Skip to main content
CVE-2026-0841 HIGH POC This Week

Remote code execution in UTT 520W firmware via stack-based buffer overflow in the /goform/formPictureUrl endpoint allows authenticated attackers to achieve complete system compromise. The vulnerability stems from unsafe use of strcpy() when processing the importpictureurl parameter and lacks an available patch. Public exploit code exists for this high-severity issue affecting firmware version 1.7.7-180627.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0840 HIGH POC This Week

Remote code execution in UTT 520W firmware (version 1.7.7-180627) via a stack buffer overflow in the /goform/formConfigNoticeConfig endpoint allows unauthenticated attackers to execute arbitrary code with full system privileges. Public exploit code exists for this vulnerability and the vendor has not released a patch despite early notification. An attacker can trigger the overflow by manipulating the timestart parameter through a network request.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0838 HIGH POC This Week

Remote code execution in UTT 520W firmware 1.7.7-180627 via buffer overflow in the wireless configuration endpoint allows authenticated attackers to achieve complete system compromise with high integrity and availability impact. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. The flaw requires network access but no user interaction, making it readily exploitable in environments where administrative credentials are available or compromised.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0837 HIGH POC This Week

Remote code execution in UTT 520W Firmware 1.7.7-180627 via buffer overflow in the /goform/formFireWall endpoint allows authenticated attackers to achieve full system compromise through a malicious GroupName parameter. Public exploit code exists for this vulnerability and the vendor has not released a patch despite early notification. The attack requires only network access and valid credentials, presenting significant risk to affected deployments.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0839 HIGH POC This Week

Remote code execution in UTT 520W Firmware 1.7.7-180627 via buffer overflow in the /goform/APSecurity endpoint allows authenticated attackers to achieve full system compromise through manipulation of the wepkey1 parameter. Public exploit code exists for this vulnerability and the vendor has not released a patch despite early notification. The high CVSS score of 8.8 reflects the critical nature of this remotely exploitable flaw affecting confidentiality, integrity, and availability.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0836 HIGH POC This Week

Remote code execution in UTT 520W firmware versions up to 1.7.7-180627 allows authenticated attackers to execute arbitrary code through a buffer overflow in the /goform/formConfigFastDirectionW endpoint via the ssid parameter. Public exploit code exists for this vulnerability and the vendor has not released a patch despite early notification. Attackers with valid credentials can achieve complete system compromise with high impact on confidentiality, integrity, and availability.

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68493 HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-0850 LOW POC Monitor

Intern Membership Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 4.7).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0842 LOW Monitor

Flycatcher Toys smART Sketcher versions up to 2.0 lack authentication in the Bluetooth Low Energy interface, allowing unauthenticated attackers on the local network to manipulate device functionality and potentially access sensitive data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0843 LOW Monitor

SQL injection in jjjfood and jjjshop_food PHP applications through the latitude parameter in /index.php/api/product.category/index allows authenticated attackers to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite notification. Affected installations up to version 20260103 should implement immediate mitigation measures.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15505 LOW Monitor

A vulnerability was found in Luxul XWR-600 versions up to 4.0.1. is affected by cross-site scripting (xss) (CVSS 2.4).

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15506 LOW PATCH Monitor

A vulnerability was found in AcademySoftwareFoundation OpenColorIO versions up to 2.5.0. is affected by buffer overflow (CVSS 3.3).

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy