50 matches found
WordPress plugin ultimate-member security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2026-6158 Totolink N300RH upgrade.so setUpgradeUboot os command injection
A flaw has been found in Totolink N300RH 6.1c.1353B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used...
CVE-2026-6158
A flaw has been found in Totolink N300RH 6.1c.1353B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used...
Infinite loop
Overview Affected versions of this package are vulnerable to an infinite loop in the FileTypeParser class. This is triggered when the ASF WMV/WMA parser receives input including an ASF sub-header with a size value of 0. An attacker can interrupt service with a 55-byte payload. Remediation Upgrade...
PT-2026-7002
Name of the Vulnerable Software and Affected Versions D-Link DWR-M921 version 1.1.50 Description A flaw exists in D-Link DWR-M921 version 1.1.50 that allows for command injection. The issue stems from manipulating the fota url argument within the file /boafrm/formLtefotaUpgradeFibocom. This...
CVE-2025-15191
CVE-2025-15191 affects D-Link DWR-M920 devices ≤ 1.1.50. The issue is a command injection in the function sub_4155B4 of /boafrm/formLtefotaUpgradeFibocom caused by manipulated fota_url, enabling remote exploitation. Public PoCs/exploits exist. Remediation in public advisories recommends upgrading...
EUVD-2025-3739
Malicious code in bioql PyPI...
EUVD-2023-24445
Malicious code in bioql PyPI...
EUVD-2024-36100
Malicious code in bioql PyPI...
EUVD-2025-30909
Malicious code in bioql PyPI...
EUVD-2025-26310
Malicious code in bioql PyPI...
CVE-2025-29084
SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file...
CVE-2025-29084
CSZ-CMS v1.3.0 is affected by a SQL injection in the Upgrade.php file (execSqlFile), enabling a remote attacker to execute arbitrary code. The vulnerability is associated with CVE-2025-29084 and is described consistently across NVD/Red Hat/CNNVD/CVE listings, with no public patch/version details ...
PT-2025-39187
Name of the Vulnerable Software and Affected Versions CSZ-CMS version 1.3.0 Description A SQL Injection issue exists in CSZ-CMS version 1.3.0. This allows a remote attacker to execute arbitrary code through the execSqlFile function located in the Upgrade.php file. The vulnerability is triggered b...
CVE-2025-10441
A vulnerability was found in D-Link DI-8100G, DI-8200G and DI-8003G 17.12.20A1/19.12.10A1. Affected by this issue is the function sub433F7C of the file versionupgrade.asp of the component jhttpd. The manipulation of the argument path results in OS command injection. The attack may be launched...
CVE-2025-10441
CVE-2025-10441 affects D-Link DI-8100G/DI-8200G/DI-8003G (versions 17.12.20A1 and 19.12.10A1) where the function sub_433F7C in version_upgrade.asp of the jhttpd component mishandles the path argument, resulting in an OS command injection. The issue can be exploited remotely without user interacti...
CVE-2025-9745
A security vulnerability has been detected in D-Link DI-500WF 14.04.10A1T. The impacted element is an unknown function of the file /versionupgrade.asp of the component jhttpd. The manipulation of the argument path leads to OS command injection. The attack may be initiated remotely. The exploit ha...
TOTOLINK CA300-PoE command injection vulnerability
TOTOLINK CA300-PoE is a wireless access point from the Chinese vendor TOTOLINK (Gion Electronics). A command injection vulnerability exists in the TOTOLINK CA300-PoE upgrade.so file, which stems from the parameter FileName of the file upgrade.so failing to correctly filter special characters used to construct commands...
CVE-2024-38492
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file...