D-Link DIR-895L router has command injection in the DHCP daemon via the hostname parameter during lease renewal. Any device requesting a DHCP lease with a malicious hostname achieves root code execution on the router. PoC available.
Sangfor O&M Management System (through 3.0.8) has a second command injection in /isomp-protocol/protocol/getCmd, also via sessionPath. Public exploit with higher EPSS (1.2%) than the first vulnerability.
EDIMAX BR-6208AC V2 router allows command injection through the pppUserName field via system() without sanitization. PoC available.
Sangfor Operation and Maintenance Management System (through 3.0.8) has OS command injection in /isomp-protocol/protocol/getHis via the sessionPath parameter. Public exploit available, vendor unresponsive.
BeeS Software BET Portal has SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and extract database contents. PoC available.
Operation And Maintenance Management System versions up to 3.0.8. is affected by command injection (CVSS 8.8).
In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system [CVSS 7.5 HIGH]
Vida V1 Pro Firmware versions up to 2.0.7 is affected by uncontrolled resource consumption (CVSS 7.5).
fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. [CVSS 7.5 HIGH]
** Disputed ** An Information Disclosure vulnerability in CouchCMS 2.4 allow an Admin user to read arbitrary files via traversing directories back after back. It can Disclosure the source code or any other confidential information if weaponize accordingly. [CVSS 6.5 MEDIUM]
Unauthenticated command injection via the hostname field enabling remote code execution with CVSS 10.0 and scope change. A separate vulnerability from CVE-2025-64090.
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compr...
Fastjson before 1.2.48 has a well-known autoType deserialization vulnerability enabling JNDI injection and RCE. Exploited in the wild since 2023 through GodzillaWebShell. Maximum CVSS 10.0 with scope change.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
Salesforce Uni2TS time series forecasting library (through 1.2.0) has a code injection vulnerability that allows leveraging executable code in non-executable files across all platforms.
Vivotek IP7137 camera ships without any admin password by default, and users are not informed they should set one. End-of-life product with no expected fix – all deployed cameras are likely exposed.
Frontend Admin by DynamiApps WordPress plugin (through 3.28.25) allows unauthenticated privilege escalation to administrator via insufficient role validation. Attackers can register as admins and take full control of the site.
Cross-site scripting in GitLab CE/EE (18.6 before 18.6.3 and 18.7 before 18.7.1) lets an unauthenticated attacker run arbitrary JavaScript in the browser of a logged-in victim who is lured to a specially crafted webpage, enabling session theft and actions performed as that authenticated user. The flaw carries a critical CVSS 9.6 with a scope change, reflecting impact that crosses from the vulnerable component into the victim's authenticated session. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the vendor-confirmed nature and HackerOne report indicate a credible, validated issue.
Cross-site scripting (XSS) in MediaWiki's GrowthExperiments extension (versions 1.39, 1.43, 1.44, 1.45) allows authenticated attackers to inject malicious scripts through improper input validation, with public exploit code available. An attacker with user privileges can exploit this vulnerability to perform actions on behalf of other users or steal sensitive information due to the low complexity attack vector and user interaction requirement. A patch is available for affected installations.
Cross-site scripting (XSS) in MediaWiki's Wikibase extension allows authenticated attackers to inject malicious scripts through improper input handling during page generation, affecting versions 1.39, 1.43, 1.44, and 1.45. Exploitation requires user interaction and results in limited confidentiality and integrity impact within the affected application context. A patch is available and public exploit code exists for this vulnerability.
Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. [CVSS 8.8 HIGH]
GestSup through version 3.2.60 fails to implement CSRF protections, enabling attackers to forge requests that execute actions with a victim's privileges when they visit a malicious site. An unauthenticated attacker can exploit this to create privileged administrative accounts by targeting logged-in users, with no patch currently available to remediate the vulnerability.
This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. [CVSS 8.6 HIGH]
Kiro IDE versions before 0.6.18 are vulnerable to command injection when processing maliciously named workspace folders in the GitLab Merge-Request helper, allowing local attackers with user interaction to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user interaction to open a crafted workspace, but no patch is currently available and exploitation requires minimal complexity. Users should restrict workspace access and avoid opening untrusted workspace folders until an update is released.
Improper output encoding in MediaWiki's Approved Revs extension through magic word replacement allows unauthenticated attackers to manipulate input data and conduct content injection attacks. Affected versions 1.39, 1.43, 1.44, and 1.45 are vulnerable to this network-accessible flaw that requires user interaction, and public exploit code exists. A patch is available to remediate the vulnerability.
A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. [CVSS 8.2 HIGH]
GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.
GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.
Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.
Galaxy Store versions up to 4.6.02 contains a vulnerability that allows attackers to execute arbitrary script (CVSS 7.8).
Arbitrary code execution in the Android PROCA driver before the January 2026 security update results from a use-after-free vulnerability accessible to local attackers with basic privileges. An attacker with local access can exploit this memory safety flaw to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity vulnerability.
Android versions up to 15.0 contains a vulnerability that allows attackers to execute the privileged APIs (CVSS 7.8).
A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. [CVSS 7.6 HIGH]
Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected t...
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. [CVSS 7.5 HIGH]
Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107. [CVSS 7.3 HIGH]
Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. [CVSS 7.2 HIGH]
Frontend Admin by DynamiApps (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]
The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting. [CVSS 6.8 MEDIUM]
Arbitrary code execution in Android's DualDAR component prior to the January 2026 security patch stems from a use-after-free memory vulnerability that can be exploited by local attackers with elevated privileges. An attacker with high-level device access could leverage this flaw to execute arbitrary code with system-level permissions. No patch is currently available, leaving affected devices vulnerable until the SMR January 2026 Release 1 update is deployed.
A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. [CVSS 6.5 MEDIUM]
Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. [CVSS 6.5 MEDIUM]
The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 6.5 MEDIUM]
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. [CVSS 6.5 MEDIUM]
A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]