Exploit Database

146,884 exploits tracked across all sources.

Sort: Activity Stars
CVE-2026-39315 WRITEUP MEDIUM
Unhead <2.1.13 hasDangerousProtocol() - Protocol Filter Bypass
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.
CVSS 6.1
CVE-2026-40087 WRITEUP MEDIUM
LangChain has incomplete f-string validation in prompt templates
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.
CVSS 5.3
CVE-2026-4436 WRITEUP HIGH
GPL Odorizers GPL750 Missing Authentication for Critical Function
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.
CVSS 8.6
CVE-2025-15346 WRITEUP CRITICAL
wolfssl-py <= 5.8.2 - Improper Authentication via Missing WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT Flag
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2.
CVE-2025-15346 WRITEUP CRITICAL
wolfssl-py <= 5.8.2 - Improper Authentication via Missing WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT Flag
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2.
CVE-2025-13912 WRITEUP LOW
wolfSSL < 5.8.4 - Timing Side-Channel Information Disclosure via LLVM Optimization
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.
CVE-2024-1545 WRITEUP MEDIUM
WolfSSL wolfssl5.6.6 - Privilege Escalation
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
CVSS 5.9
CVE-2024-1544 WRITEUP MEDIUM
wolfssl < 5.7.2 - Observable Discrepancy in ECDSA Nonce Generation
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
CVSS 4.1
CVE-2025-12889 WRITEUP MEDIUM
wolfssl - Improper Input Validation in TLS 1.2 Digest Handling
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest.
CVSS 5.4
CVE-2025-12888 WRITEUP HIGH
Xtensa-based ESP32 - Timing Side Channel
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa.
CVSS 7.5
CVE-2025-11936 WRITEUP MEDIUM
wolfssl 5.8.2-5.8.3 - Unauthenticated Denial of Service via TLS 1.3 KeyShareEntry Parsing
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing.
CVSS 5.3
CVE-2025-11935 WRITEUP HIGH
wolfssl 5.8.2-5.8.3 - Inadequate Encryption Strength via TLS 1.3 PSK Without PFS
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.
CVSS 7.5
CVE-2025-11934 WRITEUP LOW
wolfSSL 5.8.2-5.8.4 - TLS 1.3 CertificateVerify Signature Algorithm Downgrade
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.
CVSS 2.7
CVE-2025-11933 WRITEUP MEDIUM
wolfssl 5.8.2-5.8.4 - Unauthenticated Denial of Service via TLS 1.3 CKS Extension Parsing
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions.
CVSS 6.5
CVE-2025-11932 WRITEUP MEDIUM
wolfssl - Timing Side-Channel in TLS 1.3 PSK Binder Verification
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder
CVSS 4.3
CVE-2025-11931 WRITEUP HIGH
wolfssl - Integer Underflow and Out-of-Bounds Access in wc_XChaCha20Poly1305_Decrypt
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application.
CVSS 8.2
CVE-2024-5991 WRITEUP HIGH
wolfssl < 5.7.0 - Out-of-bounds Read in MatchDomainName()
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.
CVSS 7.5
CVE-2024-5991 WRITEUP HIGH
wolfssl < 5.7.0 - Out-of-bounds Read in MatchDomainName()
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.
CVSS 7.5
CVE-2024-5288 WRITEUP MEDIUM
wolfssl < 5.7.2 - ECDSA Private Key Disclosure via Rowhammer Fault Injection
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery.
CVSS 5.1
CVE-2024-2881 WRITEUP MEDIUM
WolfSSL <5.6.6 - Privilege Escalation
Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.
CVSS 6.7
CVE-2024-1545 WRITEUP MEDIUM
WolfSSL wolfssl5.6.6 - Privilege Escalation
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
CVSS 5.9
CVE-2024-1544 WRITEUP MEDIUM
wolfssl < 5.7.2 - Observable Discrepancy in ECDSA Nonce Generation
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
CVSS 4.1
CVE-2024-0901 WRITEUP HIGH
WolfSSL 3.12.2 through 5.6.6 - Memory Corruption
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
CVSS 7.5
CVE-2024-0901 WRITEUP HIGH
WolfSSL 3.12.2 through 5.6.6 - Memory Corruption
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
CVSS 7.5
CVE-2023-6937 WRITEUP MEDIUM
wolfSSL < 5.6.6 - Improper Input Validation in (D)TLS Record Handling
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.
CVSS 5.3