PT-2026-6875

Name of the Vulnerable Software and Affected Versions O2OA versions prior to 9.0.0 Description A flaw exists in O2OA up to version 9.0.0 related to XML external entity reference. The issue is located within the HTTP POST Request Handler component, specifically in the file /x program...

Prototype Pollution

Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Prototype Pollution via the formToObj function, which processes form field names with dot notation but does not properly sanitize dangerous property names. An attacker can modify t...

CVE-2026-0918 Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 & C520WS

The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated...

CVE-2025-12387

CVE-2025-12387 affects the Pix-Link LV-WR21Q router. The vulnerability resides in the router’s language module and can be triggered by sending a specially crafted HTTP POST with a non-existing language parameter, causing the admin panel to fail to serve lang.js and leading to a DoS of the adminis...

CVE-2025-12387 Denial of Service in Pix-Link LV-WR21Q

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service DoS by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes...

PT-2026-4913

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service DoS by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes...

CVE-2026-1414

A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/getInformation of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead...

CVE-2026-1413

A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ipandport/portvalidate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command...

CVE-2026-1414

CVE-2026-1414 affects Sangfor Operation and Maintenance Security Management System (up to version 3.0.12). The vulnerability resides in the HTTP POST Request Handler for /equipment/get_Information, where tampering with the fortEquipmentIp argument can trigger a command injection. The issue can be...

CVE-2026-1413

Sangfor Operation and Maintenance Security Management System up to 3.0.12 contains a command injection in the HTTP POST Request Handler’s portValidate function, located in /fort/ip_and_port/port_validate. An attacker can remotely manipulate the port argument to execute arbitrary commands. Multipl...

CVE-2026-1412

A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/getclipimg of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command...

MiracleLinux 4 : piranha-0.8.6-4.2.0.1.AXS4 (AXSA:2014-348:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2014-348:01 advisory. Various tools to administer and configure the Linux Virtual Server as well as heartbeating and failover components. The LVS is a dynamically adjusted kernel...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 Proof of concept exploit for CVE-2025-55182...

CVE-2025-40978

Stored Cross-Site Scripting XSS vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘replydescription’ parameter...

CVE-2023-43847

Incorrect access control in the outlet control function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to control all the outlets as if they were the administrator via HTTP POST requests...

CVE-2023-43848

Incorrect access control in the firewall management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to alter local firewall settings of the device as if they were the administrator via HTTP POST request...

CVE-2021-41917

webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the platform users and...

CVE-2021-22050

ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests...

CVE-2016-10790

cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net SEC-192...

CVE-2022-26258

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution RCE vulnerability via HTTP POST to get set ccp...