VARIoT IoT vulnerabilities database
| VAR-202606-4422 | CVE-2026-12760 | Allocation of resources without limits or throttling vulnerability in TP-LINK Technologies Tapo C200 firmware |
| CVSS V2: - | CVSS V3: 6.5 | Severity: MEDIUM |
A denial-of-service (DoS) vulnerability has been identified in the network packet handling logic of the Tapo C200 v3, caused by improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device. Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
- No information handled by the software will be rewritten.
- The software may completely shut down.
| VAR-202606-4313 | CVE-2026-54317 | Multiple vulnerabilities in Home Assistant |
| CVSS V2: - | CVSS V3: 7.6 | Severity: HIGH |
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.
- All information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- Part of the software may stop working.
| VAR-202606-5967 | CVE-2026-52846 | Encoding and escaping vulnerability in Light Code Labs Caddy |
| CVSS V2: - | CVSS V3: 4.2 | Severity: MEDIUM |
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy's stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-5321 | CVE-2026-52845 | Multiple vulnerabilities in Light Code Labs Caddy |
| CVSS V2: - | CVSS V3: 8.1 | Severity: HIGH |
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. As a result, a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-5117 | CVE-2026-52844 | Multiple vulnerabilities in Light Code Labs Caddy |
| CVSS V2: - | CVSS V3: 7.5 | Severity: HIGH |
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
- All information handled by the software may be leaked to external parties.
- No rewriting will occur to the information handled by the software.
- The software will not stop.
| VAR-202606-4388 | CVE-2026-45692 | Multiple vulnerabilities in Light Code Labs Caddy |
| CVSS V2: - | CVSS V3: 5.4 | Severity: MEDIUM |
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object a path refers to. A path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching while the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-5937 | CVE-2026-45135 | Multiple vulnerabilities in Light Code Labs Caddy |
| CVSS V2: - | CVSS V3: 8.1 | Severity: HIGH |
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php file (or a file without another configured split_path extension) as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software may completely shut down.
| VAR-202606-4184 | CVE-2026-49872 | Authentication vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 8.1 | Severity: HIGH |
Improper Authentication vulnerability in Apache APISIX.
When the cas-auth plugin is used in a route, an attacker can possibly authenticate themselves with credentials from a different source.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-4138 | CVE-2026-49871 | Cross-site request forgery vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 9.3 | Severity: CRITICAL |
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations.
This defect allows a remote attacker who manages to send a victim to a webpage under their control to cause the victim's browser to become authenticated as a different identity.
Actions the victim takes upstream are then attributed to the attacker's identity.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3855 | CVE-2026-49231 | Authentication bypass by spoofing vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 5.4 | Severity: MEDIUM |
Authentication Bypass by Spoofing vulnerability in the opa plugin.
An attacker could relay spoofed identity headers to the upstream, capitalising on a non-default configuration of the opa plugin.
This could allow the attacker to assume higher privileges on the upstream service.
This issue affects Apache APISIX: from 3.5.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3791 | CVE-2026-49230 | Improper validation of integrity check value vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 9.1 | Severity: CRITICAL |
Improper Validation of Integrity Check Value vulnerability in Apache APISIX.
The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
This issue affects Apache APISIX: from 3.8.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3913 | CVE-2026-48895 | Open redirect vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 7.2 | Severity: HIGH |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.
The attacker could manipulate some client headers to perform an open redirect, potentially exposing the session token.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3914 | CVE-2026-47341 | Authentication bypass by capture-replay vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 6.5 | Severity: MEDIUM |
Authentication Bypass by Capture-replay vulnerability in Apache APISIX.
An attacker can benefit from certain configurations of hmac-auth to re-use a token forever, bypassing expiry.
This issue affects Apache APISIX: from 3.11.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3962 | CVE-2026-47339 | Incorrect authorization vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 8.1 | Severity: HIGH |
Incorrect Authorization vulnerability in Apache APISIX.
An attacker can capitalise on the authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source.
This issue affects Apache APISIX: from 2.14.1 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3918 | CVE-2026-44915 | Open redirect vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 6.1 | Severity: MEDIUM |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.
The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- Some of the information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3793 | CVE-2026-44087 | Insufficient verification of data authenticity vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 9.1 | Severity: CRITICAL |
Insufficient Verification of Data Authenticity vulnerability in Apache APISIX.
The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers, giving the attacker unauthorized access to the protected resources.
This issue affects Apache APISIX: from 2.3 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3794 | CVE-2026-44046 | Use of less trusted source vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 5.8 | Severity: MEDIUM |
Use of Less Trusted Source vulnerability in Apache APISIX.
An attacker can take advantage of the wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP-based access control rules.
This issue affects Apache APISIX: from 1.2.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- The information handled by the software will not be leaked to external parties.
- Some of the information handled by the software may be rewritten.
- The software will not stop.
| VAR-202606-3795 | CVE-2026-39999 | Authentication bypass by spoofing vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 9.1 | Severity: CRITICAL |
Authentication Bypass by Spoofing vulnerability in Apache APISIX.
The attacker can completely bypass authentication by capitalising on certain configurations of the jwt-auth plugin.
This issue affects Apache APISIX: from v2.2 through v3.16.0.
Users are recommended to upgrade to version v3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.
| VAR-202606-3919 | CVE-2026-39998 | Improper input validation vulnerability in Apache Software Foundation APISIX |
| CVSS V2: - | CVSS V3: 8.8 | Severity: HIGH |
Improper Input Validation vulnerability in Apache APISIX.
The attacker can take advantage of certain configurations of the forward-auth plugin to spoof identity headers.
This issue affects Apache APISIX: from 2.12.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software may completely shut down.
| VAR-202606-4065 | CVE-2026-20246 | Privilege management vulnerability in Cisco Systems Umbrella Virtual Appliance |
| CVSS V2: - | CVSS V3: 6.0 | Severity: MEDIUM |
A vulnerability in the vmadmin CLI of Cisco Umbrella Virtual Appliance could allow an authenticated, local attacker to elevate privileges on an affected device.
This vulnerability is due to insufficient validation of user-supplied commands. An attacker with vmadmin privileges could exploit this vulnerability by using certain commands at the CLI. A successful exploit could allow the attacker to elevate privileges to root.
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop.