High
CVSS: 7.6
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. W…
Medium
CVSS: 5.4
The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mit…
High
CVSS: 7.4
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthentic…
Medium
CVSS: 6.5
By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections.
Medium
CVSS: 5.9
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the Java runtime.
Medium
CVSS: 4.9
VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations.
Medium
CVSS: 5.3
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “O…
Medium
CVSS: 6.5
During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration.
High
CVSS: 8.7
IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an at…
Medium
CVSS: 4.4
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau 0.9.x derives numeric GIDs for Entra ID groups from the group display name when himmelblau.conf `id_attr_map = name` (the default configuration). Be…
Medium
CVSS: 5.7
In generateRandomPassword of LocalBluetoothLeBroadcast.java, there is a possible way to intercept the Auracast audio stream due to an insecure default value. This could lead to remote (proximal/adjacent) information disclosure with no addit…
Medium
CVSS: 5.5
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix the smbd_response slab to allow usercopy
The handling of received data in the smbdirect client code involves using
copy_to_iter() to copy data from the smbd_rep…
Critical
CVSS: 9.3
A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps,…
Critical
CVSS: 9.3
HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default con…
High
CVSS: 7.3
In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to cond…
High
CVSS: 8.8
An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface.
Critical
CVSS: 10.0
A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.
Medium
CVSS: 5.3
Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.
Critical
CVSS: 9.8
The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and multiple accounts (most with sudo access) that utilize the same default credentials. By default, Versa d…
Critical
CVSS: 9.3
The CS5000 Fire Panel is vulnerable due to a default account that exists
on the panel. Even though it is possible to change this by SSHing into
the device, it has remained unchanged on every installed system
observed. This account is not…