Windows UPnP Device Host Remote Code Execution Vulnerability

Use after free in Universal Plug and Play upnp.dll allows an unauthorized attacker to execute code over a network...

CVE-2026-36603

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary...

CVE-2026-36603

Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) is affected by a UPnP IGD issue: 15 of 18 UPnP actions are exposed without authentication on port 1900, with UPnP enabled by default via the admin interface. This allows any unauthenticated LAN device to create arbitrary port forwarding...

CVE-2026-36602

CVE-2026-36602 affects the Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909. The issue arises in UPnP GetStatusInfo handling, which discloses kernel memory layout. An unauthenticated attacker on an adjacent network can obtain a raw MIPS KSEG0 kernel pointer, exposing kernel memory ...

EUVD-2026-22503

Use after free in Windows Universal Plug and Play UPnP Device Host allows an authorized attacker to elevate privileges locally...

CVE-2026-32214

Improper access control in Universal Plug and Play upnp.dll allows an authorized attacker to disclose information locally...

CVE-2026-32077 Windows UPnP Device Host Elevation of Privilege Vulnerability

...

PT-2026-32781

Name of the Vulnerable Software and Affected Versions Windows Universal Plug and Play UPnP Device Host affected versions not specified Description An untrusted pointer dereference in the Windows Universal Plug and Play UPnP Device Host allows an authorized attacker to elevate privileges locally,...

CVE-2026-3622

CVE-2026-3622 affects TL-WR841N v14's UPnP component, where improper input validation triggers an out-of-bounds read that can crash the UPnP service and cause a Denial-of-Service. Affected builds include EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) and US_0.9.1.4.19 Build 260312 Rel. 49108n...

CVE-2026-4214

A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function...

CVE-2025-13942

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17ABUP.15.1C0 could allow a remote attacker to execute operating system OS commands on an affected device by sending specially crafted UPnP SOAP requests...

CVE-2026-2548

A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub40F820 of the file rc. Executing a manipulation of the argument upnpwaniface/upnpssdpinterval/upnpmaxage can lead to command injection. The attack can be executed remotely. The vendor was contacted early about this...

CVE-2021-47854

DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target devi...

CVE-2021-47854

DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target devi...

DD-WRT security vulnerabilities

DD-WRT is an open-source alternative firmware based on Linux, developed by DD-WRT. It is suitable for various WLAN routers and embedded systems. Version DD-WRT 45723 contains a security vulnerability, which stems from a buffer overflow in the UPNP network discovery service. This vulnerability cou...

MiracleLinux 8 : gupnp-1.0.6-2.el8 (AXSA:2021-2196:02)

The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2021-2196:02 advisory. gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services CVE-2021-33516 Tenable has extracted t...

CVE-2025-11676

CVE-2025-11676 affects TP-Link TL-WR940N V6 (UPnP modules). The issue is an improper input validation vulnerability that allows unauthenticated adjacent attackers to cause a denial-of-service, affecting TL-WR940N V6

Tenda AC8 安全漏洞

Tenda AC8 is a wireless router from Tenda, a Chinese company. A buffer overflow vulnerability exists in Tenda AC8 Hardware version v03.03.10.01, which originates from a boundary error in the UPnP service when handling untrusted input. An attacker can exploit this vulnerability to execute arbitrar...

CVE-2025-61498

A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service DoS via supplying a crafted packet...

CVE-2025-11327

A security vulnerability has been detected in Tenda AC18 15.03.05.196318. This vulnerability affects unknown code of the file /goform/SetUpnpCfg. The manipulation of the argument upnpEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been...