CVE records

The National Cyber Security Centre (NCSC) was recognised by the independent US organisation MITRE as a CVE Numbering Authority (CNA) on 29 September 2021. In this role, the NCSC is responsible for preparing and publishing CVE records for vulnerabilities reported to it within the applicable scope. This makes the NCSC the official contact point to handle CVE publications for vulnerabilities affecting Switzerland when no other CNA is applicable.

As part of its CNA duties, the NCSC maintains a catalog of CVE records published under its authority. This list exists for tracking purposes and does not constitute a source of advisories or a reference for any of the vulnerabilities listed. Relevant information for the vulnerabilities listed below, such as patch availability and references, is found in the MITRE links.

Vulnerabilities / CVE

CVE-2025-11184: Cross-Site Scripting Vulnerability in QWC2 Registration GUI

Published: 13. October 2025
Severity: 6.9 Medium

MITRE: CVE-2025-11184

CVE-2025-11183: Cross-Site Scripting Vulnerability in QWC2

Published: 13. October 2025
Severity: 6.9 Medium

MITRE: CVE-2025-11183

CVE-2025-9265: API Authentication Bypass via Header Spoofing vulnerability in Kiloview NDI N30 Products

Published: 13. October 2025
Severity: 10 Critical

MITRE: CVE-2025-9265

CVE-2025-8915: Hardcoded TLS private key in Kiloview N30 firmware

Published: 13. October 2025
Severity: 8.7 High

MITRE: CVE-2025-8915

CVE-2025-10363: Unauthenticated RCE via .NET Deserialization in Topal Finance Software

Published: 06. October 2025
Severity: 10 Critical

MITRE: CVE-2025-10363

CVE-2025-11226: Conditional processing of logback.xml configuration file, in conjunction with Spring Framework and Janino

Published: 01. October 2025
Severity: 5.9 Medium

MITRE: CVE-2025-11226

CVE-2025-6202: Phoenix: Rowhammer attack on Hynix DDR5 devices

Published: 15. September 2025
Severity: 7.1 High

MITRE: CVE-2025-6202

CVE-2025-9071: Insecure RSA-OAEP implementation with all-zero seed for padding in Oberon PSA Crypto

Published: 29. August 2025
Severity: 2.3 Low

MITRE: CVE-2025-9071

CVE-2025-7383: Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in Oberon PSA Crypto library

Published: 29. August 2025
Severity: 5.9 Medium

MITRE: CVE-2025-7383

CVE-2025-7071: Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in ocrypto library

Published: 29. August 2025
Severity: 5.9 Medium

MITRE: CVE-2025-7071

CVE-2025-7426: MINOVA TTA Information Disclosure and Credential Exposure

Published: 25. August 2025
Severity: Critical 9.3

MITRE: CVE-2025-7426

CVE-2024-12310 Imprivata - Login screen bypass

Published: 23 July 2025
Severity: 7.0 High

MITRE: CVE-2024-12310

CVE-2025-6056 Airlock IAM user enumeration

Published: 04. July 2025
Severity: 6.9 Medium

MITRE: CVE-2025-6056

CVE-2025-5598: airleader MASTER - Path Traversal

Published: 04 June 2025
Severity: Critical 9.2

MITRE: CVE-2025-5598

CVE-2025-5597: airleader MASTER - Authentication Bypass

Published: 04 June 2025
Severity: Critical 10.0

MITRE: CVE-2025-5597

CVE-2025-2407: Mobatime, Missing Authentication & Authorization in Web-API allows adversary unrestricted access

Published: 27 May 2025
Severity: Critical 9.4

MITRE: CVE-2025-2407

CVE-2025-40846: HaloITSM open redirect via the returnUrl

Published: 08 May 2025
Severity: 7.1 High

MITRE: CVE-2025-40846

CVE-2025-0669 BOINC Server Cross-Site Request Forgery

Published: 07. May 2025
Severity: 8.6 High

MITRE: CVE-2025-0669

CVE-2025-0668 BOINC Server Multiple SQL Injections

Published: 07. May 2025
Severity: 9.3 Critical

MITRE: CVE-2025-0668

CVE-2025-0667 BOINC Server Stored XSS Injection in pm.php

Published: 07. May 2025
Severity: 8.7 High

MITRE: CVE-2025-0667

CVE-2025-0666 BOINC Server Stored XSS Injection in host_venue_action.php

Published: 07. May 2025
Severity: 7 High

MITRE: CVE-2025-0666

CVE-2025-3519: Unblu Spark Replace uploaded files knowing the file upload ID

Published: 22 April 2025
Severity: 7.0 High

MITRE: CVE-2025-3519

CVE-2025-3518: Unblu Spark File Upload functionality possible even when disabled

Published: 22 April 2025
Severity: 5.3 Medium

MITRE: CVE-2025-3518

CVE-2025-1425: PocketBook InkPad, File Read Through Improper Sudo Privilege Management

Published: 04. March 2025
Severity: 4.7 Medium

MITRE: CVE-2025-1425

CVE-2025-1424: PocketBook InkPad, Privilege Escalation Through SUID Binary and Developer Mode

Published: 04. March 2025
Severity: 8.6 High

MITRE: CVE-2025-1424

CVE-2025-0425: bestinformed Web, Local Privilege Escalation via Config Manipulation

Published: 18. February 2025
Severity: 8.5 High

MITRE: CVE-2025-0425

CVE-2025-0424: bestinformed Web, Multiple Authenticated Stored Cross-Site Scripting

Published: 18. February 2025
Severity: 5.1 High

MITRE: CVE-2025-0424

CVE-2025-0423: bestinformed Web, Multiple Unauthenticated Stored Cross-Site Scripting

Published: 18. February 2025
Severity: 5.3 Medium

MITRE: CVE-2025-0423

CVE-2025-0422: bestinformed Web, Authenticated Remote Code Execution via ScriptVar

Published: 18. February 2025
Severity: 8.6 High

MITRE: CVE-2025-0422

CVE-2025-0001: Abacus ERP authenticated arbitrary file read vulnerability

Published: 17 February 2025
Severity: Medium 6.5

MITRE: CVE-2025-0001

CVE-2024-13503: Stack-Based Buffer Overflow in Newtec's update signaling causes RCE

Published: 17 January 2025
Severity: Critical 9.5

MITRE: CVE-2024-13503

CVE-2024-13502: Command injection in the NTC2218, NTC2250, NTC2299 modems' web interfaces

Published: 17 January 2025
Severity: Critical 9.3

MITRE: CVE-2024-13502

CVE-2024-12801: SaxEventRecorder vulnerable to Server-Side Request Forgery (SSRF) attacks

Published: 19 December 2024
Severity: Low 2.1

MITRE: CVE-2024-12801

CVE-2024-12798: Logback-core JaninoEventEvaluator vulnerability

Published: 19 December 2024
Severity: Medium 5.9

MITRE: CVE-2024-12798

CVE-2024-9102: phpLDAPadmin: Improper Neutralization of Formula Elements

Published: 19 December 2024
Severity: Medium 5.0

MITRE: CVE-2024-9102

CVE-2024-9101: phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php

Published: 19 December 2024
Severity: Low 2.1

MITRE: CVE-2024-9101

CVE-2024-12305: Object-Level Access Control Vulnerability Allows Unauthorized Access to Student Grades in Unifiedtransform

Published: 09 December 2024
Severity: Medium 4.3

MITRE: CVE-2024-12305

CVE-2024-12306: Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform

Published: 09 December 2024
Severity: Medium 4.3

MITRE: CVE-2024-12306

CVE-2024-12307: Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform

Published: 09 December 2024
Severity: Medium 4.3

MITRE: CVE-2024-12307

CVE-2024-9044: XML External Entity (XXE) Vulnerability in EasyTax

Published: 29 November 2024
Severity: Medium 4.6

MITRE: CVE-2024-9044

CVE-2024-8602: XML External Entity Attack in the Software Library taxstatement.jar

Published: 14 October 2024
Severity: Medium 6.3

MITRE: CVE-2024-8602

CVE-2024-6203: HaloITSM - Password Reset Poisoning

Published: 06 August 2024
Severity: High 8.3

MITRE: CVE-2024-6203

CVE-2024-6202: HaloITSM - SAML XML Signature Wrapping (XSW)

Published: 06 August 2024
Severity: Critical 9.8

MITRE: CVE-2024-6202

CVE-2024-6201: HaloITSM - Emailing Template Injection

Published: 06 August 2024
Severity: Medium 5.3

MITRE: CVE-2024-6201

CVE-2024-6200: HaloITSM - Stored Cross-Site Scripting in Tickets

Published: 06 August 2024
Severity: High 8.0

MITRE: CVE-2024-6200

Bludit - Insecure Token Generation

Published: 24 June 2024
Severity: Medium 6.0

MITRE: CVE-2024-24554

Bludit uses SHA1 as Password Hashing Algorithm

Published: 24 June 2024
Severity: Medium 5.9

MITRE: CVE-2024-24553

Bludit is Vulnerable to Session Fixation

Published: 24 June 2024
Severity: Medium 5.6

MITRE: CVE-2024-24552

Bludit - Remote Code Execution (RCE) through Image API

Published: 24 June 2024
Severity: High 8.9

MITRE: CVE-2024-24551

Bludit - Remote Code Execution (RCE) through File API

Published: 24 June 2024
Severity: High 8.9

MITRE: CVE-2024-24550

Improper Access Control Leads to Server-Side Request Forgery in Mautic

Published: 10 April 2024
Severity: MEDIUM 5.0

MITRE: CVE-2024-3448

Improper Access Control Issues Lead to Sensitive Data Exposure in Mautic

Published: 10 April 2024
Severity: MEDIUM 5.4

MITRE: CVE-2024-2731

Predictable Page Indexing Might Lead to Sensitive Data Exposure in Mautic

Published: 10 April 2024
Severity: MEDIUM 5.3

MITRE: CVE-2024-2730

Authenticated Remote Code Execution in Kiloview NDI N series products

Published: 21 March 2024
Severity: High 8.8

MITRE: CVE-2024-2162

Use of Hard-coded Credentials in Kiloview NDI N series products API middleware

Published: 21 March 2024
Severity: Critical 9.1

MITRE: CVE-2024-2161

WAF bypass of the ModSecurity v3 release line

Published: 30 January 2024
Severity: High 8.6

MITRE: CVE-2024-1019

Command Execution through Serial Interface of u-blox TOBY-L2

Published: 20 December 2023
Severity: High 7.6

MITRE: CVE-2023-0011

Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix

Published: 04. December 2023
Severity: 7.1 High

MITRE: CVE-2023-6481

Logback "receiver" DOS vulnerability

Published: 21 November 2023
Severity: 7.1 High

MITRE: CVE-2023-6378

Weak Access Control between Domains in Wing FTP Server <= 7.2.0

Published: 12. September 2023
Severity: 4.9 Medium

MITRE: CVE-2023-37881

Exposed Session Variable in Wing FTP Server <= 7.2.0

Published: 12. September 2023
Severity: 6.5 Medium

MITRE: CVE-2023-37879 

Insecure Default Permissions in Wing FTP Server <= 7.2.0

Published: 12. September 2023
Severity: 6.1 Medium

MITRE: CVE-2023-37878

Cross-Site Scripting Vulnerability in Wing FTP Server <= 7.2.0

Published: 12. September 2023
Severity: 3.0 Low

MITRE: CVE-2023-37875

Reflected XSS in BKG Ntrip Professional Caster version <=2.0.44

Published: 28. June 2023
Severity: 4.7 Medium

MITRE: CVE-2023-3034

Yellowbrik PEC-1864 authentication bypass

Published: 06. April 2023
Severity: 9.8 Critical

MITRE: CVE-2023-0750

Unauthenticated RCE affecting the AcyMailing plugin for Joomla

Published: 30. March 2023
Severity: 9.8 Critical

MITRE: CVE-2023-28731

Missing access control affecting the AcyMailing plugin for Joomla

Published: 30. March 2023
Severity: 6.5 Medium

MITRE: CVE-2023-28732

Stored XSS affecting the AcyMailing plugin for Joomla

Published: 30. March 2023
Severity: 7.2 High

MITRE: CVE-2023-28733

Hard coded credentials in elvexys ISOS firmwares

Published: 28. December 2022
Severity: 4.5 Medium

MITRE: CVE-2022-4780

Authentication bypass in elvexys StreamX using StreamView HTML component with public web server feature

Published: 28. December 2022
Severity: 7.5 High

MITRE: CVE-2022-4779

Path traversal in elvexys StreamX using StreamView HTML component with public web server feature

Published: 28. December 2022
Severity: 6.5 Medium

MITRE: CVE-2022-4778

STM32 USB Host Library Buffer Overflow

Published: 21. October 2022
Severity: 6.8 Medium

MITRE: CVE-2021-42553

Response body bypass in OWASP ModSecurity Core Rule Set via repeated HTTP Range header submission with a small byte range

Published: 20. September 2022
Severity: 7.5 HIGH

MITRE: CVE-2022-39958

Response body bypass in OWASP ModSecurity Core Rule Set via a specially crafted charset in the HTTP Accept header

Published: 20. September 2022
Severity: 7.3 HIGH

MITRE: CVE-2022-39957

Partial rule set bypass in OWASP ModSecurity Core Rule Set for HTTP multipart requests using character encoding in the Content-Type or Content-Transfer-Encoding header

Published: 20. September 2022
Severity: 7.3 HIGH

MITRE: CVE-2022-39956

Partial rule set bypass in OWASP ModSecurity Core Rule Set by submitting a specially crafted HTTP Content-Type header

Published: 20. September 2022
Severity: 7.3 HIGH

MITRE: CVE-2022-39955

Multi Factor Authentication Bypass in various versions of Abacus ERP

Published: 19. April 2022
Severity: 8.1 HIGH

MITRE: CVE-2022-1065

Insecure EBICS messages encryption implementation in ebics-java/ebics-java-client could allow an adjacent attacker to decrypt EBICS payloads

Published: 14. April 2022
Severity: 6.5 MEDIUM

MITRE: CVE-2022-1279

Novel attack against the Combined Charging System (CCS) in electric vehicles to remotely cause a denial of service

Published: 12. April 2022
Severity: 4.6 MEDIUM

MITRE: CVE-2022-0878

Reflected XSS in the search functionality of AlCoda NetBiblio WebOPAC

Published: 14. January 2022
Severity: 6.1 MEDIUM

MITRE: CVE-2021-42551

Attacker with privileges to edit configuration files is able to execute code through JNDI lookup, logback

Published: 16. December 2021
Severity: 6.6 MEDIUM

MITRE: CVE-2021-42550

Reflected XSS in the search functionality of WordPress, WP Cloud Plugins Use-Your-Drive

Published: 13. December 2021
Severity: 4.7 MEDIUM

MITRE: CVE-2021-42546

Reflected XSS in the search functionality of WordPress, WP Cloud Plugins Out-of-the-Box

Published: 13. December 2021
Severity: 4.7 MEDIUM

MITRE: CVE-2021-42547

Reflected XSS in the search functionality of WordPress, WP Cloud Plugins Share-one-Drive

Published: 13. December 2021
Severity: 4.7 MEDIUM

MITRE: CVE-2021-42548

Reflected XSS in the search functionality of WordPress, WP Cloud Plugins Lets-Box

Published: 13. December 2021
Severity: 4.7 MEDIUM

MITRE: CVE-2021-42549

Missing HTTPOnly flag on sensitive cookie in TopEase

Published: 30. November 2021
Severity: 8.1 - high

MITRE: CVE-2021-42115

Unauthorized Menu Item Access in TopEase

Published: 30. November 2021
Severity: 4.3 - medium

MITRE: CVE-2021-42116

UI Redressing in TopEase

Published: 30. November 2021
Severity: 3.5 - low

MITRE: CVE-2021-42117

Stored XSS in TopEase

Published: 30. November 2021
Severity: 8.1 - high

MITRE: CVE-2021-42118

Stored XSS in Search Function in TopEase

Published: 30. November 2021
Severity: 7.3 - high

MITRE: CVE-2021-42119

Missing Character Length (Denial of Service) in TopEase

Published: 30. November 2021
Severity: 6.5 - medium

MITRE: CVE-2021-42120

Denial of Service via Invalid Date Format in TopEase

Published: 30. November 2021
Severity: 4.3 - medium

MITRE: CVE-2021-42121

Denial of Service via Invalid Object Attribute in TopEase

Published: 30. November 2021
Severity: 4.3 - medium

MITRE: CVE-2021-42122

Missing Upload Filter in TopEase

Published: 30. November 2021
Severity: 7.3 - high

MITRE: CVE-2021-42123

Lack of Rate limiting in Authentication in TopEase

Published: 30. November 2021
Severity: 7.5 - high

MITRE: CVE-2021-42144

Insufficient Session Expiration in TopEase

Published: 30. November 2021
Severity: 8.1 - high

MITRE: CVE-2021-42145

Blacksmith, Scalable Rowhammering In the Frequency Domain to Bypass TRR Mitigations On Modern DDR4/LPDDR4X Devices

Published: 15. November 2021
Severity: 9.0 - critical

MITRE: CVE-2021-42114

Last modification 13.10.2025

https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cve-list.html