Lucene search
+L

578 matches found

CNNVD
CNNVD
added 2026/04/27 12:0 a.m.12 views

itsourcecode Construction Management System 注入漏洞

itsourcecode Construction Management System is an open-source construction management system developed by itsourcecode. Version 1.0 of the itsourcecode Construction Management System has a SQL injection vulnerability, which stems from the handling of the parameter “address” in the...

7.5CVSS7.2AI score0.00254EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 2:5 a.m.29 views

CVE-2026-33078 Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

9.3CVSS0.00352EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.11 views

TOTOLINK A3300R 命令注入漏洞

ToToLink A3300R is a router product that provides network connectivity and data transfer. The ToToLink A3300R suffers from a command injection vulnerability that stems from failing to properly validate the input of the url parameter of /cgi-bin/cstecgi.cgi, which can be exploited by an attacker t...

6.5CVSS6.1AI score0.00279EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/13 1:22 p.m.5 views

CVE-2026-6116

A vulnerability has been found in Totolink A7100RU 7.4cu.2313b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is...

10CVSS6.8AI score0.01803EPSS
Exploits0References1
CVE
CVE
added 2026/04/10 12:0 a.m.11 views

CVE-2026-31262

CVE-2026-31262 is a Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) version 2.0. The entry states that a remote attacker can obtain sensitive information and execute arbitrary code via a URL parameter. Connected documents consistently describe the issue as XSS in ...

6.1CVSS6.1AI score0.00229EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.7 views

PT-2026-31928

Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform SB2 v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter...

6.1AI score0.00229EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/09 7:27 p.m.20 views

CVE-2026-40077 Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they kno...

3.5CVSS0.00219EPSS
Exploits1References2
CVE
CVE
added 2026/04/07 6:4 p.m.14 views

CVE-2026-39344

ChurchCRM prior to 7.1.0 is affected by a reflected XSS on the login page via the username parameter from the URL. The vulnerability arises from lack of sanitization/encoding, allowing injected scripts to execute in the user’s browser and potentially steal data such as cookies or alter the login ...

8.1CVSS7.2AI score0.00256EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/02 6:31 p.m.4 views

EUVD-2026-18408

A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function pingtest of the file /setup.cgi. Performing a manipulation of the argument c4IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The...

6.5CVSS6.3AI score0.04778EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/04/02 2:46 p.m.20 views

CVE-2026-34817 Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting XSS via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...

6.4CVSS0.00138EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/30 3:30 a.m.8 views

EUVD-2026-17054

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed...

8.8CVSS5.6AI score0.02483EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.7 views

CVE-2026-2277

The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS5.9AI score0.00265EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/26 6:30 a.m.5 views

EUVD-2026-16108

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation ...

9CVSS6.8AI score0.08263EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/21 3:27 a.m.34 views

CVE-2026-3478 Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the reduxp AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint wpajaxnoprivreduxp that is accessible to...

7.2CVSS0.00272EPSS
Exploits0References7
NVD
NVD
added 2026/03/16 2:19 p.m.7 views

CVE-2026-4172

A vulnerability was detected in TRENDnet TEW-632BRP 1.010B32. This affects an unknown part of the file /pingresponse.cgi of the component HTTP POST Request Handler. The manipulation of the argument pingipaddr results in stack-based buffer overflow. The attack may be performed from remote. The...

8.6CVSS0.00612EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.7 views

PT-2026-25783

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping ipaddr parameter ...

5.1CVSS5.9AI score0.00155EPSS
Exploits0References2
NVD
NVD
added 2026/03/12 12:16 a.m.8 views

CVE-2026-3966

A vulnerability was detected in 648540858 wvp-GB28181-pro up to 2.7.4-20260107. Affected by this vulnerability is the function getDownloadFilePath of the file /src/main/java/com/genersoft/iot/vmp/media/abl/ABLMediaNodeServerService.java of the component IP Address Handler. The manipulation of the...

6.5CVSS0.00206EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/11 7:8 a.m.9 views

CVE-2026-0489

Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting XSS vulnerability. This issue ha...

6.1CVSS5.8AI score0.00215EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/07 5:27 a.m.42 views

CVE-2026-30828 Wallos: SSRF via url parameter leading to File Traversal

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2...

8.7CVSS0.00533EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/07 5:27 a.m.5 views

CVE-2026-30828

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2...

8.7CVSS5.7AI score0.00533EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder