Skip to main content

IIS

5 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2026-1694 MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 fail to remove default IIS and ASP.NET HTTP headers during deployment of WebVue, WebScheduler, TouchVue, and SnapVue features, allowing unauthenticated remote attackers to gather sensitive server configuration details through information disclosure. This vulnerability requires user interaction and has no available patch at this time.

IIS .NET Pcvue
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-26335 CRITICAL POC Act Now

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.

IIS .NET RCE Deserialization Verasmart
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26333 CRITICAL Act Now

Unauthenticated .NET Remoting endpoint in Calero VeraSMART before 2022 R1. TCP port 8001 exposes default Object URIs enabling deserialization attacks. EPSS 0.17%.

IIS .NET RCE Verasmart
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2019-25345 HIGH POC This Week

Realtek IIS Codec Service 6.4.10041.133 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service configuration to inject malicious executables and escalate privileges on the system. [CVSS 7.8 HIGH]

IIS
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21962 CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS Http Server Weblogic Server Proxy Plug In
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-1694
EPSS 0% CVSS 4.3
MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 fail to remove default IIS and ASP.NET HTTP headers during deployment of WebVue, WebScheduler, TouchVue, and SnapVue features, allowing unauthenticated remote attackers to gather sensitive server configuration details through information disclosure. This vulnerability requires user interaction and has no available patch at this time.

IIS .NET Pcvue
NVD
CVE-2026-26335
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks and cookie forgery.

IIS .NET RCE +2
NVD Exploit-DB VulDB
CVE-2026-26333
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated .NET Remoting endpoint in Calero VeraSMART before 2022 R1. TCP port 8001 exposes default Object URIs enabling deserialization attacks. EPSS 0.17%.

IIS .NET RCE +1
NVD
CVE-2019-25345
EPSS 0% CVSS 7.8
HIGH POC This Week

Realtek IIS Codec Service 6.4.10041.133 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service configuration to inject malicious executables and escalate privileges on the system. [CVSS 7.8 HIGH]

IIS
NVD Exploit-DB
CVE-2026-21962
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy