
CWE-1395 — Vulnerability Class 34

34 vulnerabilities classified as CWE-1395. AI Chinese analysis included.

CWE-1395 represents a critical architectural weakness where software relies on third-party components containing known vulnerabilities. This flaw typically arises when developers integrate external libraries, modules, or intellectual property without thoroughly vetting their security posture. Attackers exploit this dependency by targeting the specific vulnerabilities within the third-party code, using them as a foothold to compromise the entire application. Since the vulnerable component is often deeply integrated, exploiting it can lead to remote code execution, data breaches, or system takeover. To mitigate this risk, developers must implement rigorous supply chain security practices, including continuous monitoring for security advisories, automated vulnerability scanning of dependencies, and timely patching. Additionally, maintaining an accurate bill of materials and restricting the use of outdated or unmaintained libraries are essential strategies for minimizing exposure to these indirect attack vectors.

MITRE CWE Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities. Many products are large enough or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, even an entire operating system might be from a third-party supplier in some hardware products. Whether open or closed source, these components may contain publicly known vulnerabilities or hidden functionality such as malware that could be exploited by adversaries to compromise the product.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Varies by Context.
The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and featur…
Mitigations (5)
Phase: Requirements, Policy. In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are di…
Phase: Requirements. Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Phase: Architecture and Design, Implementation, Integration, Manufacturing. Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phase: Operation, Patching and Maintenance. Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phase: Operation, Patching and Maintenance. Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
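The SBOM and monitoring mitigations above, and the supply-chain practices in the introduction, come down to one recurring operation: joining the product's component inventory against the advisories its vendors publish. The following Python script is an added example and is not part of this page or of the MITRE entry. It loads a CycloneDX-style SBOM fragment and an advisory list, both constructed inline, and reports every component whose version falls inside an affected range. Components listed without a version are flagged as well, because an inventory entry that cannot be matched against advisories is itself a gap. Apart from CVE-2021-44228, which the Examples section names, the advisory identifiers are placeholders and the version ranges are invented for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not any real product's inventory).
# The last component deliberately lacks a version to exercise that failure mode.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "libsodium", "version": "1.0.19",
     "purl": "pkg:generic/libsodium@1.0.19"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "expat"}
  ]
}
"""

# Constructed advisory feed: each entry names a component and the affected
# range as [introduced, fixed). IDs other than the log4shell CVE are
# placeholders, and all ranges are invented for this example.
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-1", "name": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-PLACEHOLDER-2", "name": "libsodium",
     "introduced": "1.0.0", "fixed": "1.0.18"},
]


def parse_version(text):
    """Turn '1.2.11' or '4.009_002' into a tuple of ints for ordering.

    A pre-release suffix after '-' (e.g. '5.40.4-RC1') is dropped rather than
    ordered, which is sufficient for the numeric schemes in this example.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text.split("-")[0]))


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed, padding short tuples with 0."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def find_vulnerable(sbom_json, advisories):
    """Join SBOM components against advisories; return a list of findings.

    Each finding is {"name", "version", "advisory"}. A component with no
    version is reported with advisory "UNVERSIONED" so it is not silently
    treated as clean. Matching here is by component name; a production tool
    would key on the purl, which also carries ecosystem and namespace.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name")
        version = comp.get("version")
        if not version:
            findings.append({"name": name, "version": None,
                             "advisory": "UNVERSIONED"})
            continue
        for adv in advisories:
            if adv["name"] == name and in_range(version, adv["introduced"],
                                                adv["fixed"]):
                findings.append({"name": name, "version": version,
                                 "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['name']} {f['version'] or '(no version)'}: {f['advisory']}")
```

Run as a script, it lists log4j-core and zlib as affected and expat as unversioned; libsodium 1.0.19 sits above the placeholder range's fix version and is not reported. Re-running the same join whenever the advisory feed or the SBOM changes is the "continuously monitor" mitigation in its simplest form.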
Examples (2)
The "SweynTooth" vulnerabilities in Bluetooth Low Energy (BLE) software development kits (SDK) were found to affect multiple Bluetooth System-on-Chip (SoC) manufacturers. These SoCs were used by many products such as medical devices, Smart Home devices, wearables, and other IoT devices. [REF-1314] [REF-1315]
log4j, a Java-based logging framework, is used in a large number of products, with estimates in the range of 3 billion affected devices [REF-1317]. When the "log4shell" (CVE-2021-44228) vulnerability was initially announced, it was actively exploited for remote code execution, requiring urgent mitigation in many organizations. However, it was unclear how many products were affected, as Log4j would…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-59851 | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability | DFXAnalytics | 3.7 | Low | 2026-05-06
CVE-2025-15638 | Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt | Net::Dropbear | 9.8 (AI) | Critical (AI) | 2026-04-21
CVE-2024-14031 | Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library | Sereal::Encoder | 8.1 (AI) | High (AI) | 2026-03-31
CVE-2024-14030 | Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library | Sereal::Decoder | 8.1 (AI) | High (AI) | 2026-03-31
CVE-2026-4176 | Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib | perl | 9.8 | - | 2026-03-29
CVE-2026-23654 | GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability | GitHub Repo: Zero Shot scFoundation | 8.8 | High | 2026-03-10
CVE-2026-3257 | UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library | UnQLite | 9.8 | - | 2026-03-05
CVE-2026-3381 | Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib | Compress::Raw::Zlib | 9.8 | - | 2026-03-05
CVE-2026-0943 | HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability | HarfBuzz::Shaper | 6.5 (AI) | Medium (AI) | 2026-01-19
CVE-2025-69275 | Spectrum outdated java library in class-path | DX NetOps Spectrum | 6.1 (AI) | Medium (AI) | 2026-01-12
CVE-2025-15444 | Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium | Crypt::Sodium::XS | 8.1 | - | 2026-01-06
CVE-2025-13823 | Micro820®, Micro850®, Micro870® – Specialized Fuzzing Vulnerabilities | Micro820®, Micro850®, Micro870® | 7.5 (AI) | High (AI) | 2025-12-15
CVE-2025-12220 | Busybox 1.31.1 - Multiple Known Vulnerabilities | BLU-IC2 | 9.8 | - | 2025-10-25
CVE-2025-12219 | Vulnerable Components in Azure Access OS | BLU-IC2 | 8.8 | - | 2025-10-25
CVE-2025-34203 | Vasion Print (formerly PrinterLogic) Use of Outdated, End-Of-Life, and Vulnerable Third-Party Components | Print Virtual Appliance Host | 10.0 | - | 2025-09-19
CVE-2025-10226 | PostgreSQL Upgrade from v10 to v17.4 in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier to Address Multiple Vulnerabilities | AxxonOne C-Werk | 9.8 | Critical | 2025-09-10
CVE-2025-42927 | Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service) | SAP NetWeaver AS Java (Adobe Document Service) | 3.4 | Low | 2025-09-09
CVE-2025-40913 | Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow | Net::Dropbear | 9.8 (AI) | Critical (AI) | 2025-07-16
CVE-2024-26293 | Unauthenticated Path Traversal affecting Avid NEXIS | Avid NEXIS E-series | 9.8 (AI) | Critical (AI) | 2025-07-14
CVE-2022-4976 | Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities | Archive::Unzip::Burst | 8.8 (AI) | High (AI) | 2025-06-12
CVE-2025-40912 | CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode | CryptX | 9.8 (AI) | Critical (AI) | 2025-06-11
CVE-2025-40914 | Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow | CryptX | 9.8 (AI) | Critical (AI) | 2025-06-11
CVE-2020-36846 | IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library | IO::Compress::Brotli | 7.5 (AI) | High (AI) | 2025-05-30
CVE-2025-40906 | BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities | BSON::XS | 9.8 (AI) | Critical (AI) | 2025-05-16
CVE-2025-40907 | FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library | FCGI | 9.8 (AI) | Critical (AI) | 2025-05-16
CVE-2024-12740 | Dependency on Vulnerable Third-Party Component exposes Vulnerabilities in NI Vision Software | Vision Development Module | 7.8 | High | 2025-01-27
CVE-2024-11948 | GFI Archiver Telerik Web UI Remote Code Execution Vulnerability | Archiver | 9.8 | - | 2024-12-11
CVE-2024-6121 | NI SystemLink Server Ships Out of Date Redis Version | SystemLink Server | 7.8 | High | 2024-07-22
CVE-2024-32753 | TYCO Illustra Pro Gen 4 - JQuery version | TYCO Illustra Pro4 Fixed cameras | 9.1 (AI) | Critical (AI) | 2024-07-11
CVE-2024-38526 | pdoc embeds link to malicious CDN if math mode is enabled | pdoc | - | High | 2024-06-25

Values marked (AI) carried the site's "AI" tag in the original listing; "-" means the listing gave no value.

Vulnerabilities classified as CWE-1395 represent 34 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.