CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 2/32 • 3809 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-01-08
High

CVE-2025-66001

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by def…

CVSS: 8.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-25278

FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle at…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2026-01-07
Critical

CVE-2025-68637

The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle…

CVSS: 9.1 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2026-01-06
High

CVE-2020-36917

iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmis…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2020-36914

QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie tra…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2026-01-05
Critical

CVE-2026-0625

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configu…

CVSS: 9.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-12-18
Medium

CVE-2025-68161

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org…

CVSS: 4.8 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2025-12-16
Medium

CVE-2025-62330

HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker wi…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-12-15
High

CVE-2023-53881

ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can cr…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2025-13489

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 IBM DevOps Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2025-14022

LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network pro…

CVSS: 7.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-12-13
Critical

CVE-2025-36754

The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token…

CVSS: 9.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-12-12
Low

CVE-2025-13053

When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and se…

CVSS: 3.7 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
Medium

CVE-2025-13052

When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SM…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-12-10
High

CVE-2025-65291

Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communicatio…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-65290

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attacke…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-65831

The application uses an insecure hashing algorithm (MD5) to hash passwords. If an attacker obtained a copy of these hashes, either through exploiting cloud services, performing TLS downgrade attacks…

CVSS: 7.5 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2025-12-09
High

CVE-2025-12946

A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniq…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2025-40818

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications contain private SSL/TLS keys on the server that are not properly protected allowin…

CVSS: 3.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2025-40801

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-40800

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcente…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-66491

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annot…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-12-01
Medium

CVE-2024-32384

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker…

CVSS: 6.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2024-56089

An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack.

CVSS: 7.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2025-11-24
Medium

CVE-2025-63432

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker…

CVSS: 4.6 CWE: CWE-599 - Missing Validation of OpenSSL Certificate View on NVD
High

CVE-2025-44018

A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-11-20
Medium

CVE-2025-64027

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_messag…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-36161

IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2025-11-17
Medium

CVE-2025-60022

Improper certificate validation vulnerability exists in 'デジラアプリ' App for iOS prior to ver.80.10.00. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop o…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-11-13
Critical

CVE-2025-36096

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle t…

CVSS: 9.0 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2025-11-11
High

CVE-2025-40744

A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates to connect to License Service endpoint.…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-12942

Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perfor…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2025-11-07
Medium

CVE-2025-10966

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2025-64184

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, ima…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-06
High

CVE-2025-12790

A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle (MITM) attack.

CVSS: 7.4 CWE: CWE-29 - Path Traversal: '..filename' View on NVD
2025-11-05
Medium

CVE-2025-56232

GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update reque…

CVSS: 6.8 CWE: CWE-599 - Missing Validation of OpenSSL Certificate View on NVD
2025-11-03
Medium

CVE-2025-36093

IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an attacker to access unauthorized content or perform unauthorized actions using man in the middle techniques due to impro…

CVSS: 4.8 CWE: CWE-602 - Client-Side Enforcement of Server-Side Security View on NVD
2025-10-31
Medium

CVE-2025-12357

By manipulating the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements, an attacker can stage a man-in-the-middle attack between an electric vehicle and chargers th…

CVSS: 6.3 CWE: CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints View on NVD
2025-10-30
High

CVE-2025-54470

This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry…

CVSS: 8.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-10-16
High

CVE-2025-11493

The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attack…

CVSS: 8.8 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Critical

CVE-2025-11492

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, m…

CVSS: 9.6 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-10-15
High

CVE-2025-11619

Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.

CVSS: 8.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-62371

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by defa…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-55039

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication…

CVSS: 6.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2025-10-14
High

CVE-2025-25253

An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version…

CVSS: 7.5 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
Medium

CVE-2025-41705

An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.

CVSS: 6.8 CWE: CWE-523 - Unprotected Transport of Credentials View on NVD
2025-09-29
Critical

CVE-2025-34212

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unv…

CVSS: 9.8 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Medium

CVE-2025-34211

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching publ…

CVSS: 4.9 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Critical

CVE-2025-34196

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterL…

CVSS: 9.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2025-09-23
Medium

CVE-2025-10548

The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-09-19
High

CVE-2025-34199

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 (VA and SaaS deployments) contain insecure defaults and code patter…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2025-34198

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2024-13990

MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. As a result, an o…

CVSS: 9.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-09-17
Low

CVE-2025-59410

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, ra…

CVSS: 3.7 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
Medium

CVE-2025-59347

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configura…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-09-16
Medium

CVE-2025-9708

A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the…

CVSS: 6.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2025-59270

psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' posi…

CVSS: 3.1 CWE: CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') View on NVD
2025-09-12
High

CVE-2025-7448

Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack

CVSS: 8.6 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2025-58781

WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-09-08
Low

CVE-2025-58422

RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which…

CVSS: 3.1 CWE: CWE-348 - Use of Less Trusted Source View on NVD
2025-09-06
High

CVE-2025-9961

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.  The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.  This iss…

CVSS: 8.6 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2025-09-03
High

CVE-2025-9785

PaperCut Print Deploy is an optional component that integrates with PaperCut NG/MF which simplifies printer deployment and management. When the component is deployed to an environment, the customer h…

CVSS: 7.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-09-01
Medium

CVE-2025-33099

IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to perform unauthorized actions using man in the middle techniques due to improper certificate validation.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-33084

IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could expl…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2025-08-28
Medium

CVE-2025-58127

Improper Certificate Validation in Checkmk Exchange plugin Dell Powerscale allows attackers in MitM position to intercept traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-58126

Improper Certificate Validation in Checkmk Exchange plugin VMware vSAN allows attackers in MitM position to intercept traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-58125

