汇总 Philips 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 路径处理缺陷、跨站脚本、内存损坏与CSRF,在 软件部署与生产负载 使用场景中可能带来 异常行为、文件覆盖与会话劫持 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-3562 | Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ed25519_sign_open function. The issue results from improper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the | [email protected] | 8.8 | 0.29% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3561 | Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validat | [email protected] | 8.0 | 0.50% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3560 | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validatio | [email protected] | 8.8 | 0.48% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3559 | Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static | [email protected] | 8.1 | 0.40% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3558 | Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing | [email protected] | 8.1 | 0.40% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3557 | Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by | [email protected] | 8.0 | 0.50% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3556 | Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based | [email protected] | 8.8 | 0.51% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3555 | Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. User interaction is required to exploit this vulnerability in that the user must initiate the device pairing process. The specific flaw exists within the handling of custom Zigbee ZCL frames in the Model Info download functionality. The issue results f | [email protected] | 8.0 | 0.36% | 2026-03-16 | 2026-06-17 |
| CVE-2025-27955 | Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code. | [email protected] | 6.5 | 0.29% | 2025-06-02 | 2026-06-17 |
| CVE-2025-27954 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the usertoken function of default.aspx. | [email protected] | 6.5 | 0.31% | 2025-06-02 | 2026-06-17 |
| CVE-2025-27953 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component. | [email protected] | 6.5 | 0.31% | 2025-06-02 | 2026-06-17 |
| CVE-2023-40704 | The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity. | [email protected] | 5.7 | 0.34% | 2024-07-18 | 2026-06-17 |
| CVE-2018-8863 | The HTTP header in Philips EncoreAnywhere contains data an attacker may be able to use to gain sensitive information. | [email protected] | 5.9 | 0.54% | 2023-11-09 | 2026-06-16 |
| CVE-2021-39369 | In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. | [email protected] | 6.5 | 0.86% | 2022-12-26 | 2026-06-17 |
| CVE-2021-32966 | Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials. | [email protected] | 3.7 | 0.42% | 2022-05-25 | 2026-06-16 |
| CVE-2022-0922 | The software does not perform any authentication for critical system functionality. | [email protected] | 6.5 | 0.38% | 2022-04-01 | 2026-06-17 |
| CVE-2021-33024 | Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval. | [email protected] | 3.7 | 0.86% | 2022-04-01 | 2026-06-16 |
| CVE-2021-33022 | Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | [email protected] | 7.5 | 0.58% | 2022-04-01 | 2026-06-16 |
| CVE-2021-33020 | Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | [email protected] | 8.2 | 0.57% | 2022-04-01 | 2026-06-16 |
| CVE-2021-33018 | The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information. | [email protected] | 7.5 | 0.53% | 2022-04-01 | 2026-06-16 |