NuGet package

microsoft.aspnetcore.app.runtime.win-x64

pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64

Vulnerabilities (24)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2026-26130	Hig	7.5		>= 8.0.0, < 8.0.25	8.0.25	Mar 10, 2026	Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2025-55315		—		>= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107	10.0.0-rc.2.25502.107	Oct 14, 2025	Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
CVE-2025-24070		—		>= 9.0.0, < 9.0.3	9.0.3	Mar 11, 2025	Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
CVE-2024-38229		—		>= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3	9.0.0-rc.2.24474.3	Oct 8, 2024	.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2024-38168		—		>= 8.0.0, < 8.0.8	8.0.8	Aug 13, 2024	.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-35264		—		>= 8.0.0, < 8.0.7	8.0.7	Jul 9, 2024	.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2024-30046		—		>= 7.0.0, < 7.0.19	7.0.19	May 14, 2024	Visual Studio Denial of Service Vulnerability
CVE-2024-21386		—		< 6.0.27	6.0.27	Feb 13, 2024	.NET Denial of Service Vulnerability
CVE-2023-38180		—	KEV	>= 7.0.0, < 7.0.10	7.0.10	Aug 8, 2023	.NET and Visual Studio Denial of Service Vulnerability
CVE-2023-38178		—		>= 7.0.0, < 7.0.10	7.0.10	Aug 8, 2023	.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2023-33170		—		< 6.0.20	6.0.20	Jul 11, 2023	ASP.NET and Visual Studio Security Feature Bypass Vulnerability
CVE-2022-38013		—		>= 3.1.0, < 3.1.29	3.1.29	Sep 13, 2022	.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2022-34716		—		>= 3.1.0, < 3.1.28	3.1.28	Aug 9, 2022	.NET Spoofing Vulnerability
CVE-2022-29145		—		>= 3.0.0, < 3.1.25	3.1.25	May 10, 2022	.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-29117		—		>= 3.0.0, < 3.1.25	3.1.25	May 10, 2022	.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-23267		—		>= 3.0.0, < 3.1.25	3.1.25	May 10, 2022	.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-24464		—		>= 3.0.0, < 3.1.23	3.1.23	Mar 9, 2022	.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-21986		—		>= 5.0.0, < 5.0.14	5.0.14	Feb 9, 2022	.NET Denial of Service Vulnerability
CVE-2021-1723		—		>= 3.1.0, < 3.1.11	3.1.11	Jan 12, 2021	ASP.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2020-1045		—		>= 3.1.0, < 3.1.8	3.1.8	Sep 11, 2020	A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.<

CVE-2026-26130HigMar 10, 2026
affected >= 8.0.0, < 8.0.25fixed 8.0.25
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2025-55315Oct 14, 2025
affected >= 10.0.0-rc.1.25451.107, < 10.0.0-rc.2.25502.107fixed 10.0.0-rc.2.25502.107
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
CVE-2025-24070Mar 11, 2025
affected >= 9.0.0, < 9.0.3fixed 9.0.3
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
CVE-2024-38229Oct 8, 2024
affected >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3fixed 9.0.0-rc.2.24474.3
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2024-38168Aug 13, 2024
affected >= 8.0.0, < 8.0.8fixed 8.0.8
.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-35264Jul 9, 2024
affected >= 8.0.0, < 8.0.7fixed 8.0.7
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2024-30046May 14, 2024
affected >= 7.0.0, < 7.0.19fixed 7.0.19
Visual Studio Denial of Service Vulnerability
CVE-2024-21386Feb 13, 2024
affected < 6.0.27fixed 6.0.27
.NET Denial of Service Vulnerability
CVE-2023-38180KEVAug 8, 2023
affected >= 7.0.0, < 7.0.10fixed 7.0.10
.NET and Visual Studio Denial of Service Vulnerability
CVE-2023-38178Aug 8, 2023
affected >= 7.0.0, < 7.0.10fixed 7.0.10
.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2023-33170Jul 11, 2023
affected < 6.0.20fixed 6.0.20
ASP.NET and Visual Studio Security Feature Bypass Vulnerability
CVE-2022-38013Sep 13, 2022
affected >= 3.1.0, < 3.1.29fixed 3.1.29
.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2022-34716Aug 9, 2022
affected >= 3.1.0, < 3.1.28fixed 3.1.28
.NET Spoofing Vulnerability
CVE-2022-29145May 10, 2022
affected >= 3.0.0, < 3.1.25fixed 3.1.25
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-29117May 10, 2022
affected >= 3.0.0, < 3.1.25fixed 3.1.25
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-23267May 10, 2022
affected >= 3.0.0, < 3.1.25fixed 3.1.25
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-24464Mar 9, 2022
affected >= 3.0.0, < 3.1.23fixed 3.1.23
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-21986Feb 9, 2022
affected >= 5.0.0, < 5.0.14fixed 5.0.14
.NET Denial of Service Vulnerability
CVE-2021-1723Jan 12, 2021
affected >= 3.1.0, < 3.1.11fixed 3.1.11
ASP.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2020-1045Sep 11, 2020
affected >= 3.1.0, < 3.1.8fixed 3.1.8
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.<

Page 1 of 2