CVE-2026-43878 WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal
WWBN AVideo is an open source video platform. In versions up to and including 29.0, `plugin/Meet/iframe.php` echoes the attacker-controlled `user` and `pass` query parameters unescaped into a JavaScript double-quoted string literal inside a `<script>` block. An attacker who sends a victim to a crafted URL can bre...
EUVD-2026-21016
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...
CVE-2026-31170
The CVE-2026-31170 entry covers ToToLink A3300R firmware 17.0.0cu.557_B20221024 with a vulnerability in /cgi-bin/cstecgi.cgi where the stun-pass parameter allows an attacker to execute arbitrary commands. Reported impact is arbitrary command execution with a high/critical risk posture and potenti...
CVE-2026-31170
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...
PT-2026-31683
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557 B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...
EUVD-2026-10260
A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched remotely. The exploit has been released to t...
CVE-2026-3757
A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched remotely. The exploit has been released to t...
CVE-2026-3757 projectworlds Online Art Gallery Shop pass sql injection
A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched remotely. The exploit has been released to t...
CVE-2026-3757
CVE-2026-3757 affects projectworlds Online Art Gallery Shop 1.0. A SQL injection vulnerability exists in an unknown functionality accessed via the file path /?pass=1, caused by manipulation of the fnm argument. The vulnerability is described as exploitable remotely and the exploit has been releas...
PT-2026-23968
Name of the Vulnerable Software and Affected Versions: projectworlds Online Art Gallery Shop version 1.0. Description: A security flaw exists in projectworlds Online Art Gallery Shop. This issue involves a SQL injection impacting an unknown functionality accessible through the file '/?pass=1'. The f...
EUVD-2006-0965
Malware in sbrugna...
CVE-2025-45542
SQL injection vulnerability in the registrationform endpoint of CloudClassroom-PHP-Project v1.0. The pass parameter is vulnerable due to improper input validation, allowing attackers to inject SQL queries...
A vulnerability in the setVpnAccountCfg() function (located in web/cgi-bin/cstecgi.cgi) in the TOTOLINK X5000R router's firmware allows a malicious actor to execute arbitrary commands.
The vulnerability in the setVpnAccountCfg function, located at web/cgi-bin/cstecgi.cgi in the TOTOLINK X5000R router's firmware, stems from a failure to neutralize special elements used in operating system command processing when handling the pass parameter. Exploiting th...
CVE-2024-57017
TOTOLINK X5000R V9.1.0cu.2350B20230313 was discovered to contain an OS command injection vulnerability via the "pass" parameter in setVpnAccountCfg...
CVE-2024-57017
Totolink X5000R exposure: OS command injection in setVpnAccountCfg via the pass parameter on firmware V9.1.0cu.2350_B20230313. Root cause appears to be inadequate filtering of input (CNVD entry notes failure to filter constructor special characters/commands). Impact described as arbitrary command...
PT-2024-31202 · Gescen · Gescen
Name of the Vulnerable Software and Affected Versions: Gescen affected versions not specified Description: The issue allows an attacker to send a specially crafted SQL query to the pass parameter and retrieve all the data stored in the database. This is a SQL injection vulnerability...
Gescen SQL injection vulnerability
Gescen is an educational platform from the Centros Digitales team in China. Gescen suffers from a SQL injection vulnerability that originates from allowing an attacker to send a specially crafted SQL query to the pass parameter and retrieve all data stored in the database...