Improper Certificate Validation in Checkmk Exchange plugin Freebox v6 agent allows attackers in MitM position to intercept traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-58124

Improper Certificate Validation in Checkmk Exchange plugin check-mk-api allows attackers in MitM position to intercept traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-58123

Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-08-26
High

CVE-2025-35115

Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users sho…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2025-08-14
High

CVE-2024-7402

Netskope has identified a potential gap in its agent (Netskope Client) in which a malicious insider can potentially tamper the Netskope Client configuration by performing MITM (Man-in-the-Middle) act…

CVSS: 7.0 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2025-08-13
Medium

CVE-2025-55279

This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting…

CVSS: 6.9 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2025-08-12
High

CVE-2025-40770

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions). The affected application uses a monitoring interface that is not operating in a strictly passive mod…

CVSS: 7.4 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
Medium

CVE-2024-41986

A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506…

CVSS: 6.4 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
Medium

CVE-2025-26398

SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This…

CVSS: 5.6 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2025-08-09
Medium

CVE-2025-55013

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (tas…

CVSS: 4.2 CWE: CWE-23 - Relative Path Traversal View on NVD
2025-08-08
High

CVE-2025-8393

A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in…

CVSS: 7.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-08-06
Medium

CVE-2025-48393

The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security is…

CVSS: 5.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-08-01
Medium

CVE-2025-54792

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-th…

CVSS: 6.8 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2025-07-31
Medium

CVE-2024-34328

An open redirect in Sielox AnyWare v2.1.2 allows attackers to execute a man-in-the-middle attack via a crafted URL.

CVSS: 6.3 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2025-07-25
Critical

CVE-2025-29628

A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud AP…

CVSS: 9.4 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
2025-07-11
Low

CVE-2025-53861

A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to rea…

CVSS: 3.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2025-30024

The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.

CVSS: 6.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-07-10
High

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Onl…

CVSS: 7.4 CWE: CWE-287 - Improper Authentication View on NVD
2025-07-08
High

CVE-2024-31854

A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). During establishment of a https connection to the TLS server of a managed device, the affected application doesn't che…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2024-31853

A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). During establishment of a https connection to the TLS server of a managed device, the affected application doesn't che…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-52236

A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGG…

CVSS: 7.0 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2025-07-07
Medium

CVE-2024-43190

IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle t…

CVSS: 5.9 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
2025-07-01
High

CVE-2025-34066

An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh.…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-06-26
Medium

CVE-2025-36034

IBM InfoSphere DataStage Flow Designer in IBM InfoSphere Information Server 11.7 discloses sensitive user information in API requests in clear text that could be intercepted using man in the middle t…

CVSS: 5.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-06-25
High

CVE-2025-52890

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security optio…

CVSS: 8.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-06-24
High

CVE-2025-6032

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2025-39205

A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation.

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-06-18
Critical

CVE-2025-26199

CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application transmits passwords over unencrypted HTTP during the login process, exposing sensitiv…

CVSS: 9.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-06-13
Low

CVE-2025-48825

RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade…

CVSS: 2.5 CWE: CWE-348 - Use of Less Trusted Source View on NVD
2025-06-11
High

CVE-2025-49146

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver…

CVSS: 8.2 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2025-41663

For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2024-7457

The ws.stash.app.mac.daemon.helper tool contains a vulnerability caused by an incorrect use of macOS’s authorization model. Instead of validating the client's authorization reference, the helper invo…

CVSS: 7.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-05-30
Medium

CVE-2025-44612

Tinxy WiFi Lock Controller v1 RF was discovered to transmit sensitive information in plaintext, including control information and device credentials, allowing attackers to possibly intercept and acce…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-05-29
Critical

CVE-2023-41591

An issue in Open Network Foundation ONOS v2.7.0 allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between fake and real hosts.

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-05-28
Medium

CVE-2025-4947

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-mid…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-05-21
Medium

CVE-2025-48417

The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) is hard-coded in the firmware and are shipped with the update files. An…

CVSS: 6.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2025-05-18
Low

CVE-2025-4858

A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been declared as problematic. This vulnerability affects unknown code of the file /adv_arpspoofing.php of the component…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-05-16
Medium

CVE-2025-32407

Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites v…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-05-08
Low

CVE-2025-46712

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to…

CVSS: 3.7 CWE: CWE-440 - Expected Behavior Violation View on NVD
2025-05-07
Low

CVE-2025-46551

JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2024-47619

syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildca…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-05-06
Medium

CVE-2025-37730

Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-04-30
Medium

CVE-2025-24339

A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-…

CVSS: 5.0 CWE: CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax View on NVD
2025-04-23
Low

CVE-2025-25046

IBM InfoSphere Information Server 11.7 DataStage Flow Designer  transmits sensitive information via URL or query parameters that could be exposed to an unauthorized actor using man in the middle tec…

CVSS: 3.7 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2025-28169

BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a man-in-t…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-04-15
High

CVE-2024-42193

HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-04-09
High

CVE-2025-2222

CWE-552: Files or Directories Accessible to External Parties vulnerability over https exists that could leak information and potential privilege escalation following man in the middle attack.

CVSS: 7.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Medium

CVE-2025-27722

Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a man-in-the-middle attack may allow a remote unauthenticated attacker to eavesdrop t…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-04-08
Low

CVE-2024-50565

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through…

CVSS: 3.1 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2024-26013

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through…

CVSS: 7.5 CWE: CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints View on NVD
2025-03-31
Critical

CVE-2025-30095

VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacke…

CVSS: 9.0 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2025-03-24
High

CVE-2025-29314

Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2025-03-20
Medium

CVE-2025-0254

HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. An attacker could intercept and potentially alter communication betw…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2025-03-19
High

CVE-2024-10444

Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to h…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD