Vendor CVEs
Linecorp
All CVEs
25 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-44487 | | High | 0.65 | 7.5 | 1.00 | KEV | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2016-4850 | | High | 0.53 | 8.1 | 0.02 | | Apr 20, 2017 | LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. |
| CVE-2016-4831 | | High | 0.51 | 7.8 | 0.00 | | Jul 12, 2016 | Untrusted search path vulnerability in LINE and LINE Installer 4.7.0 and earlier on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. |
| CVE-2026-3861 | | Med | 0.42 | 6.5 | 0.00 | | Apr 16, 2026 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become… |
| CVE-2021-36214 | | Med | 0.40 | 6.1 | 0.01 | | Jul 13, 2021 | LINE client for iOS before 10.16.3 allows cross-site scripting with a specific header in WebView. |
| CVE-2016-1156 | | Med | 0.37 | 5.7 | 0.01 | | Feb 19, 2016 | LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X allows remote authenticated users to cause a denial of service (application crash) via a crafted post that is mishandled when displaying a Timeline. |
| CVE-2026-11748 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated… |
| CVE-2026-11746 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the… |
| CVE-2026-11745 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored… |
| CVE-2026-11752 | | | 0.00 | — | 0.00 | | Jun 18, 2026 | External Control of File Name or Path in xDS SDS DataSource. Summary: `DataSourceStream` in the `:xds` module resolves control-plane-supplied `filename` and `environment_variable` fields from SDS Secret resources without any allow-list or base-directory confinement. A… |
| CVE-2025-14023 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions. |
| CVE-2025-14022 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network processing, causing server certificate verification to be disabled for a… |
| CVE-2025-14021 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | The in-app browser in LINE client for iOS versions prior to 14.14 is vulnerable to address bar spoofing, which could allow attackers to execute malicious JavaScript within iframes while displaying trusted URLs, enabling phishing attacks through overlaid malicious content. |
| CVE-2025-14020 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return from another application, potentially allowing attackers to conduct… |
| CVE-2025-14019 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | LINE client for Android versions from 13.8 to 15.5 is vulnerable to UI spoofing in the in-app browser where a specific layout could obscure the full-screen warning prompt, potentially allowing attackers to conduct phishing attacks. |
| CVE-2024-5739 | | | 0.00 | — | 0.00 | | Jun 12, 2024 | The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site… |
| CVE-2023-45559 | | | 0.00 | — | 0.01 | | Jan 3, 2024 | An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. |
| CVE-2023-39733 | | | 0.00 | — | 0.01 | | Oct 24, 2023 | The leakage of the client secret in TonTon-Tei Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages. |
| CVE-2023-39040 | | | 0.00 | — | 0.00 | | Sep 18, 2023 | An information leak in Cheese Cafe Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages. |
| CVE-2023-38493 | | | 0.00 | — | 0.01 | | Jul 25, 2023 | Armeria is a microservice framework. Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might… |
| CVE-2023-31818 | | | 0.00 | — | 0.01 | | Jul 11, 2023 | An issue found in Marukyu Line v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. |
| CVE-2021-43795 | | | 0.00 | — | 0.02 | | Dec 2, 2021 | Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing… |
| CVE-2019-16771 | | | 0.00 | — | 0.01 | | Dec 6, 2019 | Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has… |
| CVE-2014-6980 | | | 0.00 | — | 0.00 | | Oct 16, 2014 | The LINE PLAY (aka jp.naver.lineplay.android) application 2.3.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2013-7144 | | | 0.00 | — | 0.01 | | Aug 16, 2014 | LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |