Skip to main content

Sinec Ins

33 CVEs product

Monthly

CVE-2026-46749 MEDIUM CISA This Month

Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.

Authentication Bypass Sinec Ins
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-46748 HIGH CISA This Week

Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Sinec Ins
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46747 MEDIUM CISA This Month

Path traversal in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 exposes arbitrary file system locations via the SFTP directory listing endpoint. An authenticated low-privileged network attacker can send a crafted path to GET /api/sftp/uploadFiles to read files outside the intended directory scope, resulting in unauthorized disclosure of file system contents. No active exploitation or public proof-of-concept has been identified at time of analysis; the impact is limited to confidentiality with no integrity or availability consequence.

Path Traversal Sinec Ins
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46746 HIGH CISA This Week

Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.

Command Injection Sinec Ins
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2024-46894 MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sinec Ins
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-46892 MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sinec Ins
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2024-46891 MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Sinec Ins
NVD
CVSS 4.0
6.9
EPSS
0.5%
CVE-2024-46890 CRITICAL Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Sinec Ins
NVD
CVSS 4.0
9.4
EPSS
0.7%
CVE-2024-46889 MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Sinec Ins
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2024-46888 CRITICAL Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Sinec Ins
NVD
CVSS 4.0
9.4
EPSS
0.9%
CVE-2023-48431 HIGH PATCH This Week

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Sinec Ins
NVD
CVSS 3.1
8.6
EPSS
0.6%
CVE-2023-48430 LOW PATCH Monitor

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sinec Ins
NVD
CVSS 3.1
2.7
EPSS
0.6%
CVE-2023-48429 LOW PATCH Monitor

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sinec Ins
NVD
CVSS 3.1
2.7
EPSS
0.6%
CVE-2023-48428 HIGH PATCH This Week

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Sinec Ins
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2023-48427 CRITICAL PATCH Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Sinec Ins
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2022-35256 MEDIUM POC This Month

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Node Js Llhttp Sinec Ins +1
NVD
CVSS 3.1
6.5
EPSS
2.6%
CVE-2022-35255 CRITICAL POC Act Now

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js Sinec Ins Debian Linux
NVD
CVSS 3.1
9.1
EPSS
1.9%
CVE-2022-32222 MEDIUM POC This Month

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

OpenSSL Node.js Information Disclosure Node Js Sinec Ins
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2022-32215 MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
68.8%
CVE-2022-32213 npm MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
42.0%
CVE-2022-32212 HIGH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Command Injection Node.js Node Js Debian Linux +2
NVD
CVSS 3.1
8.1
EPSS
5.9%
CVE-2022-2097 Cargo MEDIUM PATCH This Month

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

OpenSSL Information Disclosure Fedora Active Iq Unified Manager Clustered Data Ontap Antivirus Connector +7
NVD
CVSS 3.1
5.3
EPSS
4.4%
CVE-2022-2068 HIGH PATCH This Week

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection OpenSSL Debian Linux Fedora Sinec Ins +24
NVD
CVSS 3.1
7.3
EPSS
96.3%
CVE-2022-0396 MEDIUM PATCH This Month

BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bind Fedora H300s Firmware H500s Firmware +7
NVD
CVSS 3.1
5.3
EPSS
2.6%
CVE-2021-22945 CRITICAL POC PATCH Act Now

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Libcurl Fedora Cloud Backup Clustered Data Ontap +13
NVD
CVSS 3.1
9.1
EPSS
6.2%
CVE-2021-3749 npm HIGH POC PATCH MAL This Week

axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Axios Sinec Ins Goldengate
NVD GitHub
CVSS 3.1
7.5
EPSS
8.5%
CVE-2021-25217 HIGH POC PATCH This Week

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Dhcp Fedora Debian Linux Ruggedcom Rox Rx1400 Firmware +12
NVD
CVSS 3.1
7.4
EPSS
6.1%
CVE-2021-23841 Cargo MEDIUM PATCH This Month

