Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 79.3%.
The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially crafted requests to the management console. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.7%.
Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Screensavercc component in eLux RP before 5.5.0 allows attackers to bypass intended configuration restrictions and execute arbitrary commands with root privileges by inserting commands in a local. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.