Overview

  • Microsoft
  • Azure Identity SDK for .NET

10 Oct 2023
Published
14 Apr 2025
Updated

CVSS v3.1
HIGH (8.8)
EPSS
2.46%

KEV

Description

Azure Identity SDK Remote Code Execution Vulnerability

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

VDE-2026-064
METTLER TOLEDO: LabX Standard Report on External Component Analysis - v21.3

Multiple vulnerabilities have been discovered in LabX Standard v21.3.22. Most of the vulnerabilities are fixed in LabX Standard v21.4.23. The vulnerabilities CVE-2025-69419, CVE-2026-0915, CVE-2025-15467 and CVE-2025-58187 are not yet fixed. The fix will be available in the upcoming releases.
CVE-2025-68121, CVE-2018-15727, CVE-2025-15467, CVE-2023-36414, CVE-2024-0056, CVE-2025-68154, CVE-2026-24737, CVE-2021-24112, CVE-2025-58187, CVE-2025-9230, CVE-2025-15281, CVE-2026-21218, CVE-2026-26127, CVE-2026-26130, CVE-2026-0915, CVE-2026-2391, CVE-2026-22036, CVE-2024-43483, CVE-2023-29331, CVE-2025-69419, CVE-2025-46817

certvde.com/en/advisories/vde-

mettler-toledo.csaf-tp.certvde

  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Go standard library
  • crypto/tls
  • crypto/tls

05 Feb 2026
Published
29 Apr 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • sebhildebrandt
  • systeminformation

16 Dec 2025
Published
17 Dec 2025
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.05%

KEV

Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • Go standard library
  • crypto/x509
  • crypto/x509

29 Oct 2025
Published
20 Nov 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • nodejs
  • undici

14 Jan 2026
Published
22 Jan 2026
Updated

CVSS v3.1
MEDIUM (5.9)
EPSS
0.02%

KEV

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • qs

12 Feb 2026
Published
12 Feb 2026
Updated

CVSS v4.0
MEDIUM (6.3)
EPSS
0.05%

KEV

Description

### Summary

The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).

### Details

When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional `throwOnLimitExceeded` occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.

**Vulnerable code** (lib/parse.js: lines ~40-50):

```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
```

The `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays. This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).

### PoC

**Test 1 - Basic bypass:**

```
npm install qs
```

```js
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
  const result = qs.parse(payload, options);
  console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
  console.log('Limit enforced:', e.message); // Not thrown
}
```

**Configuration:**

- `comma: true`
- `arrayLimit: 5`
- `throwOnLimitExceeded: true`

Expected: Throws "Array limit exceeded" error.

Actual: Parses successfully, creating an array of length 26.

### Impact

Denial of Service (DoS) via memory exhaustion.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • OpenSSL
  • OpenSSL

27 Jan 2026
Published
12 May 2026
Updated

CVSS
Pending
EPSS
0.12%

KEV

Description

Issue summary: Calling the PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing a non-ASCII BMP code point can trigger a one-byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause memory corruption, which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing a write outside the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function.

Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application, and the attacker can only trigger a single zero-byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • redis
  • redis

03 Oct 2025
Published
03 Oct 2025
Updated

CVSS v3.1
HIGH (7.0)
EPSS
10.51%

KEV

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • The GNU C Library
  • glibc

15 Jan 2026
Published
20 Jan 2026
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks, and querying for a zero-valued network, in the GNU C Library from version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Statistics

  • 1 Post

Last activity: 10 hours ago

Overview

  • Microsoft
  • .NET 10.0

10 Feb 2026
Published
11 May 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.

Statistics

  • 1 Post

Last activity: 10 hours ago

Showing 71 to 80 of 89 CVEs