The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface exposed through accessible PCB pads, allowing information disclosure through direct hardware access. An attacker with physical access to the device can connect to the UART pins to read sensitive data, firmware contents, or configuration information without authentication. No CVSS score, EPSS metric, or KEV status is currently available, but a proof-of-concept and detailed security research have been published, confirming the vulnerability's practical exploitability.
aaPanel v7.57.0 contains a path validation vulnerability that allows local file inclusion (LFI) attacks, enabling attackers to read sensitive files and disclose confidential information. The vulnerability affects the aaPanel control panel application and requires local or proximal access to exploit. While no CVSS score or EPSS data is currently available, the presence of public references and vulnerability research repositories suggests active researcher interest and potential proof-of-concept availability.
A Regular Expression Denial of Service (ReDoS) vulnerability exists in aaPanel v7.57.0's VirtualHost configuration handling and parser component, allowing attackers to trigger catastrophic backtracking in regex pattern matching through specially crafted input. This vulnerability affects the aaPanel web server control panel management system, enabling unauthenticated or authenticated attackers to exhaust server resources and cause service unavailability. The vulnerability has been documented in public repositories including the mbiesiad vulnerability research project, indicating proof-of-concept or technical details may be available.
This vulnerability enables arbitrary SQL command execution in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 through malicious Report Definition Language (RDL) files uploaded to SQL Server Reporting Services. An attacker with the 'Add Reporting Services Reports' privilege can upload a crafted RDL file containing raw SQL queries; if the file is already loaded and executable by the user, this privilege is not required. Upon report generation, arbitrary SQL commands execute in the underlying database, potentially allowing data exfiltration, linked server access, or operating system command execution depending on SQL Server service account permissions. A proof-of-concept has been documented in public repositories, indicating active research and potential exploitation risk.