CVE-2026-46419 | CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-46419
14 May 2026 — Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation. • https://github.com/Yubico/java-webauthn-server/releases/tag/2.8.2 • CWE-253: Incorrect Check of Function Return Value •
CVE-2026-40947 | CVSS: 2.9 | EPSS: 0% | CPEs: 3 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-40947
15 Apr 2026 — Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path. • https://www.yubico.com/support/security-advisories/ysa-2026-01 • CWE-426: Untrusted Search Path •
CVE-2025-29991 | CVSS: 2.2 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-29991
03 Apr 2025 — Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification. • https://www.yubico.com/support/security-advisories/ysa-2025-02 • CWE-1390: Weak Authentication •
CVE-2025-23013 – Gentoo Linux Security Advisory 202501-04 | CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-23013
15 Jan 2025 — In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to k... • https://www.yubico.com/support/security-advisories/ysa-2025-01 • CWE-394: Unexpected Status Code or Return Value •
CVE-2024-45678 | CVSS: 4.2 | EPSS: 0% | CPEs: 18 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-45678
03 Sep 2024 — Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected. • https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel • CWE-203: Observable Discrepancy •
CVE-2024-31498 | CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-31498
04 Apr 2024 — Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator. • https://www.yubico.com/support/security-advisories/ysa-2024-01 • CWE-269: Improper Privilege Management •
CVE-2023-39908 | CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2023-39908
14 Aug 2023 — The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory. • https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln • CWE-125: Out-of-bounds Read •
CVE-2022-24584 | CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1
https://notcve.org/view.php?id=CVE-2022-24584
11 May 2022 — Incorrect access control in the Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. Yubico OTP supposedly creates hardware-bound second-factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubico's OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a sec... • https://demo.yubico.com/otp/verify • CWE-863: Incorrect Authorization •
CVE-2015-3298 | CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1
https://notcve.org/view.php?id=CVE-2015-3298
29 Mar 2022 — Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. When first powered up, a signature will be issued even though the PIN has not been validated. • https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2021-43399 | CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1
https://notcve.org/view.php?id=CVE-2021-43399
08 Dec 2021 — The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations, including SSH signing requests and some data operations received from a YubiHSM 2 device. • https://blog.inhq.net/posts/yubico-yubihsm-shell-vuln3 • CWE-787: Out-of-bounds Write •
