CVE-2026-45560

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

EUVD-2026-36041

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

CVE-2026-45560

Roxy-WI exposes a stored XSS vulnerability in the log viewer. In versions <= 8.2.6.4, wrap_line and highlight_word build raw HTML via string concatenation without escaping, and the frontend injects response bodies with .html/.append. An attacker who can reach the public load balancer can injec...

CVE-2026-45560 Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

CVE-2026-45560 Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrapline app/modules/common/common.py:181-186 and highlightword app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

CVE-2026-41977

DoS vulnerability in the log service. Impact: Successful exploitation of this vulnerability may affect availability...

Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure

An access control issue in Wavlink WL-WN530HG4 M30HG4.V5030.201217 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials. id: CVE-2022-48166 info: name: Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure author: ritikchaddha...

Riello Netman 204 - SQL Injection

The three endpoints /cgi-bin/dbdatalogw.cgi, /cgi-bin/dbeventlogw.cgi, and /cgi-bin/dbmultimetrw.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way. id: CVE-2024-8877 info: name: Riello Netman 204 - SQL...

All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87. id: CVE-2024-8852 info: name: All-in-One WP Migration 7.87 - Unauthenticated Information Disclosure...

VMware vRealize Log Insight - Path Traversal

he vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. id: CVE-2022-31706 info: name: VMware vRealize Log Insight - Path Traversal...

LogDash Activity Log <= 1.1.3 - SQL Injection

The LogDash Activity Log plugin for WordPress is vulnerable to SQL Injection via the username parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

VMware vRealize Log Insight < v8.10.2 - Information Disclosure

VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication. id: CVE-2022-31711 info: name: VMware vRealize Log Insight v8.10.2 - Information Disclosure author: DhiyaneshD...

VMware vRealize Log Insight - Improper Access Control to RCE

The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution. id: CVE-2022-31704 info: name: VMware vRealize Log Insight - Improper Acces...

Wavlink WL-WN533A8 M33A8.V5030.190716 - Information Disclosure

An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials. id: CVE-2022-48164 info: name: Wavlink WL-WN533A8 M33A8.V5030.190716 - Information...

MagnusBilling Login Logs - Cross-Site Scripting

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...

Cobbler <3.3.0 - Remote Code Execution

Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method. id: CVE-2021-40323 info: name: Cobbler 3.3.0 - Remote Code Execution author: c-sh0 severity: critical description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via ...

EUVD-2026-35856

MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction...

EUVD-2026-35867

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

PT-2026-48439

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap line app/modules/common/common.py:181-186 and highlight word app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

CVE-2026-9751

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...