彙總 Philips 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 路徑處理缺陷、跨站腳本、記憶體損壞與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 異常行為、檔案覆寫與工作階段劫持 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-3562 | Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ed25519_sign_open function. The issue results from improper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the | [email protected] | 8.8 | 0.02% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3561 | Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validat | [email protected] | 8.0 | 0.14% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3560 | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function of the HomeKit implementation, which listens on TCP port 8080 by default. The issue results from the lack of proper validatio | [email protected] | 8.8 | 0.07% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3559 | Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static | [email protected] | 8.1 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3558 | Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing | [email protected] | 8.1 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3557 | Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the hap_pair_verify_handler function of the hk_hap service, which listens on TCP port 8080 by | [email protected] | 8.0 | 0.16% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3556 | Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hk_hap_pair_storage_put function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based | [email protected] | 8.8 | 0.07% | 2026-03-16 | 2026-04-27 |
| CVE-2026-3555 | Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. User interaction is required to exploit this vulnerability in that the user must initiate the device pairing process. The specific flaw exists within the handling of custom Zigbee ZCL frames in the Model Info download functionality. The issue results f | [email protected] | 8.0 | 0.05% | 2026-03-16 | 2026-04-27 |
| CVE-2025-27955 | Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code. | [email protected] | 6.5 | 0.63% | 2025-06-02 | 2025-06-13 |
| CVE-2025-27954 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the usertoken function of default.aspx. | [email protected] | 6.5 | 0.64% | 2025-06-02 | 2025-06-13 |
| CVE-2025-27953 | An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component. | [email protected] | 6.5 | 0.56% | 2025-06-02 | 2025-06-13 |
| CVE-2023-40704 | The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity. | [email protected] | 5.7 | 0.06% | 2024-07-18 | 2025-04-09 |
| CVE-2018-8863 | The HTTP header in Philips EncoreAnywhere contains data an attacker may be able to use to gain sensitive information. | [email protected] | 5.9 | 0.13% | 2023-11-09 | 2024-11-21 |
| CVE-2021-39369 | In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. | [email protected] | 6.5 | 0.42% | 2022-12-26 | 2025-04-14 |
| CVE-2021-32966 | Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials. | [email protected] | 3.7 | 0.08% | 2022-05-25 | 2024-11-21 |
| CVE-2022-0922 | The software does not perform any authentication for critical system functionality. | [email protected] | 6.5 | 0.04% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33024 | Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval. | [email protected] | 3.7 | 0.18% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33022 | Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | [email protected] | 7.5 | 0.10% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33020 | Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | [email protected] | 8.2 | 0.18% | 2022-04-01 | 2024-11-21 |
| CVE-2021-33018 | The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information. | [email protected] | 7.5 | 0.14% | 2022-04-01 | 2024-11-21 |