Information disclosure in the Grandstream GXP1628 IP phone (firmware 1.0.4.130 and earlier) exposes sensitive directories and files because directory listing is enabled on the device web interface, letting attackers browse and retrieve files that should be protected. The flaw (CWE-548) can leak configuration data, credentials, or other sensitive artifacts stored on the device. Publicly available exploit code exists, though EPSS remains low at 0.31% (22nd percentile) and it is not listed in CISA KEV.
SQL injection in Z-Push IMAP backend allows unauthenticated remote attackers to access, modify, or delete data in linked third-party databases via malicious username values in basic authentication headers. Exploitation requires non-default IMAP_FROM_SQL_QUERY configuration. Publicly available exploit code exists (GitHub PR #161 demonstrates the vulnerability). CVSS 7.9 with network attack vector and no authentication required, though attack complexity increases due to the specific configuration prerequisite. Affects Z-Push versions before 2.7.6.
A buffer overflow vulnerability exists in the web service of multiple TP-Link router models including TL-WR841N v11, TL-WR842ND v2, and TL-WR494N v3, caused by missing input validation in /userRpm/WlanNetworkRpm.htm. An unauthenticated remote attacker can exploit this to crash the web service and cause a denial-of-service condition. The vulnerability has a low exploitation likelihood with EPSS score of 0.06% and affects products that are no longer supported by TP-Link.
HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).
Unauthenticated sensitive information disclosure in Grandstream UCM6510 unified communications appliances (firmware v.1.0.20.52 and earlier) exposes data via the Login function at the /cgi and /webrtccgi CGI endpoints. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction from any network position. A public proof-of-concept is available on GitHub; EPSS is low at 0.40% (32nd percentile) suggesting limited opportunistic scanning activity to date, but internet-exposed deployments are concretely at risk from targeted reconnaissance.
Unlimited brute-force authentication attempts against Grandstream UCM6510 IP PBX firmware v1.0.20.52 and earlier allow unauthenticated network attackers to enumerate and compromise user accounts through credential stuffing or dictionary attacks. The device imposes no rate limiting, lockout, or CAPTCHA mechanism on login attempts (CWE-307), making full account takeover feasible against any account with a weak or guessable password. No public exploit confirmation via CISA KEV exists, though a researcher-published GitHub gist documents the issue and EPSS sits at a low 0.28% (20th percentile), suggesting limited observed exploitation at this time.
Cross-site scripting in DECE Software Geodi before version 9.0.146 allows authenticated low-privileged remote attackers to inject malicious scripts that execute in other users' browsers, crossing a security scope boundary (S:C). The CVSS vector confirms network-accessible exploitation requiring only low-privilege authentication and victim interaction, making it a realistic internal threat vector in multi-user deployments. No public exploit code identified at time of analysis and EPSS of 0.13% (32nd percentile) signals low exploitation probability, though the scope change elevates post-exploitation impact potential beyond the attacker's own session.