Lucene search

2019 matches found

CNNVD
added 2026/02/26 12:0 a.m. | 7 views

ajenti access control error vulnerability

ajenti is an open-source Linux and BSD-based modular server management panel developed by ajenti. Versions of ajenti prior to 2.2.13 contained a security vulnerability related to access control. This vulnerability allowed unverified users to access servers, potentially enabling them to execute...

CVSS 9.8 | AI score 6.1 | EPSS 0.00533
Exploits 0 | References 2

CVE
added 2026/02/25 12:0 a.m. | 8 views

CVE-2025-69771

CVE-2025-69771 is a Cross-Site Scripting (XSS) vulnerability in the subtitle loading function of the asbplayer Chrome Extension (version 1.14.0). The issue allows an attacker to host a crafted .srt subtitle file that executes arbitrary JavaScript in the active streaming platform’s context, bypass...

CVSS 9.6 | AI score 6.1 | EPSS 0.00323
Exploits 0 | References 2 | Affected Software 1

OSV
added 2026/02/20 11:16 p.m. | 5 views

CVE-2019-25435

Sricam DeviceViewer 3.12.0.1 contains a local buffer overflow vulnerability in the user management add user function that allows authenticated attackers to execute arbitrary code by bypassing data execution prevention. Attackers can inject a malicious payload through the Username field in User...

CVSS 7.8 | AI score 6.5 | EPSS 0.0032
Exploits 1 | References 3

OSV
added 2026/02/20 11:15 p.m. | 4 views

CVE-2018-25158

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute...

CVSS 8.8 | AI score 6.1
Exploits 0 | References 3

NVD
added 2026/02/10 7:15 p.m. | 11 views

CVE-2026-21345

Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current...

CVSS 7.8 | EPSS 0.00157
Exploits 0 | References 1

Positive Technologies
added 2026/02/10 12:0 a.m. | 4 views

PT-2026-7411

Name of the Vulnerable Software and Affected Versions: Azure AI Language Authoring SDK version 1.0.0. Description: A flaw exists in the Azure AI Language Authoring SDK that allows an unauthorized attacker to execute code over a network. This is due to the deserialization of untrusted data. The issue...

CVSS 10 | AI score 6.5 | EPSS 0.02344
Exploits 0 | References 8

CNNVD
added 2026/02/09 12:0 a.m. | 4 views

GIGABYTE MacroHub security vulnerability

GIGABYTE MacroHub is an open-source recording software developed by GIGABYTE of Taiwan, China. GIGABYTE MacroHub has a security vulnerability, which stems from improper permissions when launching external applications. This vulnerability may allow authenticated local attackers to execute arbitrar...

CVSS 8.5 | AI score 6.2 | EPSS 0.00119
Exploits 0 | References 3

OSV
added 2026/02/06 2:53 p.m. | 34 views

PYSEC-2026-1 A single post-release of dydx-v4-client contained obfuscated multi-stage loader

A PyPI user account was compromised by an attacker, who was able to upload a malicious version 1.1.5.post1 of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible...

AI score 5.8
Exploits 0 | References 1

ATTACKERKB
added 2026/02/06 6:17 a.m. | 3 views

CVE-2026-0521

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL that, if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through...

CVSS 7.1 | AI score 5.4 | EPSS 0.00263
Exploits 1 | References 3

EUVD
added 2026/02/03 6:47 p.m. | 3 views

EUVD-2025-206683

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 tmpserver modules allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine...

CVSS 7.3 | AI score 5.8 | EPSS 0.00405
Exploits 0 | References 4

OSV
added 2026/02/03 6:30 p.m. | 2 views

GHSA-7G56-FWXJ-CM23 FUXA contains an Unrestricted File Upload vulnerability

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVSS 9.3 | AI score 6 | EPSS 0.00726
Exploits 0 | References 3

ATTACKERKB
added 2026/02/03 2:49 p.m. | 4 views

CVE-2020-37100

Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the...

CVSS 8.5 | AI score 5.9 | EPSS 0.00187
Exploits 1 | References 3 | Affected Software 1

Positive Technologies
added 2026/02/03 12:0 a.m. | 4 views

PT-2026-5847

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with...

CVSS 8.5 | AI score 6 | EPSS 0.00119
Exploits 0 | References 3

CNNVD
added 2026/02/03 12:0 a.m. | 4 views

FUXA security vulnerability

FUXA is a web-based process visualization software developed by frangoteam. Version 1.2.7 of FUXA contains a security vulnerability. This vulnerability stems from the lack of an authentication mechanism for the /api/upload API endpoints. This allows unauthorized remote attackers to upload arbitrar...

CVSS 9.8 | AI score 6.1 | EPSS 0.00726
Exploits 0 | References 1

EUVD
added 2026/02/03 12:0 a.m. | 3 views

EUVD-2025-206705

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

AI score 6 | EPSS 0.00726
Exploits 0 | References 1

NVD
added 2026/02/01 3:16 p.m. | 4 views

CVE-2020-37062

DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts...

CVSS 8.5 | EPSS 0.0015
Exploits 0 | References 3

NVD
added 2026/02/01 3:16 p.m. | 5 views

CVE-2020-37055

SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access...

CVSS 8.5 | EPSS 0.0015
Exploits 0 | References 3

CVE
added 2026/02/01 2:38 p.m. | 12 views

CVE-2020-37045

CVE-2020-37045 affects Veritas NetBackup 7.0. The vulnerability is an unquoted service path in the NetBackup INET Daemon (bpinetd.exe under C:\Program Files\Veritas\NetBackup\bin). This unquoted path can be exploited by local users to execute arbitrary code with elevated LocalSystem privileges. E...

CVSS 8.5 | AI score 6.1 | EPSS 0.0015
Exploits 0 | References 3

CNNVD
added 2026/01/30 12:0 a.m. | 8 views

Popcorn Time code-related vulnerabilities

Popcorn Time is an open-source, multi-platform free software BitTorrent client developed by Popcorn Time. Version 6.2.1.14 of Popcorn Time contains a code vulnerability caused by an unquoted service path. This vulnerability could allow local non-privileged users to execute code and gain system...

CVSS 8.5 | AI score 6 | EPSS 0.00134
Exploits 0 | References 3

Vulnrichment
added 2026/01/29 2:28 p.m. | 3 views

CVE-2020-37016 BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path

BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem...

CVSS 8.5 | AI score 6.1 | EPSS 0.00121
Exploits 0 | References 3