Threat Intelligence Database

A vulnerability in Home Assistant core prior to version 2026.5.3 allows any installed Android app without permissions to send forged location data to the LocationSensorManager BroadcastReceiver. This receiver is exported without permission checks and trusts the received location data, forwarding it to the user's Home Assistant server. This bypasses Android's mock location protections and enables a local malicious app to fake the device's GPS position, potentially triggering zone-based automations such as unlocking doors or disarming alarms. The issue is fixed in version 2026.5.3.

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in HAVELSAN Liman MYS allows Cross-Site Flashing. This issue affects Liman MYS: before 2.1.1 - 1010.

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.

Ella Core versions prior to 1.10.0 contain a vulnerability where the UE Security Capabilities received in NGAP PathSwitchRequest messages are not verified against locally stored values. This allows a malicious gNB to overwrite stored UE security capabilities with arbitrary values by sending a crafted PathSwitchRequest message. The vulnerability is fixed in version 1.10.0. The CVSS score is 6.1, indicating a medium severity issue with potential integrity and availability impacts but no confidentiality loss.

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0.

CVE-2026-44473 is a high-severity vulnerability in ellanetworks core (Ella Core), a 5G core designed for private networks. Versions prior to 1.10.0 allow a radio with a valid NG Setup to send a forged PDUSessionResourceSetupResponse containing any UE's AMF-UE-NGAP-ID. The core fails to verify that the message arrived on the SCTP association bound to that UE's logical NG-connection, resulting in the creation of a GTP tunnel towards the radio. This improper security check can lead to denial of service or disruption of network operations. The vulnerability is fixed in version 1.10.0. No known exploits in the wild have been reported.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.