availability, or EPSS data is currently available.

Tags: Authentication Bypass, Hue Bridge
Sources: NVD
CVSS 3.0: 8.1 | EPSS: 0.0%
CVE-2026-3099 MEDIUM This Month

Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.

Tags: Authentication Bypass
Sources: NVD, VulDB
CVSS 3.1: 5.8 | EPSS: 0.1%
CVE-2026-25998 HIGH This Week

strongMan's credential encryption uses a static initialization vector with AES-CTR mode, causing all database fields to be encrypted with identical key streams. An attacker with database access can leverage publicly stored certificates to derive the key stream and decrypt stored private keys and EAP secrets. No patch is currently available for this high-severity vulnerability affecting strongSwan management deployments.

Tags: Information Disclosure, Strongman
Sources: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-59870 HIGH This Week

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application: the secret is never rotated, introducing a security risk. [CVSS 7.4 HIGH]

Tags: Information Disclosure, Myxalytics
Sources: NVD
CVSS 3.1: 7.4 | EPSS: 0.0%
CVE-2025-47345 HIGH This Week

A cryptographic issue may occur while encrypting license data. [CVSS 8.4 HIGH]

Tags: Information Disclosure, Qca6797aq Firmware, Sa7255p Firmware, Wsa8832 Firmware, Sa9000p Firmware, +101 more
Sources: NVD
CVSS 3.1: 8.4 | EPSS: 0.0%
CVE-2025-64767 CRITICAL PATCH This Week

hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of the Web Cryptography API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.

Tags: Information Disclosure
Sources: NVD, GitHub
CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2025-46632 MEDIUM POC This Month

Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: Tenda, Information Disclosure, Rx2 Pro Firmware
Sources: NVD
CVSS 3.1: 6.5 | EPSS: 0.3%