Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in TOTOLINK LR350 V9.3.5u.6369_B20220309 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in TOTOLINK N350RT V9.3.5u.6139_B20201216 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in the handler function in /goform/telnet of Tenda FH1201 v1.2.0.14 (408) allows attackers to execute arbitrary commands via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Projectworlds Online Examination System v1.0 is vulnerable to SQL Injection via the subject parameter in feed.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
zkvyper is a Vyper compiler. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.