Skip to main content

Waf Asp

3 CVEs product

Monthly

CVE-2026-4767 CRITICAL Act Now

Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).

Authentication Bypass Waf Asp
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-4772 MEDIUM This Month

Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.

XSS Waf Asp
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-4770 MEDIUM This Month

DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.

XSS Waf Asp
NVD
CVSS 3.1
4.6
EPSS
0.1%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).

Authentication Bypass Waf Asp
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.

XSS Waf Asp
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.

XSS Waf Asp
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy