8.8
CVE-2026-30784 - RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check
Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associβ¦
8.8
CVE-2026-30783 - RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/synβ¦
9.3
CVE-2026-30790 - RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSSβ¦
9.3
CVE-2026-30789 - RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks
Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). Tβ¦
8.2
CVE-2026-30798 - RustDesk Client Accepts Unauthenticated stop-service Command via Strategy Payload
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is β¦
9.3
CVE-2026-30797 - RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server
Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flβ¦
8.7
CVE-2026-25048 - xgrammar: Multi-layer nesting causes DoS
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
5.4
CVE-2025-64166 - Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlenβ¦
8.7
CVE-2026-30796 - RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source β API endpoint handling heβ¦
8.7
CVE-2026-30795 - RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routinβ¦