Command injection in Tenda HG10 firmware allows remote attackers with high privileges to execute arbitrary system commands via the sysCmd parameter in /boaform/formSysCmd. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker can exploit this to achieve limited unauthorized access and potential system compromise.
Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.
Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated users to manipulate the group_id parameter in the user management component, potentially gaining unauthorized access to restricted functionality. An attacker with valid credentials can exploit this remotely, and public exploit code is already available. The vulnerability currently lacks a patch from the vendor.
House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. [CVSS 3.2 LOW]
Dir-823X Firmware versions up to 250416 is affected by improper restriction of excessive authentication attempts (CVSS 3.7).
Command injection in Tenda AC21 firmware versions 1.1.1.1/1.dmzip/16.03.08.16 allows authenticated remote attackers to execute arbitrary commands via the dmzIp parameter in the mDMZSetCfg function. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. [CVSS 2.4 LOW]