Skip to main content

AWS

14 CVEs product

Monthly

CVE-2026-3337 Cargo MEDIUM PATCH This Month

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

AWS Aws Libcrypto Aws Lc Fips Sys Aws Lc Sys Red Hat +2
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-27702 npm CRITICAL POC PATCH Act Now

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal state. PoC and patch available.

AWS Budibase
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27700 npm HIGH PATCH This Week

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

AWS Hono
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-4960 HIGH This Week

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. [CVSS 7.8 HIGH]

macOS AWS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2019-25333 HIGH POC This Week

Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. [CVSS 7.5 HIGH]

AWS Path Traversal
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2020-37153 CRITICAL POC Act Now

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

AWS XSS Command Injection Astpp
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25492 PHP MEDIUM POC PATCH This Month

Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_images_Asset GraphQL mutation that allows authenticated users to bypass hostname validation and retrieve internal URLs by specifying domains resolving to private IP addresses. By uploading files with non-image extensions like .txt, attackers can bypass downstream validation to access sensitive data including AWS instance metadata credentials from the host system. Public exploit code exists for this vulnerability, though patches are available in versions 4.16.18 and 5.8.22.

AWS Craft Cms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2020-37114 MEDIUM POC This Month

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. [CVSS 4.3 MEDIUM]

AWS Information Disclosure Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22239 MEDIUM This Month

BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on behalf of affected organizations through specially crafted HTTP requests. This integrity issue requires no user interaction and could enable large-scale spam or phishing campaigns originating from compromised systems. No patch is currently available for this vulnerability.

AWS Bluvoyix
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22611 NuGet LOW PATCH Monitor

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input fie...

.NET AWS
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-61916 Maven HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS Gitlab Github +2
NVD GitHub
CVSS 3.1
7.9
EPSS
0.0%
CVE-2025-15115 MEDIUM This Month

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. [CVSS 6.5 MEDIUM]

AWS Authentication Bypass Petlibro
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-52454 HIGH This Week

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side Request Forgery attacks through the Amazon S3 Connector module, enabling resource location spoofing that could result in unauthorized access to internal systems and data exfiltration. Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected. EPSS score of 0.04% (12th percentile) indicates minimal observed exploitation activity, and no public exploit has been identified at time of analysis.

Salesforce SSRF Windows Linux AWS +1
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-20286 CRITICAL Act Now

Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.

Cisco Oracle Information Disclosure Authentication Bypass Azure +2
NVD
CVSS 3.1
9.9
EPSS
0.1%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

AWS Aws Libcrypto Aws Lc Fips Sys +4
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal state. PoC and patch available.

AWS Budibase
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

AWS Hono
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. [CVSS 7.8 HIGH]

macOS AWS Privilege Escalation
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. [CVSS 7.5 HIGH]

AWS Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

AWS XSS Command Injection +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_images_Asset GraphQL mutation that allows authenticated users to bypass hostname validation and retrieve internal URLs by specifying domains resolving to private IP addresses. By uploading files with non-image extensions like .txt, attackers can bypass downstream validation to access sensitive data including AWS instance metadata credentials from the host system. Public exploit code exists for this vulnerability, though patches are available in versions 4.16.18 and 5.8.22.

AWS Craft Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. [CVSS 4.3 MEDIUM]

AWS Information Disclosure Open Eclass Platform
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on behalf of affected organizations through specially crafted HTTP requests. This integrity issue requires no user interaction and could enable large-scale spam or phishing campaigns originating from compromised systems. No patch is currently available for this vulnerability.

AWS Bluvoyix
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input fie...

.NET AWS
NVD GitHub
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. [CVSS 6.5 MEDIUM]

AWS Authentication Bypass Petlibro
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side Request Forgery attacks through the Amazon S3 Connector module, enabling resource location spoofing that could result in unauthorized access to internal systems and data exfiltration. Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected. EPSS score of 0.04% (12th percentile) indicates minimal observed exploitation activity, and no public exploit has been identified at time of analysis.

Salesforce SSRF Windows +3
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.

Cisco Oracle Information Disclosure +4
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy