Hpe
Products by Hpe Sorted by Most Security Vulnerabilities since 2018
By the Year
So far in 2026, 72 vulnerabilities have been published for Hpe products, with an average score of 7.0 out of ten. Last year, in 2025, Hpe had 60 security vulnerabilities published. That is, 12 more vulnerabilities have already been reported in 2026 than last year. Last year's average CVE base score was higher by 0.09.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 72 | 7.00 |
| 2025 | 60 | 7.09 |
| 2024 | 7 | 8.81 |
| 2023 | 10 | 7.84 |
| 2022 | 11 | 7.44 |
| 2021 | 4 | 6.15 |
| 2020 | 3 | 6.90 |
| 2019 | 18 | 7.63 |
| 2018 | 234 | 0.00 |
It may take a day or so for new Hpe vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Hpe Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-44871 | May 12, 2026 | **HPE Aruba OS CLI Command Injection via PAPI** Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44873 | May 12, 2026 | **Session Management Bypass in HPE AOS-8 Allows Persistence Post Account Disable** A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled. | |
| CVE-2026-44874 | May 12, 2026 | **Authenticated Remote File Disclosure via Web UI in HPE AOS-10 Gateway** A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Successful exploitation of this vulnerability could result in the disclosure of confidential system information, potentially enabling further attacks against the affected device. | |
| CVE-2026-44872 | May 12, 2026 | **HPE AOS-8/10 Authenticated RMI Command Injection for Remote File Write** A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device. | |
| CVE-2026-44870 | May 12, 2026 | **AOS CLI Command Injection via PAPI** Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44869 | May 12, 2026 | **Command Injection in AOS-8/10 Web Mgt Interface** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44868 | May 12, 2026 | **HPE AOS-10/8 Web UI Cmd Injection** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44867 | May 12, 2026 | **HPE ArubaOS 8/10 Command Injection via Web Management Interface** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44866 | May 12, 2026 | **Command Injection in HPE AOS-8/10 Web Management Interface** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44865 | May 12, 2026 | **HPE AOS-8/10 OS Command Injection via Web GUI** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44864 | May 12, 2026 | **SQLi in HPE ArubaOS AOS-8/10 CLI OS Command Exec** SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44863 | May 12, 2026 | **HPE AOS CLI/MP SQLi Allows OS Command Exec** SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44862 | May 12, 2026 | **SQLi in HPE Aruba AOS-8/10 CLI/MT Protocol** SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44861 | May 12, 2026 | **SQLi in HPE Aruba AOS CLI enables OS command exec** SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44860 | May 12, 2026 | **SQLi in HP Aruba AOS-8/10 CLI allows OS Command Exec** SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-44859 | May 12, 2026 | **AOS-8/AOS-10 CLI Buf Overflow Enables Privileged Code Exec** Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system. | |
| CVE-2026-44858 | May 12, 2026 | **Stack Buffer Overflow in HPE AOS-8/10 CLI Services** Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system. | |
| CVE-2026-44857 | May 12, 2026 | **HPE AOS-8/10 CLI Buffer Overflow Exploits Exec Code** Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system. | |
| CVE-2026-44856 | May 12, 2026 | **AOS-8/10 OS CLI: Auth Buffer Overflow Enables Privileged Escalation** Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system. | |
| CVE-2026-44855 | May 12, 2026 | **Stack-based BF Overflow in HPE AOS-8/AOS-10 CLI Mgmt Servs** Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system. | |
| CVE-2026-44854 | May 12, 2026 | **Command Injection in AOS-8/AOS-10 Web Mgmt Interface - Upload & RCE** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user. | |
| CVE-2026-44853 | May 12, 2026 | **AOS-8/10 CMD Injection in Web Mgmt Allows Authenticated File Upload/RCE** Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user. | |
| CVE-2026-44852 | May 12, 2026 | **RCE via Path Validation in HPE AOS-8/AOS-10 Web UI** An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user. | |
| CVE-2026-23827 | May 12, 2026 | **Heap Buffer Overflow in HPE ArubaOS (AOS-8/10) Network Mgmt Service** A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process. | |
| CVE-2026-23826 | May 12, 2026 | **Unauth Remote DoS via Network Packets in AOS-8 NetMgt Service** A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulting in a denial-of-service condition. Successful exploitation could cause the affected service process to terminate unexpectedly, disrupting normal device operations. | |
| CVE-2026-23825 | May 12, 2026 | **HPE AOS 8/10 DoS via Unvalidated Network Messages in Protocol Handler** Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition. | |
| CVE-2026-23824 | May 12, 2026 | **ArubaOS 8/10 DoS via Unvalidated Network Protocol Messages** Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition. | |
| CVE-2026-23823 | May 12, 2026 | **CLI Command Injection in HPE Aruba AP AOS-10.7.x.x** A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. NOTE: This vulnerability only impacts Access Points running AOS-10.7.x.x and above. AOS-10.4 AP and AOS-8 Instant software branches are not affected by this vulnerability. | |