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference OpenSSL Denial Of Service Debian Linux Nessus Network Monitor +20
NVD
CVSS 3.1
5.9
EPSS
7.5%
CVE-2021-23839 LOW PATCH Monitor

OpenSSL 1.0.2 supports SSLv2. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

OpenSSL Information Disclosure Business Intelligence Enterprise Manager For Storage Management Enterprise Manager Ops Center +4
NVD
CVSS 3.1
3.7
EPSS
3.0%
CVE-2021-23337 LIB HIGH POC PATCH THREAT This Week

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Code Injection Lodash Banking Corporate Lending Process Management +21
NVD GitHub
CVSS 3.1
7.2
EPSS
22.4%
CVE-2020-7793 npm HIGH POC PATCH This Week

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Ua Parser Js Sinec Ins
NVD GitHub
CVSS 3.1
7.5
EPSS
3.9%
CVE-2020-28168 npm MEDIUM POC PATCH MAL This Month

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js SSRF Axios Sinec Ins
NVD GitHub
CVSS 3.1
5.9
EPSS
2.3%
CVE-2020-12762 HIGH POC This Week

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Integer Overflow Json C Fedora Debian Linux +2
NVD GitHub
CVSS 3.1
7.8
EPSS
1.9%
EPSS 0% CVSS 4.9
MEDIUM This Month

Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.

Authentication Bypass Sinec Ins
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Sinec Ins
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Path traversal in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 exposes arbitrary file system locations via the SFTP directory listing endpoint. An authenticated low-privileged network attacker can send a crafted path to GET /api/sftp/uploadFiles to read files outside the intended directory scope, resulting in unauthorized disclosure of file system contents. No active exploitation or public proof-of-concept has been identified at time of analysis; the impact is limited to confidentiality with no integrity or availability consequence.

Path Traversal Sinec Ins
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.

Command Injection Sinec Ins
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sinec Ins
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sinec Ins
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Sinec Ins
NVD
EPSS 1% CVSS 9.4
CRITICAL Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Sinec Ins
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Sinec Ins
NVD
EPSS 1% CVSS 9.4
CRITICAL Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Sinec Ins
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Sinec Ins
NVD
EPSS 1% CVSS 2.7
LOW PATCH Monitor

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sinec Ins
NVD
EPSS 1% CVSS 2.7
LOW PATCH Monitor

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sinec Ins
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Sinec Ins
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Sinec Ins
NVD
EPSS 3% CVSS 6.5
MEDIUM POC This Month

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Node Js +3
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js +2
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

OpenSSL Node.js Information Disclosure +2
NVD
EPSS 69% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 42% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 6% CVSS 8.1
HIGH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Command Injection Node.js +4
NVD
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

OpenSSL Information Disclosure Fedora +9
NVD
EPSS 96% CVSS 7.3
HIGH PATCH This Week

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection OpenSSL Debian Linux +26
NVD
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bind Fedora +9
NVD
EPSS 6% CVSS 9.1
CRITICAL POC PATCH Act Now

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Libcurl Fedora +15
NVD
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Axios Sinec Ins +1
NVD GitHub
EPSS 6% CVSS 7.4
HIGH POC PATCH This Week

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Dhcp Fedora +14
NVD
EPSS 7% CVSS 5.9
MEDIUM PATCH This Month

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference OpenSSL Denial Of Service +22
NVD
EPSS 3% CVSS 3.7
LOW PATCH Monitor

OpenSSL 1.0.2 supports SSLv2. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

OpenSSL Information Disclosure Business Intelligence +6
NVD
EPSS 22% CVSS 7.2
HIGH POC PATCH THREAT This Week

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Code Injection +23
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Ua Parser Js Sinec Ins
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM POC PATCH This Month

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js SSRF Axios +1
NVD GitHub
EPSS 2% CVSS 7.8
HIGH POC This Week

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Integer Overflow Json C +4
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy