Philips 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには パス処理の欠陥、vendor risk cross-site scripting、vendor risk memory corruption, and vendor risk csrf があり、vendor surface software deployment の利用場面で vendor impact unexpected behavior、ファイル上書き, and vendor impact session compromise などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-3562 | Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ed25519_sign_open function. The issue results from improper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the | [email protected] | 8.8 | 0.02% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3561 | Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validat | [email protected] | 8.0 | 0.14% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3560 | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validatio | [email protected] | 8.8 | 0.07% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3559 | Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static | [email protected] | 8.1 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3558 | Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing | [email protected] | 8.1 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3557 | Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by | [email protected] | 8.0 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3556 | Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based | [email protected] | 8.8 | 0.07% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3555 | Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. User interaction is required to exploit this vulnerability in that the user must initiate the device pairing process. The specific flaw exists within the handling of custom Zigbee ZCL frames in the Model Info download functionality. The issue results f | [email protected] | 8.0 | 0.05% | 2026-03-16 | 2026-04-27 |
| CVE-2025-27955 | Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code. | [email protected] | 6.5 | 0.63% | 2025-06-02 | 2025-06-13 |
| CVE-2025-27954 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the usertoken function of default.aspx. | [email protected] | 6.5 | 0.64% | 2025-06-02 | 2025-06-13 |
| CVE-2025-27953 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component. | [email protected] | 6.5 | 0.56% | 2025-06-02 | 2025-06-13 |
| CVE-2023-40704 | The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity. | [email protected] | 5.7 | 0.06% | 2024-07-18 | 2025-04-09 |
| CVE-2018-8863 | The HTTP header in Philips EncoreAnywhere contains data an attacker may be able to use to gain sensitive information. | [email protected] | 5.9 | 0.13% | 2023-11-09 | 2024-11-21 |
| CVE-2021-39369 | In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. | [email protected] | 6.5 | 0.42% | 2022-12-26 | 2025-04-14 |
| CVE-2021-32966 | Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials. | [email protected] | 3.7 | 0.08% | 2022-05-25 | 2024-11-21 |
| CVE-2022-0922 | The software does not perform any authentication for critical system functionality. | [email protected] | 6.5 | 0.04% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33024 | Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval. | [email protected] | 3.7 | 0.18% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33022 | Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | [email protected] | 7.5 | 0.10% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33020 | Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | [email protected] | 8.2 | 0.18% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33018 | The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information. | [email protected] | 7.5 | 0.14% | 2022-04-01 | 2024-11-21 |