|
3101
|
10.0 |
CRITICAL
Network
|
-
|
-
|
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authenticati…
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-50086
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3102
|
8.6 |
HIGH
Network
|
-
|
-
|
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing …
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-50085
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3103
|
9.6 |
CRITICAL
Network
|
-
|
-
|
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an e…
|
CWE-862
Missing Authorization
|
CVE-2026-50084
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3104
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3…
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-50083
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3105
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Fun…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-50082
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3106
|
9.8 |
CRITICAL
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with a…
|
CWE-913
Improper Control of Dynamically-Managed Code Resources
|
CVE-2026-47210
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3107
|
10.0 |
CRITICAL
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the …
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-47140
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3108
|
8.6 |
HIGH
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to htt…
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-47139
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3109
|
5.3 |
MEDIUM
Adjacent
|
-
|
-
|
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes with…
|
CWE-789
Memory Allocation with Excessive Size Value
|
CVE-2026-44967
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3110
|
5.9 |
MEDIUM
Network
|
-
|
-
|
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks.
These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying deri…
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2017-20240
|
2026-06-13 02:16 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