| CVE-2026-23822 | May 12, 2026 | **AOS-8 DHCP XML DoS via Unauth Remote Trigger** A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x. | |
| CVE-2026-23821 | May 12, 2026 | **HPE Aruba AOS-10 AP Authenticated Remote Command Exec via Config Processor (CVE-2026-23821)** A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. Note: Access Points running AOS-8 Instant software are not affected by this vulnerability. | |
| CVE-2026-23820 | May 12, 2026 | **Authenticated Remote Shell via CLI in HPE AOS-10/8 Instant APs** A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-23819 | May 12, 2026 | **Aruba AP: Remote JavaScript Exec via Web UI CVE-2026-23819** A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings. | |
| CVE-2026-23818 | Apr 07, 2026 | **Open Redirect in HPE Aruba Private 5G Core On-Prem GUI** A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploitation may redirect an authenticated user to an attacker-controlled server hosting a spoofed login page prompting the unsuspecting victim to give away their credentials, which could then be captured by the attacker, before being redirected back to the legitimate login page. | |
| CVE-2026-23817 | Mar 11, 2026 | **Unauth Remote URL Redirect in HPE AOS-CX Switch Web UI** A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL. | |
| CVE-2026-23816 | Mar 11, 2026 | **CLI Command Injection in HPE AOS-CX Switches** A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |
| CVE-2026-23815 | Mar 11, 2026 | **HPE AOS-CX CLI Custom Binary Command Injection** A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an authenticated remote attacker with high privileges to perform command injection. Successful exploitation could allow an attacker to execute unauthorized commands. | |
| CVE-2026-23814 | Mar 11, 2026 | **AOS-CX CLI Command Injection via Parameter Tampering** A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior. | |
| CVE-2026-23813 | Mar 11, 2026 | **Unauthenticated Auth Bypass & Admin Reset in AOS-CX Web UI** A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password. | |
| CVE-2026-23812 | Mar 04, 2026 | **AP Impersonation via Address-Based Spoofing Enables MitM on HPE Aruba** A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway by leveraging an address-based spoofing technique. Successful exploitation enables the redirection of data streams, allowing for the interception or modification of traffic intended for the legitimate network gateway via a Machine-in-the-Middle (MitM) position. | |
| CVE-2026-23811 | Mar 04, 2026 | **Client Isolation Bypass in HPE ArubaOS Enables Layer 3 MitM** A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassing policy enforcement, successful exploitation - when combined with a port-stealing attack - may enable a bi-directional Machine-in-the-Middle (MitM) attack. | |
| CVE-2026-23810 | Mar 04, 2026 | **HPE Aruba AP GTK-Reencrypt Vulnerability (CVE-2026-23810)** A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-addressed traffic and re-encrypt it using the Group Temporal Key (GTK) associated with the victim's BSSID. Successful exploitation may enable GTK-independent traffic injection and, when combined with a port-stealing technique, allows an attacker to redirect intercepted traffic to facilitate machine-in-the-middle (MitM) attacks across BSSID boundaries. | |
| CVE-2026-23809 | Mar 04, 2026 | **HPE WiFi BSSID Isolation Bypass via PortStealing** A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation may enable an attacker to redirect and intercept the victim's network traffic, potentially resulting in eavesdropping, session hijacking, or denial of service. | |
| CVE-2026-23808 | Mar 04, 2026 | **HPE Aruba WLAN Roaming Protocol GTK Injection Vulnerability** A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality. | |
| CVE-2026-23601 | Mar 04, 2026 | **Shared-Key Auth Spoofing in HPE Aruba Wi-Fi** A vulnerability has been identified in the wireless encryption handling of Wi-Fi transmissions. A malicious actor can generate shared-key authenticated transmissions containing targeted payloads while impersonating the identity of a primary BSSID. Successful exploitation allows for the delivery of tampered data to specific endpoints, bypassing standard cryptographic separation. | |
| CVE-2026-23600 | Mar 02, 2026 | **HPE AutoPass License Server Auth Bypass via Remote** A remote authentication bypass vulnerability exists in HPE AutoPass License Server (APLS). | |
| CVE-2026-23599 | Feb 17, 2026 | **CVE-2026-23599: Local Privilege Escalation in HPE Aruba ClearPass OnGuard (Linux)** A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking ClearPass OnGuard Software for Linux. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. | |
| CVE-2026-23598 | Feb 17, 2026 | **HPE Aruba 5G Core API Error Disclosure Reveals Sensitive Info** Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities. | |
| CVE-2026-23597 | Feb 17, 2026 | **Unauth Remote Info Disclosure via Aruba 5G Core API Error Handling** Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities. | |
| CVE-2026-23596 | Feb 17, 2026 | **Unauthenticated Management API Allows Remote Service Restart** A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability. | |
| CVE-2026-23595 | Feb 17, 2026 | **Auth Bypass API Allows Privileged Account Creation** An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system configurations, and access or manipulate sensitive data. | |