Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

CERT/CC

Source -

CNA

BOS Name -

N/A

CNA CVEs -

9

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
9Vulnerabilities found
CVE-2026-8142
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 5.71%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 19:54
Updated-05 Jun, 2026 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2026-8142

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.

Action-Not Available
Vendor-CERT/CC
Product-VINCE
CVE-2026-35467
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-0.01% / 1.50%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 20:27
Updated-03 Jun, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private Key stored as extractable in browser IndexeDB

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

Action-Not Available
Vendor-cmuCERT/CC
Product-cveclientcveClient/encrypt-storage.js
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2026-35466
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 1.76%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 20:20
Updated-03 Jun, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS via unsanitized input from remote service

XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services

Action-Not Available
Vendor-cmuCERT/CC
Product-cveclientcveClient/cveInterface.js
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10469
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-4.4||MEDIUM
EPSS-0.11% / 29.34%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 15:38
Updated-25 Aug, 2025 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.

VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-9953
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-4.9||MEDIUM
EPSS-0.19% / 41.56%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 21:19
Updated-20 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8

A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE - Vulnerability Information and Coordination Environment
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-40238
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-2.47% / 85.64%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 15:15
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE - The Vulnerability Information and Coordination Environment
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-40257
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 59.22%
||
7 Day CHG~0.00%
Published-10 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 12:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE - The Vulnerability Information and Coordination Environment
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40248
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 60.91%
||
7 Day CHG~0.00%
Published-10 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 12:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE - The Vulnerability Information and Coordination Environment
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25799
Assigner-CERT/CC
ShareView Details
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.54%
||
7 Day CHG~0.00%
Published-16 Aug, 2022 | 22:00
Updated-17 Sep, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An open redirect vulnerability exists in CERT/CC VINCE software prior to version 1.50.0

An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.

Action-Not Available
Vendor-certCERT/CC
Product-vinceVINCE - The Vulnerability Information and Coordination Environment
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')