Dragonfly

This hub aggregates every CVE we track for Dragonfly, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Dragonfly.

• CVE-2026-24124Dragonfly Manager Job API Allows Unauthenticated Access9.8Jan 22, 2026
• CVE-2025-59410Dragonfly tiny file download uses hard coded HTTP protocol3.7Sep 17, 2025
• CVE-2025-59354Dragonfly has weak integrity checks for downloaded files5.3Sep 17, 2025
• CVE-2025-59353Manager generates mTLS certificates for arbitrary IP addresses7.5Sep 17, 2025
• CVE-2025-59352Dragonfly allows arbitrary file read and write on a peer machine9.8Sep 17, 2025
• CVE-2025-59351Dragonfly possibly panics due to nil pointer dereference when using variables created alongside an error5.3Sep 17, 2025
• CVE-2025-59350Timing attacks against Proxy’s basic authentication are possible5.3Sep 17, 2025
• CVE-2025-59349Directories created via os.MkdirAll are not checked for permissions3.3Sep 17, 2025
• CVE-2025-59348Dragonfly incorrectly handles a task structure’s usedTraffic field7.5Sep 17, 2025
• CVE-2025-59347Dragonfly Manager makes requests to external endpoints with disabled TLS authentication6.5Sep 17, 2025
• CVE-2025-59346Dragonfly server-side request forgery vulnerability5.3Sep 17, 2025
• CVE-2025-59345Dragonfly did not enable authentication for some Manager’s endpoints9.1Sep 17, 2025
• CVE-2025-52935Integer Overflow or Wraparound vulnerability in dragonflydb/dragonfly8.8Jun 23, 2025
• CVE-2025-26269DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer.3.3Apr 17, 2025
• CVE-2025-26268DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. The validity of the scan cursor was not checked.3.3Apr 17, 2025