Buffer overflow in Totolik LR350 firmware allows authenticated remote attackers to achieve full system compromise through malicious SSID parameters in the wizard configuration endpoint. Public exploit code is available for this vulnerability, and no patch has been released, leaving deployed devices at immediate risk. The flaw requires valid credentials but enables complete confidentiality, integrity, and availability violations with network-level access.
Stack-based buffer overflow in Totolink LR350 firmware (version 9.3.5u.6369_B20220309) allows authenticated remote attackers to achieve complete system compromise through manipulation of the ssid parameter in the WiFi configuration function. Public exploit code is available and no patch has been released, leaving affected devices vulnerable to active exploitation. The vulnerability requires valid credentials but poses critical risk due to high-impact consequences including arbitrary code execution.
Unauthenticated remote attackers can exploit a buffer overflow in the WiFi configuration function of Totolink LR350 firmware version 9.3.5u.6369_B20220309 to achieve remote code execution with full system compromise. The vulnerability exists in the ssid parameter handler of /cgi-bin/cstecgi.cgi and requires only network access to trigger, with public exploit code already available. No patch is currently available for affected devices.
Buffer overflow in Totolink LR350 firmware allows authenticated remote attackers to achieve complete system compromise through a malformed SSID parameter in the WiFi guest configuration function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can execute arbitrary code with full system privileges.
Buffer overflow in TOTOLIK A3700R firmware version 9.1.2u.5822_B20200513 allows authenticated remote attackers to achieve complete system compromise through manipulation of the ssid parameter in the WiFi guest configuration function. Public exploit code exists for this vulnerability and no patch is currently available. An attacker with network access and valid credentials can execute arbitrary code with full system privileges.
Remote code execution in UTT 520W firmware versions through 1.7.7-180627 stems from a buffer overflow in the /goform/formWebAuthGlobalConfig endpoint, allowing authenticated attackers to execute arbitrary code with network access. Public exploit code is available for this vulnerability, and no patches have been released despite vendor notification. The high CVSS score of 8.8 reflects full compromise of confidentiality, integrity, and availability on affected devices.
Remote code execution in UTT 520W firmware 1.7.7-180627 via a buffer overflow in the /goform/ConfigExceptAli endpoint allows authenticated attackers to execute arbitrary code with high privileges. Public exploit code exists for this vulnerability, and no patch is available from the vendor despite early disclosure notification. Affected organizations running vulnerable 520W devices should immediately isolate or replace equipment until a security update becomes available.
Remote code execution in UTT 520W firmware 1.7.7-180627 stems from a buffer overflow in the /goform/ConfigExceptMSN endpoint accessible to authenticated users. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve complete system compromise including data theft, modification, and service disruption.
Buffer overflow in UTT 520W firmware version 1.7.7-180627 allows authenticated remote attackers to execute arbitrary code through the /goform/ConfigExceptQQ endpoint via unsafe string operations. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability affects confidentiality, integrity, and availability with CVSS 8.8 severity.
SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit.
Tugtainer versions before 1.16.1 transmit authentication credentials through URL query parameters rather than request bodies, causing passwords to be exposed in server logs, browser history, and proxy logs. This exposure allows attackers with access to these logs or cached data to obtain valid credentials for the Docker container management system. Public exploit code exists for this vulnerability, and a patch is available in version 1.16.1.
Remote attackers can read arbitrary files from SiYuan servers (versions prior to 3.5.4) by exploiting server-side HTML rendering in the markdown feature. The path traversal vulnerability (CWE-22) requires no authentication and has low attack complexity, making it trivially exploitable. A public exploit exists and EPSS scoring indicates 9% exploitation probability (25th percentile), suggesting limited but active reconnaissance. Vendor patch available in version 3.5.4.
Denial of service and potential remote code execution affects FreeRDP RDP clients prior to version 3.21.0, where deleting an offscreen bitmap leaves the gdi->drawing pointer referencing freed memory and subsequent update packets trigger a use-after-free (CWE-416). A malicious or compromised RDP server can drive a connected client into the freed-memory access, reliably crashing it and potentially corrupting the heap for code execution depending on allocator state. Publicly available exploit code exists, though EPSS exploitation probability is low (0.17%, 38th percentile) and the issue is not listed in CISA KEV.
