Total: 1302 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0872 | | | 2026-02-13 | N/A | N/A |
| Improper Certificate Validation vulnerability in Thales SafeNet Agent for Windows Logon on Windows allows Signature Spoofing by Improper Validation. This issue affects SafeNet Agent for Windows Logon: 4.0.0, 4.1.1, 4.1.2. | |||||
| CVE-2025-15557 | 1 Tp-link | 4 Tapo H100, Tapo H100 Firmware, Tapo P100 and 1 more | 2026-02-12 | N/A | 8.8 HIGH |
| An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | |||||
| CVE-2025-70029 | | | 2026-02-12 | N/A | 7.5 HIGH |
| An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options. | |||||
| CVE-2025-15573 | | | 2026-02-12 | N/A | 9.4 CRITICAL |
| The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices. | |||||
| CVE-2026-0228 | | | 2026-02-12 | N/A | N/A |
| An improper certificate validation vulnerability in PAN-OS allows users to connect Terminal Server Agents on Windows to PAN-OS using expired certificates even if the PAN-OS configuration would not normally permit them to do so. | |||||
| CVE-2025-15323 | 1 Tanium | 1 Tanos | 2026-02-10 | N/A | 3.7 LOW |
| Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | |||||
| CVE-2026-22613 | | | 2026-02-09 | N/A | 5.7 MEDIUM |
| The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented, potentially allowing an attacker to perform a man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3, which is available on the Eaton download center. | |||||
| CVE-2025-48393 | | | 2026-02-09 | N/A | 5.7 MEDIUM |
| The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented, potentially allowing an attacker to perform a man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton G4 PDU, which is available on the Eaton download center. | |||||
| CVE-2025-71063 | 1 Mrvladus | 1 Errands | 2026-02-05 | N/A | 8.2 HIGH |
| Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | |||||
| CVE-2026-1778 | | | 2026-02-03 | N/A | 5.9 MEDIUM |
| Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. | |||||
| CVE-2025-39205 | 1 Hitachienergy | 1 Microscada X Sys600 | 2026-01-30 | N/A | 6.5 MEDIUM |
| A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows a remote man-in-the-middle attack due to missing proper validation. | |||||
| CVE-2025-67229 | 1 Todesktop | 1 Builder | 2026-01-29 | N/A | 9.8 CRITICAL |
| An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1. This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | |||||
| CVE-2025-53869 | | | 2026-01-29 | N/A | 3.7 LOW |
| Multiple MFPs provided by Brother Industries, Ltd. do not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. | |||||
| CVE-2025-58188 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-13052 | 1 Asustor | 1 Data Master | 2026-01-28 | N/A | 5.9 MEDIUM |
| When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, through which the attacker may obtain the sensitive information of the SMTP. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42. | |||||
| CVE-2026-22250 | 1 Weblate | 1 Wlc | 2026-01-27 | N/A | 2.5 LOW |
| wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | |||||
| CVE-2026-22696 | | | 2026-01-27 | N/A | N/A |
| dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within dcap-qvl. The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it skips verifying the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report. An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes. All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected. The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report. Users of the `@phala/dcap-qvl-node` and `@phala/dcap-qvl-web` packages should switch to the pure JavaScript implementation, `@phala/dcap-qvl`. There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified. | |||||
| CVE-2025-11043 | | | 2026-01-26 | N/A | 7.4 HIGH |
| An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. | |||||
| CVE-2025-32057 | | | 2026-01-26 | N/A | 6.5 MEDIUM |
| The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 – 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. | |||||
| CVE-2025-30024 | 1 Axis | 1 Device Manager | 2026-01-23 | N/A | 6.8 MEDIUM |
| The communication protocol used between client and server had a flaw that could be leveraged to execute a man-in-the-middle attack. | |||||
