CVE-2025-30044 RCE on uhcapache user permissions

In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...

CVE-2026-3422

U-Office Force developed by e-Excellence has a Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content...

EUVD-2026-9130

A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editormarkitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can lead to code injection. It is possible to launch the attack...

PUB-A-454078934

In multiple places, there is a possible out of bounds write due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-21659

Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion LFI vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects...

CVE-2026-3262

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...

SUSE CVE-2026-28364

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization runtime/intern.c enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock function, which performs unbounded memcpy operation...

EUVD-2026-9019

Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion LFI vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects...

CVE-2026-21658

Johnson Controls Frick Controls Quantum HD is affected by CVE-2026-21658, an unauthenticated remote code execution (code injection) vulnerability caused by insufficient validation of input parameters. The issue allows code execution before authentication, impacting Quantum HD versions up to 10.22...

CVE-2026-21657

CVE-2026-21657 : Johnson Controls Frick Controls Quantum HD (versions 10.22 and earlier) contains an unauthenticated code injection flaw due to insufficient input validation in certain parameters, enabling code generation/execution before authentication. Multiple sources (NVD/Red Hat/EUVD/NVD eco...

CVE-2026-28364

CVE-2026-28364 affects OCaml runtimes prior to 4.14.3 and 5.x prior to 5.4.1. The issue is a buffer over-read in Marshal deserialization (runtime/intern.c) caused by missing bounds validation in readblock(), which uses unbounded memcpy() calls with attacker-controlled lengths from crafted Marshal...

CVE-2026-3273

A vulnerability was identified in Tenda F453 1.0.0.3. Affected by this vulnerability is the function formWrlsafeset of the file /goform/AdvSetWrlsafeset of the component httpd. Such manipulation of the argument mitssidindex leads to buffer overflow. The attack can be executed remotely. The exploi...

CVE-2026-25196 Copeland XWEB and XWEB Pro OS Command Injection

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the Wi-Fi SSID and/or password fields can lead to remote code execution when the configuration is...

CVE-2026-25721 Copeland XWEB and XWEB Pro OS Command Injection

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route...

EUVD-2026-8903

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...

PT-2026-22386

Name of the Vulnerable Software and Affected Versions mcp-atlassian affected versions not specified Description The software contains a critical unauthenticated remote code execution RCE and server-side request forgery SSRF issue. The RCE is a result of arbitrary file write, leading to arbitrary...

CVE-2026-3264 go2ismail Free-CRM Administrative redirect

A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely...

CVE-2026-3264 go2ismail Free-CRM Administrative redirect

A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely...

CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote cod...

CVE-2026-3262 go2ismail Asp.Net-Core-Inventory-Order-Management-System Administrative redirect

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...