Csaf
by Cisagov
Source repositories
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10953 | Hig | 0.49 | 7.5 | 0.04 | Apr 17, 2019 | ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable Logic Controllers, multiple versions. Researchers have found some controllers are susceptible to a denial-of-service attack due to a flood of network packets. | ||
| CVE-2026-21404 | Med | 0.41 | 6.3 | 0.00 | Jun 4, 2026 | NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful… | ||
| CVE-2026-40425 | Med | 0.37 | 5.7 | 0.00 | May 29, 2026 | The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password. | ||
| CVE-2026-44611 | Med | 0.35 | 5.4 | 0.00 | May 29, 2026 | Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks. | ||
| CVE-2026-42951 | Med | 0.35 | 5.4 | 0.00 | May 29, 2026 | An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes. | ||
| CVE-2026-42932 | Med | 0.34 | 5.3 | 0.00 | Jun 12, 2026 | Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can… | ||
| CVE-2026-4293 | Med | 0.34 | 5.3 | 0.00 | May 20, 2026 | The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser. | ||
| CVE-2025-53471 | Med | 0.33 | 5.1 | 0.00 | Jul 11, 2025 | Emerson ValveLink products receive input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. | ||
| CVE-2026-50099 | Med | 0.30 | 4.6 | 0.00 | Jun 12, 2026 | During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell… |
- risk 0.49cvss 7.5epss 0.04
ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable Logic Controllers, multiple versions. Researchers have found some controllers are susceptible to a denial-of-service attack due to a flood of network packets.
- risk 0.41cvss 6.3epss 0.00
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful…
- risk 0.37cvss 5.7epss 0.00
The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
- risk 0.35cvss 5.4epss 0.00
Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks.
- risk 0.35cvss 5.4epss 0.00
An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes.
- risk 0.34cvss 5.3epss 0.00
Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can…
- risk 0.34cvss 5.3epss 0.00
The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
- risk 0.33cvss 5.1epss 0.00
Emerson ValveLink products receive input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- risk 0.30cvss 4.6epss 0.00
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell…
Page 2 of 2