107 matches found
CVE-2026-50212
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
CVE-2026-50212
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
EUVD-2026-34224
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
CVE-2026-50212
CVE-2026-50212 concerns weak validation logic in the device dissociation API routines, allowing a remote attacker to forcefully unbind unrelated user endpoints and cause denial of service. The NVD entry cites a CVSS v4.0 base score of 7.1 (HIGH), adjacent attack vector, low complexity, no user in...
CVE-2026-50212 Arbitrary Remote Device Unbinding
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
CVE-2026-50212 Arbitrary Remote Device Unbinding
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
PT-2026-46164
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
CVE-2026-35079
The CVE-2026-35079 entry describes an issue in the ugw-restore method where a remote attacker with user privileges can delete arbitrary local files due to insufficient validation of user-controlled input. The vulnerability is assessed with high severity (CVSS 4.0: base 7.2; CVSS 3.1: base 8.1), r...
PT-2026-41840
Name of the Vulnerable Software and Affected Versions Piotnet Addons for Elementor Pro versions prior to 7.1.71 Description Missing file type validation in the pafe ajax form builder function allows unauthenticated attackers to upload arbitrary files to the server. The plugin employs an incomplet...
CVE-2026-7652
The LatePoint WordPress plugin (up to version 5.5.0) is vulnerable to Account Takeover via a Weak Password Recovery Mechanism in the unauthenticated guest booking flow. The root cause is save_connected_wordpress_user() propagating a LatePoint customer’s email to its linked WordPress user via wp_u...
CVE-2026-44313
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery SSRF vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal...
CVE-2026-34415 Xerte Online Toolkits File Upload RCE via elfinder Connector
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...
CVE-2026-34719 Zammad has a Server-side request forgery (SSRF) via webhooks
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme HTTP/HTTPS as well as the hostname was checked. This could end up in retrieving...
Endian Firewall DATE Parameter OS Command Injection Vulnerability (CNVD-2026-18422)
Endian Firewall is a network security firewall system from Endian. An operating system command injection vulnerability exists in the Endian Firewall DATE parameter, which stems from incomplete regular expression validation of the DATE parameter in /cgi-bin/logsopenvpn.cgi, and can be exploited by...
Endian Firewall DATE Parameter OS Command Injection Vulnerability
Endian Firewall is a network security firewall system from Endian. An operating system command injection vulnerability exists in the Endian Firewall DATE parameter, which stems from incomplete regular expression validation of the DATE parameter in /cgi-bin/logsids.cgi, and can be exploited by an...
EUVD-2026-18268
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsfirewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplet...
CVE-2026-34793 Endian Firewall /cgi-bin/logs_firewall.cgi DATE Perl Command Injection
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsfirewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplet...
Endian Firewall 操作系统命令注入漏洞
Endian Firewall is a network security firewall system from Endian. An operating system command injection vulnerability exists in the Endian Firewall DATE parameter, which stems from incomplete regular expression validation of the DATE parameter in /cgi-bin/logssmtp.cgi, and can be exploited by an...
PT-2026-29411
XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host...
CVE-2026-33284
GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches...