CWE-1104
Use of Unmaintained Third Party Components
Description
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-40906 | | Cri | 0.64 | 9.8 | 0.01 | | May 16, 2025 | BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of… |
| CVE-2026-41468 | | Hig | 0.57 | 8.7 | 0.00 | | Apr 22, 2026 | Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary… |
| CVE-2025-3497 | | Hig | 0.57 | 8.7 | 0.00 | | Jul 9, 2025 | The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product. |
| CVE-2024-11999 | | Hig | 0.57 | 8.8 | 0.01 | | Dec 17, 2024 | CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product. |
| CVE-2024-8885 | | Hig | 0.57 | 8.8 | 0.00 | | Oct 2, 2024 | A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files. |
| CVE-2026-21821 | | Hig | 0.54 | 8.3 | 0.00 | | May 13, 2026 | The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk… |
| CVE-2025-20010 | | Hig | 0.51 | 7.8 | 0.00 | | Nov 11, 2025 | Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack… |
| CVE-2025-48862 | | Hig | 0.46 | 7.1 | 0.00 | | Aug 14, 2025 | Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains… |
| CVE-2024-35252 | | | 0.00 | — | 0.02 | | Jun 11, 2024 | Azure Storage Movement Client Library Denial of Service Vulnerability |
| CVE-2024-21631 | | | 0.00 | — | 0.01 | | Jan 3, 2024 | Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly… |