
202 matches found

NVD
added 2026/05/19 5:16 p.m. | 5 views

CVE-2026-36829

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and...

CVSS 9.8 | EPSS 0.00517
Exploits: 0 | References: 2

EUVD
added 2026/05/19 12:0 a.m. | 10 views

EUVD-2026-30953

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and...

CVSS 9.8 | AI score 5.8 | EPSS 0.00517
Exploits: 0 | References: 2

CNNVD
added 2026/05/19 12:0 a.m. | 6 views

Panabit PAP-XM320 Path Traversal Vulnerability

Panabit PAP-XM320 is an enterprise-level network traffic management and bandwidth control gateway device developed by Panabit Corporation. Versions of Panabit PAP-XM320 prior to v7.7 contain a path traversal vulnerability. This vulnerability stems from the use of a file system existence check bas...

CVSS 9.8 | AI score 5.8 | EPSS 0.00517
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/19 12:0 a.m. | 6 views

PT-2026-41951

Name of the Vulnerable Software and Affected Versions Panabit PAP-XM320 versions prior to 7.8 Description An authentication bypass exists in the embedded HTTP server. The server validates session cookies by performing a filesystem existence check based on a user-controlled cookie value. Due to a...

CVSS 9.8 | AI score 5.8 | EPSS 0.00517
Exploits: 0 | References: 5

RedHat Linux
added 2026/05/14 4:55 p.m. | 2 views

camel-http: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers

A flaw was found in the Apache Camel embedded HTTP server and embedded management server camel-platform-http-main. When authentication is enabled and a non-root context path is configured, the authentication handler incorrectly matches only the exact configured path, not its subpaths. This allows...

CVSS 8.2 | AI score 5.7 | EPSS 0.00202
Exploits: 0 | References: 6

Tenable Nessus
added 2026/04/30 12:0 a.m. | 3 views

HP Printer Cross-Site Request Forgery (CVE-2009-0940)

Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that (1) print documents via unknown vectors, (2) modif...

CVSS 5.1 | AI score 5.8 | EPSS 0.00837
Exploits: 1 | References: 2

Tenable Nessus
added 2026/04/30 12:0 a.m. | 1 views

HP Printer Weak Password Requirement (CVE-2009-0941)

The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders has no management password by default, which makes it easier for remote attackers to obtain access. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for...

CVSS 7.6 | AI score 5.8 | EPSS 0.00928
Exploits: 0 | References: 2

RedhatCVE
added 2026/02/11 7:44 p.m. | 2 views

CVE-2026-1997

Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedd...

CVSS 6.9 | AI score 5.5 | EPSS 0.00005
Exploits: 0 | References: 1

OSV
added 2026/02/10 6:16 p.m. | 0 views

CVE-2026-1997

Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedd...

CVSS 5.3 | AI score 5.8 | EPSS 0.00005
Exploits: 0 | References: 1

CVE
added 2026/02/10 5:54 p.m. | 11 views

CVE-2026-1997

CVE-2026-1997 affects HP OfficeJet Pro printers where misconfigured Cross‑Origin Resource Sharing (CORS) could allow unauthorized web origins to access device resources. CORS is disabled by default on Pro‑class devices and should remain disabled unless explicitly required; the CVSSv4 base score i...

CVSS 6.9 | AI score 5.5 | EPSS 0.00005
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/02/10 12:0 a.m. | 3 views

PT-2026-7329

Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedd...

CVSS 6.9 | AI score 5.5 | EPSS 0.00005
Exploits: 0 | References: 2

Vulnrichment
added 2026/02/09 2:2 a.m. | 3 views

CVE-2026-2203 Tenda AC8 Embedded Httpd Service fast_setting_wifi_set buffer overflow

A flaw has been found in Tenda AC8 16.03.33.05. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set of the component Embedded Httpd Service. This manipulation of the argument timeZone causes buffer overflow. Remote exploitation of the attack is...

CVSS 9 | AI score 5.6 | EPSS 0.00112
Exploits: 1 | References: 6

OSV
added 2026/02/06 4:41 p.m. | 1 views

CVE-2026-23738 The Asterisk embedded web server's /httpstatus page echoes user-supplied values (cookie and query string) without sanitization

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The...

CVSS 3.5 | AI score 5.3 | EPSS 0.00051
Exploits: 0 | References: 3

RedhatCVE
added 2026/01/09 12:11 p.m. | 1 views

CVE-2018-18894

Certain older Lexmark devices C, M, X, and 6500e before 2018-12-18 contain a directory traversal vulnerability in the embedded web server...

CVSS 7.5 | AI score 7 | EPSS 0.00271
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 11:24 a.m. | 4 views

CVE-2021-31718

The server in npupnp before 4.1.4 is affected by DNS rebinding in the embedded web server including UPnP SOAP and GENA endpoints, leading to remote code execution...

CVSS 8.8 | AI score 7.5 | EPSS 0.00479
Exploits: 0 | References: 1

RedhatCVE
added 2025/11/17 7:3 a.m. | 2 views

CVE-2025-58083

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device...

CVSS 10 | AI score 7 | EPSS 0.00082
Exploits: 0 | References: 1

RedhatCVE
added 2025/11/17 7:3 a.m. | 5 views

CVE-2025-59780

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information...

CVSS 8.7 | AI score 6.9 | EPSS 0.00061
Exploits: 0 | References: 1

NVD
added 2025/11/15 12:15 a.m. | 4 views

CVE-2025-58083

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device...

CVSS 10 | EPSS 0.00082
Exploits: 0 | References: 2

NVD
added 2025/11/15 12:15 a.m. | 2 views

CVE-2025-59780

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information...

CVSS 8.7 | EPSS 0.00061
Exploits: 0 | References: 2

CNNVD
added 2025/11/15 12:0 a.m. | 4 views

General Industrial Controls Lynx+ Gateway Access Control Error Vulnerability

General Industrial Controls Lynx+ Gateway is an industrial automation gateway from General Industrial Controls India. An access control error vulnerability exists in the General Industrial Controls Lynx+ Gateway, which stems from a lack of critical authentication on the embedded web server, which...

CVSS 10 | AI score 6.9 | EPSS 0.00082
Exploits: 0 | References: 2