彙總 Yahoo 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 跨站腳本、路徑處理缺陷與輸入驗證問題 相關,可能在 生產負載與軟體部署 場景中帶來 記憶體損壞與工作階段劫持 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-34043 | Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5. | [email protected] | 5.9 | 0.47% | 2026-03-30 | 2026-06-17 |
| CVE-2019-6035 | Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page. | [email protected] | 6.1 | 1.12% | 2019-12-26 | 2026-06-16 |
| CVE-2017-2253 | Untrusted search path vulnerability in Installer of Yahoo! Toolbar (for Internet explorer) v8.0.0.6 and earlier, with its timestamp prior to June 13, 2017, 18:18:55 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | [email protected] | 7.8 | 1.08% | 2017-07-17 | 2026-06-16 |
| CVE-2014-7216 | Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in an emoticons.xml file. | [email protected] | 9.3 | 6.83% | 2015-09-11 | 2026-06-16 |
| CVE-2014-5881 | The Yahoo! Japan Box (aka jp.co.yahoo.android.ybox) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | [email protected] | 5.4 | 0.35% | 2014-09-11 | 2026-06-16 |
| CVE-2013-6853 | Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim. | [email protected] | 4.3 | 1.93% | 2014-01-25 | 2026-06-16 |
| CVE-2013-6780 | Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter. | [email protected] | 4.3 | 2.38% | 2013-11-13 | 2026-06-16 |
| CVE-2013-4700 | The Yahoo! Japan Shopping application 1.4 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | [email protected] | 5.8 | 0.52% | 2013-08-21 | 2026-06-16 |
| CVE-2013-4699 | The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | [email protected] | 5.8 | 0.52% | 2013-08-21 | 2026-06-16 |
| CVE-2013-4942 | Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. | [email protected] | 4.3 | 1.19% | 2013-07-29 | 2026-06-16 |
| CVE-2013-4941 | Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. | [email protected] | 4.3 | 1.19% | 2013-07-29 | 2026-06-16 |
| CVE-2013-4940 | Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression. | [email protected] | 4.3 | 1.49% | 2013-07-29 | 2026-06-16 |
| CVE-2013-4939 | Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. | [email protected] | 4.3 | 1.49% | 2013-07-29 | 2026-06-16 |
| CVE-2013-4873 | The Yahoo! Tumblr app before 3.4.1 for iOS sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. | [email protected] | 5.0 | 2.07% | 2013-07-18 | 2026-06-16 |
| CVE-2013-2316 | The Yahoo! Browser application 1.4.4 and earlier for Android allows remote attackers to spoof the address bar via vectors related to URL display, a different vulnerability than CVE-2013-2307. | [email protected] | 5.8 | 1.52% | 2013-06-03 | 2026-06-16 |
| CVE-2013-2307 | The Yahoo! Browser application before 1.4.3 for Android allows remote attackers to spoof the address bar via a crafted web site. | [email protected] | 5.8 | 1.46% | 2013-04-26 | 2026-06-16 |
| CVE-2012-5883 | Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore.swf, a similar issue to CVE-2010-4209. | [email protected] | 4.3 | 2.10% | 2012-11-16 | 2026-06-16 |
| CVE-2012-5882 | Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader.swf, a similar issue to CVE-2010-4208. | [email protected] | 4.3 | 2.40% | 2012-11-16 | 2026-06-16 |
| CVE-2012-5881 | Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to charts.swf, a similar issue to CVE-2010-4207. | [email protected] | 4.3 | 2.45% | 2012-11-16 | 2026-06-16 |
| CVE-2012-2647 | Yahoo! Toolbar 1.0.0.5 and earlier for Chrome and Safari allows remote attackers to modify the configured search URL, and intercept search terms, via a crafted web page. | [email protected] | 5.8 | 1.28% | 2012-07-31 | 2026-06-16 |