Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.
Unauthenticated access to Honeywell IQ4x building controller HMI. CVSS 10.0.
Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.
A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.
Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.
Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
GL-iNet GL-AR300M16 v4.3.11 has a command injection in the set_config function, adding to the growing list of injection vulnerabilities in this device. This is the fourth distinct command injection CVE for this router model.
GL-iNet GL-AR300M16 v4.3.11 contains another command injection vulnerability, this time via the module parameter in the M.get_system_log function. Part of a series of command injection flaws in this router model.
GL-iNet GL-AR300M16 v4.3.11 has multiple command injection vulnerabilities in the set_upgrade function through seven different parameters. Each parameter provides an independent code execution vector on the router.
GL-iNet GL-AR300M16 router (v4.3.11) is vulnerable to command injection through the string port parameter in the enable_echo_server function. Unauthenticated attackers can execute arbitrary commands on the router.
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Trane Tracer SC, SC+, and Concierge building automation controllers use broken cryptographic algorithms that allow attackers to bypass authentication and gain root access. These are critical building management systems controlling HVAC in commercial facilities.
Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.