824 matches found
CVE-2025-34132
A command injection vulnerability exists in LILIN Digital Video Recorder DVR devices prior to firmware version 2.0b6020200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvrbox fails to properly sanitize input, allowing remote attackers to inject and execute...
CVE-2025-34132 LILIN DVR Command Injection via NTPUpdate in dvr_box
A command injection vulnerability exists in LILIN Digital Video Recorder DVR devices prior to firmware version 2.0b6020200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvrbox fails to properly sanitize input, allowing remote attackers to inject and execute...
CVE-2025-42966
SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability ...
CVE-2025-42966
CVE-2025-42966 affects SAP NetWeaver XML Data Archiving Service. The vulnerability is an insecure Java deserialization flaw exploitable by an authenticated attacker with administrative privileges via a crafted serialized Java object. This can impact confidentiality, integrity, and availability of...
CVE-2025-48882
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard libxml extension and the LIBXMLDTDLOAD flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability...
CVE-2025-48882 PHPOffice Math allows XXE when processing an XML file in the MathML format
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard libxml extension and the LIBXMLDTDLOAD flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability...
CVE-2022-45688
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service DoS via crafted JSON or XML data...
CVE-2022-27669
An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java - version 7.50, to which access should be restricted. This may result in an escalation of privileges...
CVE-2021-32925
admin/userimport.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities...
CVE-2020-23585
A remote attacker can conduct a cross-site request forgery CSRF attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OPV3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgmconfigfile.asp" because of which attacker can create a crafted "csrf for...
CVE-2020-7480
A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists in Andover Continuum All versions, which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data...
CVE-2015-20067
The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress...
CVE-2019-8158
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data...
CVE-2019-4391
HCL AppScan Standard is vulnerable to XML External Entity Injection XXE attack when processing XML data...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to bypass signature validation in XML data [CVE-2025-29774] [CVE-2025-29775]
Summary Node.js module xml-crypto is used by IBM App Connect Enterprise Certified Container for handling XML data. IBM App Connect Enterprise Certified Container operands are vulnerable to signature validation bypass. This bulletin provides patch information to address the reported vulnerability ...
CVE-2023-35815
DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data...
CVE-2023-35815
DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data...
CVE-2023-35815
DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data...
CVE-2023-35815
DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data...
PT-2025-18085 · Devexpress · Devexpress
Name of the Vulnerable Software and Affected Versions: DevExpress versions prior to 23.1.3 Description: The issue concerns a data-source protection mechanism bypass during the deserialization of XML data. This means that the normal protections in place to safeguard data sources can be circumvente...