Information disclosure in AKIN Software's QRMenu (versions 1.05.12 up to the build dated 05.09.2025) allows unauthenticated remote attackers to access other users' or tenants' data by manipulating user-controlled identifiers in requests (IDOR). Reported by Turkey's national CSIRT (USOM); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Hard-coded credentials in Tenda RP3 Pro firmware (versions up to 22.5.7.93) allow local high-privilege attackers to bypass authentication during firmware updates via the force_upgrade.sh script. Public exploit code exists on GitHub. CVSS 7.0 (High) reflects local access requirement with high privileges, making this a lower real-world priority despite the severity rating - exploitation requires an attacker to already have administrative console access to the device.