Total
1249 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46070 | 1 Automai | 1 Botmanager | 2026-01-21 | N/A | 9.8 CRITICAL |
| An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | |||||
| CVE-2025-13034 | 1 Haxx | 1 Curl | 2026-01-20 | N/A | 5.9 MEDIUM |
| When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | |||||
| CVE-2025-14819 | 1 Haxx | 1 Curl | 2026-01-20 | N/A | 5.3 MEDIUM |
| When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | |||||
| CVE-2025-68161 | 1 Apache | 1 Log4j | 2026-01-20 | N/A | 4.8 MEDIUM |
| The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates. | |||||
| CVE-2025-52598 | 1 Hanwhavision | 512 Knb-2000, Knb-2000 Firmware, Knb-5000n and 509 more | 2026-01-16 | N/A | 3.7 LOW |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | |||||
| CVE-2025-65291 | 1 Aqara | 6 Camera Hub G3, Camera Hub G3 Firmware, Hub M2 and 3 more | 2026-01-15 | N/A | 7.4 HIGH |
| Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring. | |||||
| CVE-2023-47537 | 1 Fortinet | 1 Fortios | 2026-01-14 | N/A | 4.8 MEDIUM |
| An improper certificate validation vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.6, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4 all versions allows a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the FortiLink communication channel between the FortiOS device and FortiSwitch. | |||||
| CVE-2025-30669 | 1 Zoom | 3 Meeting Software Development Kit, Workplace Desktop, Workplace Virtual Desktop Infrastructure | 2026-01-13 | N/A | 4.8 MEDIUM |
| Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access. | |||||
| CVE-2025-71063 | 2026-01-13 | N/A | 8.2 HIGH | ||
| Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | |||||
| CVE-2025-66001 | 2026-01-08 | N/A | 8.8 HIGH | ||
| NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. | |||||
| CVE-2024-30149 | 1 Hcltech | 1 Appscan Source | 2026-01-08 | N/A | 4.8 MEDIUM |
| HCL AppScan Source <= 10.6.0 does not properly validate a TLS/SSL certificate for an executable. | |||||
| CVE-2025-56231 | 1 Tonec | 1 Internet Download Manager | 2026-01-07 | N/A | 9.1 CRITICAL |
| Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections. | |||||
| CVE-2025-14022 | 1 Linecorp | 1 Line | 2026-01-07 | N/A | 7.7 HIGH |
| LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network processing, causing server certificate verification to be disabled for a significant portion of network traffic, which could allow a network-adjacent attacker to intercept or modify encrypted communications. | |||||
| CVE-2025-66491 | 1 Traefik | 1 Traefik | 2026-01-02 | N/A | 5.9 MEDIUM |
| Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3. | |||||
| CVE-2025-69412 | 2026-01-02 | N/A | 3.4 LOW | ||
| KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. | |||||
| CVE-2025-65830 | 1 Meatmeet | 1 Meatmeet | 2025-12-30 | N/A | 9.1 CRITICAL |
| Due to a lack of certificate validation, all traffic from the mobile application can be intercepted. As a result, an adversary located "upstream" can decrypt the TLS traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. | |||||
| CVE-2024-5261 | 1 Libreoffice | 1 Libreoffice | 2025-12-23 | N/A | 9.8 CRITICAL |
| Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4. | |||||
| CVE-2025-61729 | 1 Golang | 1 Go | 2025-12-19 | N/A | 7.5 HIGH |
| Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | |||||
| CVE-2024-29887 | 1 Serverpod | 1 Serverpod | 2025-12-19 | N/A | 7.4 HIGH |
| Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TSL certificates on all none web HTTP clients in the `serverpod_client` package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used. Upgrading to version `1.2.6` resolves this issue. | |||||
| CVE-2025-61727 | 1 Golang | 1 Go | 2025-12-18 | N/A | 6.5 MEDIUM |
| An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | |||||