CVEs classified under CWE-349, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (27)
CVE-2026-42960 — CVSS 10.0 (critical): NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section…
CVE-2026-41120 — CVSS 9.8 (critical): Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data…
CVE-2026-45602 — CVSS 9.1 (critical): No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.
CVE-2025-5994: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client…
CVE-2025-40778 — CVSS 8.6 (high): Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the…
CVE-2025-40776 — CVSS 8.6 (high): A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This…
CVE-2026-32162 — CVSS 8.4 (high): Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
CVE-2026-35641 — CVSS 7.8 (high): OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to…
CVE-2020-8023 — CVSS 7.7 (high): A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5…
CVE-2026-33612 — CVSS 7.5 (high): A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
CVE-2025-29816 — CVSS 7.5 (high): Improper input validation in Microsoft Office Word allows an unauthorized attacker to bypass a security feature over a network.
CVE-2025-27415 — CVSS 7.5 (high): Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN…
CVE-2024-41924 — CVSS 7.2 (high): Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an…
CVE-2023-44317 — CVSS 7.2 (high): A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V7.2.2), RUGGEDCOM RM1224 LTE(4G)…
CVE-2024-53848 — CVSS 7.1 (high): check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote…
CVE-2025-48804 — CVSS 6.8 (medium): Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature…
CVE-2024-52555 — CVSS 6.3 (medium): In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script
CVE-2020-10751 — CVSS 6.1 (medium): A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would…
CVE-2025-11411: NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that…
CVE-2025-68269 — CVSS 5.4 (medium): In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
CVE-2024-34083 — CVSS 5.4 (medium): aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept…
CVE-2025-11703 — CVSS 5.3 (medium): The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including…
CVE-2025-46339 — CVSS 4.3 (medium): FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a…
CVE-2025-20255 — CVSS 4.3 (medium): A vulnerability in client join services of Cisco Webex Meetings could allow an unauthenticated, remote attacker to manipulate cached HTTP…
CVE-2026-44572 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could…
CVE-2024-21094 — CVSS 3.7 (low): Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component…
CVE-2025-1680: An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows…