71 matches found
SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability
SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication...
CVE-2026-44579
A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open,...
Sequence of Processor Instructions Leads to Unexpected Behavior
Overview: admidio/admidio is a free, open-source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Sequence of Processor Instructions Leads to Unexpected Behavior through the fielddelete process. An attacker can permanently remove...
PT-2026-44378
The Mennekes Amtron series firmware, versions ≤ 5.22.3, is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...
NOVUS Automation AirGate 4G firmware Security Vulnerability
NOVUS Automation AirGate 4G firmware is an industrial IoT gateway firmware system developed by NOVUS Automation in Brazil. Version 1.1.16 of NOVUS Automation AirGate 4G firmware contains a security vulnerability. This vulnerability stems from improper endpoint access control in the /uci/get/...
CVE-2018-25333
Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloa...
CVE-2026-30350
Technical details are not publicly available in the provided documents. Monitor updates from primary sources for affected components, exact versions, and remediation guidance.
CVE-2026-3358
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing poststatus validation in the enrollnow and courseenrollment functions. Both enrollment endpoints...
Fedora 42 : cpp-httplib (2026-6ed9c65eaf)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-6ed9c65eaf advisory. Update to 0.37.1 rbhz2445943 - Fixes Denial of Service via malformed Content-Length header CVE-2026-31870 - Reenables 32-bit build Update to 0.37.0...
Denial Of Service (DoS)
github.com/free5gc/pcf is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of crafted POST requests to the NpcfBDTPolicyControl API, which allows an attacker to trigger service disruption...
CVE-2019-25428
CVE-2019-25428 affects Comodo Dome Firewall 2.7.0. Affected component: openvpn_users endpoint. Root cause: reflected cross-site scripting via crafted POST parameters (username, remotenets, explicitroutes, static_ip, custom_dns, custom_domain) enabling arbitrary JavaScript in users’ browsers. Impa...
CVE-2019-25356 Bematech Printer MP-4200 TH Cross-Site Scripting
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript...
CVE-2019-25323
Heatmiser Netmonitor v3.03 is affected by an HTML injection in the outputSetup.htm page via the outputtitle parameter. The vulnerability allows an attacker to craft POST requests to inject arbitrary HTML and potentially alter the web interface’s displayed content. The CVE description specifies a ...
CVE-2019-25316
GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary...
CVE-2020-37125
Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download a...
CVE-2022-50911
Bitrix24 is affected by CVE-2022-50911 per connected sources, described as an authenticated remote code execution vulnerability. An attacker with valid credentials could abuse the PHP command-line administration interface by sending crafted POST requests to an admin endpoint to execute arbitrary ...
CVE-2018-25134
Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative account...
CVE-2025-67173
A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request...
CVE-2023-53878
CVE-2023-53878 — Member Login Script 3.3 involves a client-side desynchronization vulnerability tied to parsing the Content-Length header. The flaw allows attackers to manipulate HTTP request handling by smuggling secondary requests within crafted POST payloads, potentially bypassing server-side ...
CVE-2025-36754
The authentication mechanism on the web interface is not properly implemented. It is possible to bypass authentication checks by crafting a POST request with new settings, since there is no session token or authentication in place. This would allow an attacker, for instance, to point the device to an...