Cf-E7 Firmware versions up to 2.6.0.9 contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in Comfast CF-E7 firmware versions 2.6.0.9 and earlier allows remote authenticated attackers to execute arbitrary commands through the timestr parameter in the NTP timezone configuration function. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. An attacker with valid credentials can achieve remote code execution with medium impact on confidentiality, integrity, and availability.
A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. [CVSS 5.4 MEDIUM]
Improper access controls in the Sales endpoint of Yeqifu Warehouse allow authenticated remote attackers to manipulate sales records through the addSales, updateSales, and deleteSales functions, potentially compromising data integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available despite early notification to the developers.
Improper access controls in the Customer Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate customer data through the addCustomer, updateCustomer, and deleteCustomer functions. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. An attacker with valid credentials can achieve unauthorized information disclosure, modification, and denial of service with low attack complexity.
Improper access controls in the Cache Sync Handler of yeqifu Warehouse allow authenticated remote attackers to manipulate cache operations (deleteCache, removeAllCache, syncCache) and achieve unauthorized modification or denial of service. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
Improper access controls in the Inport Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate critical functions (addInport, updateInport, deleteInport) and gain unauthorized access to sensitive data or operations. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based deployments with network access to the warehouse application.
SQL injection in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the keyword parameter in the dictionary loading endpoint, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed over the network with low complexity.
A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. [CVSS 3.5 LOW]
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. [CVSS 3.7 LOW]
Connections versions up to 7.0 contains a vulnerability that allows attackers to obtain limited information when a single piece of internal metadata is returned (CVSS 3.5).
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. [CVSS 3.3 LOW]
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. [CVSS 2.7 LOW]
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.
Missing authorization in Dromara RuoYi-Vue-Plus up to version 5.5.3 allows authenticated remote attackers to delete workflow instances without proper access controls via the SaServletFilter component. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The flaw enables low-impact compromise of workflow data integrity with network accessibility and minimal attack complexity.
A vulnerability has been found in rachelos WeRSS we-mp-r versions up to 1.4.8. is affected by cross-site scripting (xss) (CVSS 3.5).
A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. [CVSS 3.3 LOW]