Aspnetcore
by Microsoft
Source repositories
CVEs (40)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-44487 | Hig | 0.65 | 7.5 | 1.00 | KEV | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |
| CVE-2026-40372 | Cri | 0.59 | 9.1 | 0.11 | Apr 21, 2026 | Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2018-0784 | Hig | 0.58 | 8.8 | 0.07 | Jan 10, 2018 | ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0808. | ||
| CVE-2017-11879 | Hig | 0.58 | 8.8 | 0.09 | Nov 15, 2017 | ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability". | ||
| CVE-2018-8292 | Hig | 0.50 | 7.5 | 0.15 | Oct 10, 2018 | An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0. | ||
| CVE-2017-8700 | Hig | 0.50 | 7.5 | 0.10 | Nov 15, 2017 | ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally restricted content from a web application, aka "ASP.NET Core Information Disclosure Vulnerability". | ||
| CVE-2026-26130 | Hig | 0.49 | 7.5 | 0.01 | Mar 10, 2026 | Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | ||
| CVE-2018-8409 | Hig | 0.49 | 7.5 | 0.07 | Sep 13, 2018 | A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1. | ||
| CVE-2018-0808 | Hig | 0.49 | 7.5 | 0.08 | Mar 14, 2018 | ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784. | ||
| CVE-2017-11883 | Hig | 0.49 | 7.5 | 0.09 | Nov 15, 2017 | .NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly handling web requests, aka ".NET CORE Denial Of Service Vulnerability". | ||
| CVE-2017-11770 | Hig | 0.49 | 7.5 | 0.05 | Nov 15, 2017 | .NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly handles parsing certificate… | ||
| CVE-2026-45591 | Hig | 0.42 | 7.5 | 0.01 | Jun 9, 2026 | Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network. | ||
| CVE-2018-0785 | Med | 0.42 | 6.5 | 0.03 | Jan 10, 2018 | ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability". | ||
| CVE-2018-8356 | Med | 0.36 | 5.5 | 0.01 | Jul 11, 2018 | A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework… | ||
| CVE-2020-1147 | 0.22 | — | 0.94 | KEV | Jul 14, 2020 | A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'. | ||
| CVE-2023-38180 | 0.12 | — | 0.16 | KEV | Aug 8, 2023 | .NET and Visual Studio Denial of Service Vulnerability | ||
| CVE-2025-55315 | 0.03 | — | 0.66 | Oct 14, 2025 | Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network. | |||
| CVE-2020-0606 | 0.03 | — | 0.17 | Jan 14, 2020 | A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code… | |||
| CVE-2020-0605 | 0.03 | — | 0.18 | Jan 14, 2020 | A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code… | |||
| CVE-2025-26682 | 0.01 | — | 0.01 | Apr 8, 2025 | Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. |
- risk 0.65cvss 7.5epss 1.00
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- risk 0.59cvss 9.1epss 0.11
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
- risk 0.58cvss 8.8epss 0.07
ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0808.
- risk 0.58cvss 8.8epss 0.09
ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability".
- risk 0.50cvss 7.5epss 0.15
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
- risk 0.50cvss 7.5epss 0.10
ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally restricted content from a web application, aka "ASP.NET Core Information Disclosure Vulnerability".
- risk 0.49cvss 7.5epss 0.01
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- risk 0.49cvss 7.5epss 0.07
A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1.
- risk 0.49cvss 7.5epss 0.08
ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0784.
- risk 0.49cvss 7.5epss 0.09
.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly handling web requests, aka ".NET CORE Denial Of Service Vulnerability".
- risk 0.49cvss 7.5epss 0.05
.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly handles parsing certificate…
- risk 0.42cvss 7.5epss 0.01
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.03
ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability".
- risk 0.36cvss 5.5epss 0.01
A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework…
- risk 0.22cvss —epss 0.94
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
- risk 0.12cvss —epss 0.16
.NET and Visual Studio Denial of Service Vulnerability
- CVE-2025-55315Oct 14, 2025risk 0.03cvss —epss 0.66
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
- CVE-2020-0606Jan 14, 2020risk 0.03cvss —epss 0.17
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code…
- CVE-2020-0605Jan 14, 2020risk 0.03cvss —epss 0.18
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code…
- CVE-2025-26682Apr 8, 2025risk 0.01cvss —epss 0.01
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Page 1 of 2