MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method without authentication due to improper use of gr() (which reads from $_REQUEST), allowing attackers to redirect update URLs and push malicious code packages.
MajorDoMo home automation platform allows unauthenticated remote code execution through the admin panel's PHP console. An include order bug in panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the PHP code execution functionality in inc_panel_ajax.php.
Unauthenticated OS command injection in MajorDoMo via rc/index.php. EPSS 41.7% — the $param variable is passed unsanitized to shell commands. PoC available.
Unauthenticated stack-based buffer overflow in /cgi-bin/api.values.get HTTP API endpoint. EPSS 41.1% indicates very high exploitation probability. Patch available.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.
Missing authentication in CodeAstro Membership Management System 1.0 delete_members.php allows unauthenticated deletion of member records. PoC available.
Buffer overflow in MailCarrier 2.51 POP3 server via USER command allows remote attackers to execute arbitrary code. Network-exploitable without authentication. PoC available.
Buffer overflow in Ayukov NFTP client 1.71 in SYST command handling allows remote FTP servers to execute arbitrary code on connecting clients. PoC available.
Buffer overflow in ChaosPro 2.0 fractal generator via configuration file path handling allows code execution through crafted configuration files. PoC available.
Insecure default telnet credentials in UTT HiPER 810 router firmware v1.5.0. Default credentials are publicly known, enabling unauthenticated access to the router management. PoC available.
SQL injection in code-projects Community Project Scholars Tracking System 1.0 admin user management. Allows database compromise via admin panel. PoC available.
Buffer overflow in WMV to AVI MPEG DVD Convertor 4.6.1217 allows code execution via crafted media files. PoC available.
SQL injection in CodeAstro Membership Management System 1.0 via ID parameter in print_membership_card.php enables unauthenticated database access. PoC available.
Incorrect access control in SourceCodester Customer Support System 1.0 allows unauthenticated access to AJAX dispatcher, enabling full system compromise. PoC available.
Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.
Missing authentication on multiple admin action scripts in ProjectWorlds Online Time Table Generator allows unauthenticated users to perform administrative operations. PoC available.
Arbitrary code execution in the NLTK (Natural Language Toolkit) Python library affects all versions through its data downloader: the _unzip_iter function in nltk/downloader.py calls zipfile.extractall() with no path validation, so a malicious data package can drop attacker-controlled Python files (e.g. __init__.py) that execute automatically on import. Any application that downloads NLTK data from an attacker-influenced source is exposed to full remote code execution. Publicly available exploit code exists (huntr.com bounty), EPSS is modest at 0.57% (68th percentile), and there is no public exploit identified as actively exploited in CISA KEV.
Scholars Tracking System versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. [CVSS 8.8 HIGH]
Centova Cast 3.2.11 contains a file download vulnerability that allows authenticated attackers to retrieve arbitrary system files through the server.copyfile API endpoint. [CVSS 8.8 HIGH]
Aida64 Engineer 6.10.5200 contains a buffer overflow vulnerability in the CSV logging configuration that allows attackers to execute malicious code by crafting a specially designed payload. [CVSS 9.8 CRITICAL]
Control Center PRO 6.2.9 contains a stack-based buffer overflow vulnerability in the user creation module's username field that allows attackers to overwrite Structured Exception Handler (SEH). [CVSS 8.4 HIGH]
Unauthenticated SQL injection in MajorDoMo's commands module allows remote attackers to extract database contents including unsalted MD5 password hashes without authentication, enabling credential compromise and admin panel access. The vulnerability stems from unsanitized $_GET parameters in SQL queries accessible via the /objects/?module=commands endpoint, and public exploit code is available. Affected versions lack a patch and impact both MajorDoMo and PHP installations running this software.
SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. [CVSS 8.2 HIGH]
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. [CVSS 7.5 HIGH]
Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. [CVSS 7.5 HIGH]
Online Time Table Generator versions up to 1.0 is affected by missing authentication for critical function (CVSS 7.5).
Unauthenticated attackers can read arbitrary files from InvoicePlane servers through path traversal in the Guest controller's file retrieval function, potentially exposing database credentials and other sensitive configuration data. This vulnerability affects InvoicePlane versions up to 1.6.3 and has public exploit code available. Version 1.6.4 resolves the issue.
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a denial of service vulnerability in the admin configuration page. [CVSS 7.5 HIGH]
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR). [CVSS 7.5 HIGH]
Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.
FileOptimizer 14.00.2524 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the FileOptimizer32.ini configuration file. [CVSS 7.5 HIGH]
Foscam Video Management System 1.1.4.9 contains a denial of service vulnerability in the username input field that allows attackers to crash the application. Attackers can overwrite the username with a 520-byte buffer of repeated 'A' characters to trigger an application crash during device login. [CVSS 7.5 HIGH]
ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer in the Servername field. Attackers can paste a 257-character buffer during login to trigger an application crash on iOS devices. [CVSS 7.5 HIGH]
Unauthenticated module deletion in Majordomo's market module allows remote attackers to completely disable installations through a series of GET requests. The vulnerability stems from improper authentication checks that expose the uninstall functionality without requiring credentials, enabling attackers to iteratively remove all modules and associated files. Public exploit code exists for this high-severity flaw, and no patch is currently available.
XMedia Recode 3.4.8.6 contains a denial of service vulnerability that allows attackers to crash the application by loading a specially crafted .m3u playlist file. Attackers can create a malicious .m3u file with an oversized buffer to trigger an application crash when the file is opened. [CVSS 7.5 HIGH]
iSmartViewPro 1.3.34 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the camera ID input field. Attackers can paste a 257-character buffer into the camera DID and password fields to trigger an application crash on iOS devices. [CVSS 7.5 HIGH]
Wmv To Avi Mpeg Dvd Wmv Convertor versions up to 4.6.1217 is affected by stack-based buffer overflow (CVSS 7.5).
Video Conferencing with Zoom WordPre versions up to 4.6.6 is affected by improper authentication (CVSS 7.5).
MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.
mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. [CVSS 6.5 MEDIUM]
Hospital Management System versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).
Hospital Management System versions up to 4.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. [CVSS 6.4 MEDIUM]
ipPulse 1.92 contains a denial of service vulnerability that allows local attackers to crash the application by providing an oversized input in the Enter Key field. Attackers can generate a 256-byte buffer of repeated 'A' characters to trigger an application crash when pasting the malicious content. [CVSS 6.2 MEDIUM]
IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. [CVSS 6.1 MEDIUM]
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. [CVSS 6.1 MEDIUM]