Search Results (223 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-48974 1 Baxter 1 Life2000 Ventilator Firmware 2026-04-15 9.3 Critical
The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device's configuration settings and/or compromise device functionality by pushing a compromised/illegitimate firmware file. This could disrupt the function of the device and/or cause unauthorized information disclosure.
CVE-2025-9319 1 Lenovo 1 Wallpaper Client 2026-04-15 7.5 High
A potential vulnerability was reported in the Lenovo Wallpaper Client that could allow arbitrary code execution under certain conditions.
CVE-2025-15575 2 Solax, Solax Power 5 Pocket Wifi 3, Pocket Wifi+4gm, Pocket Wifi+lan and 2 more 2026-04-15 5.3 Medium
The firmware update functionality does not verify the authenticity of the supplied firmware update files. This allows attackers to flash malicious firmware update files on the device. Initial analysis of the firmware update functionality does not show any cryptographic checks (e.g. digital signature checks) on the supplied firmware update files. Furthermore, ESP32 security features such as secure boot are not used.
CVE-2025-53520 1 Eg4 Electronics 7 Eg4 12000xp, Eg4 12kpv, Eg4 18kpv and 4 more 2026-04-15 8.8 High
The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.
CVE-2025-1058 2026-04-15 8.1 High
CWE-494: Download of Code Without Integrity Check vulnerability exists that could render the device inoperable when malicious firmware is downloaded.
CVE-2023-41921 2026-04-15 9.8 Critical
A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state.
CVE-2024-52583 2026-04-15 8.2 High
The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. The page `schedule.html` before 17 November 2024 or commit 93dfb83 contains links to `Leostop`, a site that hosts a malicious injected JavaScript file that occurs when bootstrap is run as well as jquery. `Leostop` may be a tracking malware and creates 2 JavaScript files, but little else is known about it. The WesHacks website remove all references to `Leostop` as of 17 November 2024.
CVE-2025-52263 1 Starcharge 1 Artemis 2026-04-15 8 High
An issue in the Web Configuration module of Startcharge Artemis AC Charger 7-22 kW v1.0.4 allows authenticated network-adjacent attackers to upload crafted firmware, leading to arbitrary code execution.
CVE-2025-53696 1 Johnsoncontrols 1 Istar Ultra 2026-04-15 N/A
iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected.
CVE-2025-7620 1 Dsic 1 Cross-browser Components 2026-04-15 8.8 High
The cross-browser document creation component produced by Digitware System Integration Corporation has a Remote Code Execution vulnerability. If a user visits a malicious website while the component is active, remote attackers can cause the system to download and execute arbitrary programs.
CVE-2025-52937 1 Point Cloud Library 1 Pcl 2026-04-15 N/A
Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/opennurbs modules). This vulnerability is associated with program files crc32.C. This vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib (WITH_SYSTEM_ZLIB=FALSE).
CVE-2017-13083 1 Akeo 1 Rufus 2026-04-07 N/A
Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code
CVE-2026-3502 1 Trueconf 1 Trueconf 2026-04-03 7.8 High
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
CVE-2026-30603 1 Qianniao 1 Qn-l23pa0904 2026-04-03 6.8 Medium
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.
CVE-2025-47904 1 Microchip 2 Timeprovider 4100, Timeprovider 4100 Firmware 2026-03-31 4.1 Medium
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.
CVE-2026-33075 2 Fastgpt, Labring 2 Fastgpt, Fastgpt 2026-03-25 8.8 High
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
CVE-2026-28500 2 Linuxfoundation, Onnx 2 Onnx, Onnx 2026-03-24 8.6 High
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-1878 1 Asus 2 Driver Headset , Driver Keyboard Mouse 2026-03-20 N/A
An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The vulnerability is due to improper access control on the installation directory, which enables the exploitation of a race condition where the legitimate installer is substituted with an unexpected payload immediately after download, resulting in arbitrary code execution. Refer to the "Security Update for ASUS ROG peripheral driver" section on the ASUS Security Advisory for more information.
CVE-2025-15556 3 Notepad++, Notepad-plus-plus, Notepad Plus Plus 5 Notepad++, Notepad++, Notepad\+\+ and 2 more 2026-03-05 7.5 High
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
CVE-2024-43169 1 Ibm 2 Engineering Requirements Management Doors, Engineering Requirements Management Doors Next 2026-02-26 8.8 High
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code.