
Espressif Arduino-Esp32 vulnerabilities

7 known vulnerabilities affecting espressif/arduino-esp32.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 1

Vulnerabilities

CVE-2026-42854 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.3.8 | 2026-05-12
CVE-2026-42854 [CRITICAL] CWE-121: arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; bounda
Source: NVD

CVE-2024-45798 | P3 | CRITICAL | CVSS 9.9 | commits prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c | 2024-09-17
CVE-2024-45798 [CRITICAL] CWE-20: arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issue ha
Source: NVD

CVE-2025-53007 | P3 | HIGH | CVSS 8.9 | fixed in 3.2.1; >= 3.3.0-alpha1, < 3.3.0-RC1 | 2025-06-26
CVE-2025-53007 [HIGH] CWE-113: arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain an HTTP Response Splitting vulnerability. The `sendHeader` function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and appends this to the outgoing HTTP response headers. There is no validation or san
Source: NVD

CVE-2026-41429 | P3 | HIGH | CVSS 8.8 | fixed in 3.3.8 | 2026-04-24
CVE-2026-41429 [HIGH] CWE-121: arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from th
Source: NVD

CVE-2025-53540 | P3 | HIGH | CVSS 8.7 | fixed in 3.2.1 | 2025-07-07
CVE-2025-53540 [HIGH] CWE-352: arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to
Source: NVD

CVE-2026-42855 | P3 | HIGH | CVSS 7.5 | fixed in 3.3.8 | 2026-05-12
CVE-2026-42855 [HIGH] CWE-287: arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI.
Source: NVD

CVE-2019-12586 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.0.2; 1.0.3 | 2019-09-04
CVE-2019-12586 [MEDIUM]: The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.
Source: NVD