Microsoft Asp.net Core — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft Asp.net Core, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (39)
CVE-2025-55315 — CVSS 9.9 (critical): Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a…
CVE-2026-40372 — CVSS 9.1 (critical): Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
CVE-2018-0787 — CVSS 8.8 (high): ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates…
CVE-2017-11879 — CVSS 8.8 (high): ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted…
CVE-2018-0784 — CVSS 8.8 (high): ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core…
CVE-2019-1302 — CVSS 8.8 (high): An elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to…
CVE-2020-0603 — CVSS 8.8 (high): A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory.An attacker who…
CVE-2018-8409 — CVSS 7.5 (high): A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service."…
CVE-2018-8171 — CVSS 7.5 (high): A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET…
CVE-2025-26682 — CVSS 7.5 (high): Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2018-0808 — CVSS 7.5 (high): ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how ASP.NET web applications handle web requests, aka…
CVE-2018-0875 — CVSS 7.5 (high): .NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 allow a denial of Service vulnerability due to how specially crafted…
CVE-2018-8292 — CVSS 7.5 (high): An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka…
CVE-2019-0548 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service…
CVE-2019-0564 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service…
CVE-2019-0815 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service…
CVE-2019-0982 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service…
CVE-2026-26130 — CVSS 7.5 (high): Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2020-0602 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service…
CVE-2017-8700 — CVSS 7.5 (high): ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origin Resource Sharing (CORS) configurations and retrieve normally…
CVE-2020-1045 — CVSS 7.5 (high): <p>A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.</p> <p>The ASP.NET Core…
CVE-2020-1161 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service…
CVE-2020-1597 — CVSS 7.5 (high): A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this…
CVE-2026-45591 — CVSS 7.5 (high): Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2025-24070 — CVSS 7.0 (high): Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
CVE-2018-0785 — CVSS 6.5 (medium): ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET…
CVE-2019-1075 — CVSS 6.1 (medium): A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect, aka 'ASP.NET Core Spoofing Vulnerability'.
CVE-2018-8356 — CVSS 5.5 (medium): A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET…