|
541
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allo…
|
CWE-200
Information Exposure
|
CVE-2026-6046
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
542
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-cod…
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2026-50091
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
543
|
9.3 |
CRITICAL
Network
|
-
|
-
|
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper…
|
CWE-1289
Improper Validation of Unsafe Equivalence in Input
|
CVE-2026-50090
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
544
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:…
|
CWE-601
Open Redirect
|
CVE-2026-50089
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
545
|
8.2 |
HIGH
Network
|
-
|
-
|
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: P…
|
CWE-942
Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-50088
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
546
|
8.2 |
HIGH
Network
|
-
|
-
|
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and h…
|
CWE-942
Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-50087
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
547
|
10.0 |
CRITICAL
Network
|
-
|
-
|
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authenticati…
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-50086
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
548
|
8.6 |
HIGH
Network
|
-
|
-
|
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing …
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-50085
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
549
|
9.6 |
CRITICAL
Network
|
-
|
-
|
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an e…
|
CWE-862
Missing Authorization
|
CVE-2026-50084
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
550
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3…
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-50083
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
