CWE-1104
Use of Unmaintained Third Party Components
BaseIncomplete
Description
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (7)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-40906 | Cri | 0.64 | 9.8 | 0.01 | May 16, 2025 | BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported. | |
| CVE-2026-41468 | Hig | 0.57 | 8.7 | 0.00 | Apr 22, 2026 | Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction. | |
| CVE-2025-3497 | Hig | 0.57 | 8.7 | 0.00 | Jul 9, 2025 | The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product. | |
| CVE-2024-11999 | Hig | 0.57 | 8.8 | 0.00 | Dec 17, 2024 | CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product. | |
| CVE-2024-8885 | Hig | 0.57 | 8.8 | 0.00 | Oct 2, 2024 | A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files. | |
| CVE-2025-20010 | Hig | 0.51 | 7.8 | 0.00 | Nov 11, 2025 | Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | |
| CVE-2025-48862 | Hig | 0.46 | 7.1 | 0.00 | Aug 14, 2025 | Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains unencrypted. |