222069 matches found
EUVD-2026-44541
A security flaw has been discovered in mastergo-design mastergo-magic-mcp up to 0.2.0. This issue affects the function execute of the file src/tools/get-c2d.ts of the component mcpC2d. Performing a manipulation of the argument filePath results in path traversal. The attack requires a local...
CVE-2026-15696
CVE-2026-15696 : Affects Tenda BE12 Pro firmware version 16.03.66.23. The vulnerability lies in the fromVirtualSer function of the file /goform/VirtualSer, where manipulation of the argument page leads to a stack-based buffer overflow. It can be exploited remotely, and the exploit has been disclo...
CVE-2026-15695
Affected software: Tenda BE12 Pro 16.03.66.23. Vulnerable component: function fromDhcpListClient in /goform/DhcpListClient. Root cause: manipulation of the argument page leads to a stack-based buffer overflow. Impact: remote attack with high severity (as reflected in CVSS metrics); attacker can e...
Infoblox NetMRI < 7.6.1 - Unauthenticated Command Injection in get_saml_request
An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur. id: CVE-2025-32813 info: name: Infoblox NetMRI 7.6.1 - Unauthenticated Command Injection in getsamlrequest author: iamnoooob,pdresearch severity: high description: | An issue was discovere...
Hongjing e-HR 2020 - SQL Injection
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /wselfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument...
PHPJabbers Food Delivery Script - SQL Injection
PHPJabbers Food Delivery Script 3.0 has a SQL injection SQLi vulnerability in the "q" parameter of index.php. id: CVE-2023-40748 info: name: PHPJabbers Food Delivery Script - SQL Injection author: ritikchaddha severity: critical description: | PHPJabbers Food Delivery Script 3.0 has a SQL injecti...
Viessmann Vitogate 300 - Remote Code Execution
In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method. id: CVE-2023-45852 info: name: Viessmann Vitogate 300 - Remote Code Execution autho...
WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection
A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection...
Ericsson Drutt MSDP - Local File Inclusion
Ericsson Drutt Mobile Service Delivery Platform MSDP 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f dot dot encoded slash in the default URI in the Instance Monitor. id: CVE-2015-2166 info: name: Ericsson Drutt MSDP - Local File Inclusion author: daffainfo severity: mediu...
ADB/Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure
ADB formerly Pirelli Broadband Solutions P.DGA4001N router with firmware PDGTEFSP4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service device restart as demonstrated by a direct request to 1...
Atlassian Confluence <5.8.17 - Information Disclosure
Atlassian Confluence before 5.8.17 contains an information disclsoure vulnerability. A remote authenticated user can read configuration files via the decoratorName parameter to 1 spaces/viewdefaultdecorator.action or 2 admin/viewdefaultdecorator.action. id: CVE-2015-8399 info: name: Atlassian...
NewStatPress <0.9.9 - Cross-Site Scripting
WordPress NewStatPress plugin before 0.9.9 contains a cross-site scripting vulnerability in includes/nspsearch.php. The plugin allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nspsearch page to wp-admin/admin.php. id: CVE-2015-4063 info: nam...
WordPress RobotCPA 5 - Directory Traversal
The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter. id: CVE-2015-9480 info: name: WordPress RobotCPA 5 - Directory Traversal author: daffainfo severity: high description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter...
Magento Server Mass Importer - Cross-Site Scripting
Magento Server Mass Importer plugin contains multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via the 1 profile parameter to web/magmi.php or 2 QUERYSTRING to web/magmiimportrun.php. id: CVE-2015-2068 info: name: Magento Server Mass...
IceWarp Mail Server <11.1.1 - Directory Traversal
IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability. id: CVE-2015-1503 info: name: IceWarp Mail Server 11.1.1 - Directory Traversal author: 0xAkoko severity: high description: IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal...
Joomla! ProDesk 1.0/1.2 - Local File Inclusion
Joomla! Pro Desk Support Center comprodesk component 1.0 and 1.2 allows remote attackers to read arbitrary files via a .. dot dot in the includefile parameter to index.php. id: CVE-2008-6222 info: name: Joomla! ProDesk 1.0/1.2 - Local File Inclusion author: daffainfo severity: medium description:...
WordPress Sniplets 1.1.2 - Local File Inclusion
PHP remote file inclusion vulnerability in modules/syntaxhighlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. id: CVE-2008-1059 info: name: WordPress Sniplets 1.1.2 - Local File Inclusion autho...
vBulletin <= 4.2.3 - SQL Injection
vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database. id: CVE-2016-6195 info: name:...
nweb2fax <=0.2.7 - Local File Inclusion
nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via the id parameter submitted to comm.php and the varfilename parameter submitted to viewrq.php. id: CVE-2008-6668 info: name: nweb2fax =0.2.7 - Local File Inclusion author: geeknik severity: medium description: nweb2fax...
WordPress Infusionsoft Gravity Forms <=1.5.11 - Cross-Site Scripting
WordPress plugin Infusionsoft 1.5.11 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...