Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and vendor has released patched version 7.21.
Command injection in Tenda F453 firmware up to version 1.0.0.3 allows authenticated remote attackers to execute arbitrary system commands via the TendaTelnet function in the /goform/telnet endpoint. The vulnerability has publicly available exploit code and may be actively used against deployed devices. Attack requires low-privilege authentication but carries significant risk due to the telnet service's direct command execution capability.
Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.
Server-side request forgery (SSRF) in AiraHub2 allows authenticated remote attackers to manipulate the connect_stream_endpoint and sync_agents functions in AiraHub.py, enabling arbitrary HTTP requests to internal or external systems. The vulnerability affects multiple endpoints and has publicly available exploit code; however, the vendor has not responded to disclosure attempts and uses a rolling release model, making patch status unclear.
Server-side template injection in AstrBot Dashboard API (version 4.22.1 and earlier) allows remote authenticated attackers with high privileges to execute arbitrary template code via the create_template function, leading to information disclosure and potential code execution. Publicly available exploit code exists, and the vendor has not yet responded to disclosure despite early notification.
Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.
SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.
Stored cross-site scripting (XSS) in projeto-siga SIGA 11.0.3.18 allows authenticated remote attackers to inject malicious scripts via the Nome/Descrição parameter in the /sigawf/app/responsavel/novo endpoint. Successful exploitation requires user interaction (UI:R) and an authenticated session (PR:L), limiting impact to information disclosure (I:L). Public exploit code is available, though exploitation remains constrained by authentication and user interaction requirements.
SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.
Reflected cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows remote attackers with high administrative privileges to inject malicious scripts via the VLAN Name parameter on the VLAN Page, exploitable only with user interaction. Public exploit code is available, and the vendor has not responded to early disclosure notifications.
Cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows authenticated remote attackers to inject malicious scripts via manipulation of the Name parameter in the Ethernet Configuration Page. The vulnerability requires high-privilege administrative access and user interaction to trigger, limiting real-world impact despite public exploit availability. Vendor has not responded to disclosure.
Cross-site scripting (XSS) vulnerability in BIVOCOM TR321 version 21.1.1.50 allows authenticated remote attackers with high privileges to inject malicious scripts via manipulation of the Network Name SSID parameter in the Wireless Setting component. The vulnerability requires user interaction to trigger and has limited integrity impact. Exploit code has been publicly published, though the vendor has not responded to disclosure attempts.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistics Page allows authenticated remote attackers to inject malicious scripts. The vulnerability requires user interaction (clicking a crafted link) and high-privilege access to exploit, limiting real-world risk despite public exploit availability. The vendor has not responded to disclosure attempts.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers with high privileges to inject malicious scripts via the Owner parameter on the New RMON History Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the rmon event Tab component. The vulnerability requires high-privilege authentication and user interaction to trigger, limiting practical exploitation scope. Public exploit code is available; however, the low CVSS score (2.4) reflects the authentication barrier and limited confidentiality/availability impact.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated users to inject malicious scripts via the User name parameter in the New User Page (/index.asp), affecting only the injecting user's session due to session-scoped impact. Public exploit code is available, but exploitation requires administrative credentials and user interaction (form submission), significantly limiting real-world attack surface despite the remote attack vector.