UTT HiPER 810 router firmware 1.7.4 has a stack buffer overflow in the /goform/setNat endpoint's strcpy function, enabling remote attackers to execute arbitrary code.
SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code execution through crafted knowledge base entries.
Movary has a third input validation vulnerability that allows authenticated users to delete arbitrary files from the server, potentially causing data loss or service disruption.
Movary has a second input validation vulnerability allowing authenticated users to write arbitrary files on the server, enabling code execution through web shell upload.
Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.
HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authenticated users to execute arbitrary code on the server through crafted submissions.
OpenStack keystonemiddleware 10.5 through 10.9 has an authentication spoofing vulnerability (CVSS 9.9) allowing attackers to bypass Keystone token validation and access any OpenStack service as any user.
MyTube self-hosted video downloader has an authorization bypass (CVSS 9.8) that allows unauthenticated access to administrative functions in versions 1.7.65 and prior.
Arcane Docker management interface prior to 1.13.2 has missing authentication, allowing unauthenticated attackers to manage Docker containers, images, and networks on the host.
Devolutions Server 2025.3.1 through 2025.3.6 contains a SQL injection vulnerability in the remote sessions component that allows attackers to manipulate database queries.
Altium 365 workspace endpoints had overly permissive CORS policies that allow unauthorized cross-origin access to workspace data, potentially exposing proprietary PCB designs and engineering data.