SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /edit_branch.php. The vulnerability has publicly disclosed exploit code available and affects confidentiality, integrity, and availability of the underlying database.
SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the address parameter in /locations.php, enabling arbitrary database queries with confidentiality and integrity impact. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the code parameter in /execute1.php, enabling database query manipulation and potential data exfiltration or modification. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in itsourcecode Construction Management System 1.0 via the code parameter in /execute.php allows remote unauthenticated attackers to execute arbitrary SQL queries and potentially access or modify database contents. The vulnerability has a publicly available exploit and is confirmed to have a low confidentiality, integrity, and availability impact according to CVSS v4.0 scoring.
SQL injection in code-projects Inventory Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component, leading to unauthorized database access and potential data exfiltration. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting low confidentiality, integrity, and availability impact without scope expansion. EPSS data unavailable, but public exploit availability elevates practical risk.
Remote SQL injection in CodePanda Source canteen_management_system 1.0 allows unauthenticated attackers to manipulate the Username parameter in /api/login.php, enabling arbitrary database queries. Public exploit code is available. The vulnerability affects confidentiality and integrity with low impact scope, making it a practical attack vector for credential harvesting or data exfiltration from the canteen management database.
A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content.
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument HTTP results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'enable' parameter in the setUPnPCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed), increasing immediate risk for exposed devices. EPSS data not available, but CVSS 8.9 with network vector (AV:N), no authentication (PR:N), and low complexity (AC:L) indicates trivial remote exploitation against default configurations.
OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'wizard' parameter in the setWizardCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector (AV:N), no authentication (PR:N), low complexity (AC:L), and published POC indicates elevated real-world risk for internet-exposed devices.
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.
Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom Role Manager for WordPress via profile update exploitation. The hscrm_save_user_roles() function lacks capability checks on the personal_options_update hook, allowing low-privilege users to modify arbitrary user roles including their own. Version 1.0.1 released with authorization fixes. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, no CISA KEV listing identified, indicating limited widespread exploitation despite the severity of self-service privilege escalation to site administrator.
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.
Command injection in LogonTracer versions prior to 2.0.0 allows authenticated users to execute arbitrary OS commands on the server. LogonTracer, a JPCERT/CC-developed log analysis tool for investigating lateral movement in Windows Active Directory environments, contains an insufficiently sanitized input handler that permits shell command injection. Authentication is required (PR:L), but once logged in, attackers can achieve complete system compromise with high confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H). No active exploitation confirmed at time of analysis, though the CVSS 4.0 score of 8.7 and low attack complexity (AC:L) indicate significant risk for organizations running vulnerable versions.
Buffer overflow in Moxa Secure Router's HTTPS management interface allows unauthenticated remote attackers to crash the web service via specially crafted requests with malformed length parameters. Exploitation causes denial-of-service requiring device reboot, with no confidentiality or integrity impact. CVSS 8.7 reflects high availability impact to the vulnerable component only. No public exploit code identified at time of analysis, and no evidence of active exploitation (not in CISA KEV).
Atom table exhaustion in plug_cowboy 2.0.0-2.8.0 allows remote denial of service via HTTP/2. Unauthenticated attackers can crash the Erlang VM by sending HTTP/2 requests with unique :scheme pseudo-header values, permanently filling the non-garbage-collected atom table until the system_limit is reached. Affects only HTTP/2 connections; HTTP/1.1 is not vulnerable. CVSS 8.7 (High) with network attack vector, low complexity, and no required privileges. No active exploitation confirmed (not in CISA KEV), but exploit is trivial given the publicly documented attack mechanism in the GitHub advisory.
Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.
SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. This fixes the below double free kasan issue seen with PMEM: radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages ================================================================== BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20 Free of addr c0000003c38e0000 by task ndctl/2164 CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries Call Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec ---- interrupt: 3000 at 0x7fff93b3d3f4 NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000 REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392) MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000 <...> NIP [00007fff93b3d3f4] 0x7fff93b3d3f4 LR [00007fff93b3d3f4] 0x7fff93b3d3f4 ---- interrupt: 3000 The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected [ 138.953636] [ T2164] Memory state around the buggy address: [ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953669] [ T2164] ^ [ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953692] [ T2164] ================================================================== [ 138.953701] [ T2164] Disabling lock debugging due to kernel taint
Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows local attackers to crash the application or potentially execute arbitrary code through specially crafted PDF files with malformed form field hierarchies. The vulnerability triggers when parsing logic misidentifies non-signature data as valid signatures, causing invalid memory writes during internal data structure construction. User interaction is required to open the malicious PDF document. No active exploitation has been identified at time of analysis, though the local attack vector and high CVSS score (7.8) warrant attention for endpoint security in environments handling untrusted PDF files.
Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. EPSS probability is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No active exploitation confirmed - no CISA KEV listing identified. Patch available in kernel 7.0+ and backport commit dc23806a7c47.
Buffer overflow in TH1520 AON firmware protocol driver allows local authenticated attackers with low privileges to execute arbitrary code and gain elevated system access. The vulnerability stems from unsafe pointer arithmetic when accessing the 'mode' field through the 'resource' pointer with unchecked offsets in the T-HEAD firmware driver. Patches available across stable kernel branches (6.18.23, 6.19.13, 7.0) with low EPSS score (0.02%) indicating minimal observed exploitation attempts, though CVSS 7.8 reflects high impact if exploited on affected T-HEAD TH1520 systems.
Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows arbitrary code execution when specially crafted PDF documents trigger UI refresh operations after comment deletion via scripting. Local attackers can deliver malicious PDFs and achieve code execution with high integrity and confidentiality impact once a user opens the file. CVSS 7.8 indicates high severity but requires user interaction, limiting automated exploitation. No public exploit code or active exploitation confirmed at time of analysis.
Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows local attackers to execute arbitrary code or crash the application via specially crafted PDF documents. When scripts modify document structures, the software fails to maintain valid object references during page information queries, enabling pointer dereference of freed memory. Successful exploitation requires user interaction to open a malicious PDF file, achieving high confidentiality, integrity, and availability impact with CVSS 7.8. No active exploitation or public exploit code identified at time of analysis, though CVSS vector indicates low attack complexity once victim interaction occurs.
Sensitive data exposure in Templately WordPress plugin ≤3.6.1 allows authenticated attackers to retrieve embedded sensitive information via network requests. The vulnerability exhibits scope change (S:C) indicating potential cross-boundary impact, with high confidentiality impact but no integrity or availability effects. CVSS 7.7 severity driven by network accessibility and low attack complexity. No CISA KEV listing indicates no confirmed widespread exploitation. Reported by Patchstack's audit team with reference to their vulnerability database entry.
Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.
Unauthenticated directory traversal in Pro-Bit versions before 1.77.4 exposes sensitive directories and subdirectories to remote attackers without authentication. The vulnerability allows direct access to protected file system locations via network requests, enabling unauthorized information disclosure. EPSS score of 0.02% (6th percentile) indicates low observed exploitation probability in the wild, and no CISA KEV listing exists at time of analysis, suggesting limited active exploitation despite the CVSS 7.5 severity rating.
Denial of service in MERCURY MIPC252W IP camera firmware 1.0.5 Build 230306 Rel.79931n allows remote unauthenticated attackers to crash the device via malformed RTSP SETUP request. Exploitation triggers a null pointer dereference in the RTSP service during Transport header parsing, forcing an automatic reboot. EPSS score of 0.01% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis beyond the researcher's GitHub documentation.
A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files via sending crafted URL path containing traversal sequences.
An issue in the /store/items/search endpoint of Agent Protocol server commit e9a89f allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
OS command injection in Tenda HG3 router version 2.0 allows authenticated remote attackers to execute arbitrary commands with device privileges via the 'countrystr' parameter in /boaform/formCountrystr endpoint. Public exploit code exists (CVSS 4.0 E:P modifier confirms POC availability), enabling authenticated attackers to fully compromise router confidentiality, integrity, and availability. EPSS data unavailable; not currently in CISA KEV catalog, suggesting exploitation may be targeted rather than widespread despite public POC.
Buffer overflow in Tenda F456 router firmware version 1.0.0.5 allows authenticated remote attackers to achieve code execution via crafted requests to the /goform/WrlclientSet endpoint. The vulnerability exists in the fromWrlclientSet function of the httpd component. Public exploit code is available on GitHub, increasing practical exploitation risk despite requiring low-privilege authentication (CVSS 7.4, EPSS data not provided).
Buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted HTTP requests to the /goform/Natlimit endpoint. Public exploit code exists on GitHub (Litengzheng/vuldb_new), demonstrating practical exploitability. EPSS data unavailable, but with POC published and AV:N/AC:L indicating straightforward network exploitation, this poses significant risk to internet-exposed router management interfaces with weak or default credentials.
Remote code execution in Tenda F456 router firmware 1.0.0.5 allows authenticated attackers to trigger buffer overflow via crafted mit_linktype parameter to /goform/QuickIndex endpoint in httpd service. Public exploit code exists on GitHub (Litengzheng/vuldb_new), enabling memory corruption with high impact to confidentiality, integrity, and availability. CVSS 7.4 reflects low attack complexity with network access requiring only low-privilege authentication. No vendor patch identified at time of analysis.
Remote authenticated attackers can execute arbitrary code on Tenda F456 router version 1.0.0.5 via buffer overflow in the DhcpListClient function of the httpd component. Exploitation requires low-privilege HTTP authentication and targets the web management interface. A public proof-of-concept exploit exists on GitHub (Litengzheng/vuldb_new), enabling straightforward weaponization. EPSS data unavailable, but the combination of remote attack vector, low complexity (AC:L), and publicly disclosed exploit code indicates elevated real-world exploitation risk for internet-exposed devices with default or weak credentials.
Remote authenticated buffer overflow in Tenda F456 1.0.0.5 httpd allows attackers to compromise router integrity and availability via crafted WrlExtraSet requests. Exploitation occurs through the formWrlExtraSet function when manipulating the 'Go' parameter at /goform/WrlExtraSet endpoint. Public exploit code is available on GitHub (Litengzheng/vuldb_new), enabling straightforward weaponization. CVSS 7.4 (High) with CVSS v4.0 Exploit Maturity: Proof-of-Concept confirms exploitability. While requiring low-privilege authentication (PR:L), the network attack vector (AV:N) and low complexity (AC:L) make this accessible to remote attackers with basic router credentials, commonly obtained via credential stuffing or default password exploitation.
Remote authenticated buffer overflow in Tenda F456 1.0.0.5 router allows complete device compromise via the DHCP server configuration handler. A low-privileged attacker can send a crafted HTTP request with malicious 'dips' parameter to /goform/GstDhcpSetSer, triggering a buffer overflow in the httpd service that enables arbitrary code execution with full system control. Public exploit code is available on GitHub (EPSS exploitation probability data not provided, not listed in CISA KEV at time of analysis).
Stack-based buffer overflow in D-Link DIR-825 firmware 3.00b32's nmbd NetBIOS service allows adjacent network attackers to achieve complete device compromise without authentication. Public exploit code exists (SSVC: POC confirmed), though EPSS probability remains low (0.03%, 7th percentile) indicating limited observed exploitation attempts. This vulnerability affects end-of-life hardware no longer receiving vendor security updates, creating permanent risk for deployed devices.
Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1