Client-side denial of service in the FreeRDP RDP client (X11 frontend) prior to version 3.21.0 lets a malicious or compromised RDP server crash the connecting client and potentially corrupt its heap. The flaw is a double-free of the cursor pixel buffer in xf_Pointer_New: on an allocation/setup failure the function frees cursorPixels, and a later pointer_free call invokes xf_Pointer_Free which frees the same buffer again (CWE-416 use-after-free/double-free). Publicly available exploit code exists and an EPSS of 0.17% indicates currently low probability of widespread exploitation; impact is rated availability-only (VA:H), though the description notes heap-corruption could escalate to code execution depending on allocator behavior.
Denial of service (and potential code execution) in FreeRDP RDP clients before 3.21.0 lets a malicious or compromised RDP server overflow a client-side heap buffer during ClearCodec band decoding. By supplying crafted band coordinates that drive writes past the destination surface buffer, the server crashes the connecting client and may corrupt the heap. Publicly available exploit code exists; EPSS is low (0.15%, 35th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation.
Denial of service and potential remote code execution in the FreeRDP client (all versions prior to 3.21.0) stems from a heap buffer overflow in the RDPGFX ClearCodec decoder (libfreerdp/codec/clear.c). A malicious or compromised RDP server can send crafted residual data that triggers out-of-bounds heap writes during color output on the connecting client, crashing it and potentially corrupting the heap. Publicly available exploit code exists and the GitHub advisory marks it exploitable, but the EPSS probability is low (0.15%, 35th percentile) and it is not listed in CISA KEV.
Client-side heap buffer overflow in FreeRDP before version 3.21.0 lets a malicious or compromised RDP server crash connecting clients and potentially corrupt heap memory. The flaw lives in the planar codec's `freerdp_bitmap_decompress_planar`, which fails to bound-check decoded bitmap dimensions before RLE decompression, yielding a denial-of-service with a speculative code-execution path. Publicly available exploit code exists via the GitHub Security Advisory, though EPSS exploitation probability remains low (0.15%) and it is not on CISA KEV.
Denial of service and potential heap corruption in the FreeRDP client (all versions prior to 3.21.0) arises in the graphics pipeline's gdi_SurfaceToSurface path, where destination-rectangle clamping does not match the actual copy size. A malicious or compromised RDP server can drive a connected client into a heap buffer overflow, reliably crashing it and, depending on allocator state and heap layout, opening a path to code execution. Publicly available exploit code exists, but EPSS exploitation probability is low (0.13%, 33rd percentile) and the issue is not listed in CISA KEV.
Client-side heap buffer overflow in FreeRDP's ClearCodec decoder (versions prior to 3.21.0) lets a malicious or compromised RDP server corrupt a connecting client's memory. When `glyphData` is present, `clear_decompress` invokes `freerdp_image_copy_no_overlap` without validating the destination rectangle, producing an out-of-bounds read/write via crafted RDPGFX surface updates. Publicly available exploit code exists (per the GitHub Security Advisory), but it is not listed in CISA KEV and EPSS is low (0.13%, 33th percentile); confirmed impact is denial of service with a residual, allocator-dependent code-execution risk.
FreeRDP versions before 3.21.0 contain a buffer overflow in FastGlyph parsing where a malicious Remote Desktop server can crash the client by sending specially crafted glyph data that bypasses length validation. A remote attacker can exploit this vulnerability without authentication to cause denial of service, and public exploit code exists. The vulnerability affects FreeRDP clients connecting to untrusted or compromised RDP servers, with no patch currently available for most deployments.
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-va...
ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.
Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.
The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.
Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.
Devolutions Server versions 2025.3.1 through 2025.3.12 contain an authorization bypass in the virtual gateway component that allows authenticated attackers with high privileges to circumvent IP-based deny rules. This vulnerability could enable attackers to access restricted resources or bypass network-level security controls. No patch is currently available.
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. [CVSS 7.5 HIGH]
A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. [CVSS 7.5 HIGH]
HarfBuzz::Shaper for Perl versions before 0.032 contain a null pointer dereference in the bundled HarfBuzz library that allows remote attackers to cause a denial of service without authentication or user interaction. The vulnerability affects applications using vulnerable versions of the library and results in service unavailability. No patch is currently available.
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions up to 6.5 is affected by improper certificate validation (CVSS 7.4).
OnboardLite's user migration feature in the admin dashboard is vulnerable to stored cross-site scripting, allowing authenticated attackers to inject malicious scripts that execute when administrators process Discord account migrations. This vulnerability affects versions prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f and could enable session hijacking or credential theft targeting privileged users. No patch is currently available.
Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.