CVE-2026-7705 JD Cloud JDCOS Service jdcap set_iptv_info command injection

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

CVE-2026-33746

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...

CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...

CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...

D-Link DIR-825和D-Link DIR-825R 操作系统命令注入漏洞

D-Link DIR-825 and D-Link DIR-825R are products of D-Link Corporation from China. The D-Link DIR-825 is a router, while the D-Link DIR-825R is a wireless router. Both models, D-Link DIR-825 and D-Link DIR-825R, in their version 1.0.5/4.5.1, have a vulnerability related to operating system command...

Linux Distros Unpatched Vulnerability : CVE-2026-30928

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances...

UBUNTU-CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

Insertion of Sensitive Information Into Sent Data

Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the self.config.asdict function, which returns the entire configuration including sensitive values without filtering for th...

GHSA-22M3-C7VP-49FJ IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links

Impact An attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it ...

CVE-2026-2563 JingDong JD Cloud Box AX6600 jdcapp_rpc controlDevice get_status privileges management

A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function setstcreenendeabledstatus/getstatus of the file /f/service/controlDevice of the component jdcapprpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the...

CVE-2026-2561

A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function webgetddnsuptime of the file /jdcapi of the component jdcwebrpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit...

PT-2026-8352

A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web get ddns uptime of the file /jdcapi of the component jdcweb rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The...

UBUNTU-CVE-2024-54192

An issue inTcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpeditdltgetplugin function at src/tcpedit/plugins/dltutils.c...

CVE-2024-54192

An issue inTcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpeditdltgetplugin function at src/tcpedit/plugins/dltutils.c...

Azure Linux 3.0 Security Update: puppet (CVE-2015-1029)

The version of puppet installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2015-1029 advisory. - The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlie...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000876)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000876 advisory. The iowarriorprobe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service NULL...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003031)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003031 advisory. The digiportinit function in drivers/usb/serial/digiacceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service...

CVE-2020-24601

In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page...

CVE-2025-10749 Microsoft Azure Storage for WordPress <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion

The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated...

GHSA-9RVM-P3QM-F4VV Smidge is vulnerable to Path Traversal

A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is...