18 matches found

Vulnrichment
added 2026/05/25 7:6 p.m. | 6 views

CVE-2026-48842

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has pre-authentication SQL injection in the virtuser_query plugin via a preg_replace backslash escape bypass...

CVSS 8.1 | AI score 5.8 | EPSS 0.00128
Exploits: 0 | References: 5

CNNVD
added 2026/05/25 12:0 a.m. | 6 views

Roundcube Webmail SQL injection vulnerability

Roundcube Webmail is an open-source, browser-based IMAP client from Roundcube that supports address book management, message search, spell checking and so on. Roundcube Webmail 1.6.x versions prior to 1.6.16 and 1.7.x versions prior to 1.7.1 have an SQL injection vulnerability; the vulnerability...

CVSS 8.1 | AI score 5.9 | EPSS 0.00128
Exploits: 0 | References: 5

Vulnrichment
added 2026/04/20 8:26 p.m. | 1 views

CVE-2026-33432 Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without...

CVSS 8.7 | AI score 5.7 | EPSS 0.00207
Exploits: 1 | References: 2

EUVD
added 2026/02/08 12:30 a.m. | 3 views

EUVD-2026-5712

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication...

CVSS 9.8 | AI score 5.5 | EPSS 0.00057
Exploits: 0 | References: 4

CNNVD
added 2026/02/07 12:0 a.m. | 2 views

WeKan injection vulnerability

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.19 contained an injection vulnerability. This vulnerability stemmed from the fact that the username provided during LDAP authentication was entered without proper escaping, and thus incorporated into the...

CVSS 9.8 | AI score 5.8 | EPSS 0.00057
Exploits: 0 | References: 4

VulnCheck KEV
added 2026/01/28 12:0 a.m. | 2 views

VulnCheck KEV: CVE-2025-64328

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the...

CVSS 8.6 | AI score 5.8 | EPSS 0.75413
In wild | Exploits: 4 | References: 5

CVE
added 2025/11/18 1:25 a.m. | 12 views

CVE-2025-8693

Zyxel DX3300-T0 firmware versions prior to 5.50(ABVY.6.3)C0 are affected by a post-authentication command-injection vulnerability in the priv parameter that could allow an authenticated attacker to execute OS commands. The PT-2025-47237 entry confirms the affected firmware range and the impact. R...

CVSS 8.8 | AI score 7.3 | EPSS 0.0013
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2025/11/13 1:15 p.m. | 2 views

CVE-2025-12764

pgAdmin = 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS...

CVSS 7.5 | AI score 7.4
Exploits: 0 | References: 1

ATTACKERKB
added 2025/11/07 3:32 a.m. | 2 views

CVE-2025-64328

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the...

CVSS 8.6 | AI score 5.7 | EPSS 0.75413
In wild | Exploits: 4 | References: 5 | Affected Software: 1

Cvelist
added 2025/09/02 12:0 a.m. | 7 views

CVE-2024-48705

Wavlink AC1200 with firmware versions M32A3V1410230602 and M32A3V1410240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "setsysadm" function of the "adm.cgi" binary, and is due to improper sanitization ...

EPSS 0.09084
Exploits: 1 | References: 2

CVE
added 2025/08/13 8:33 p.m. | 13 views

CVE-2012-10059

Dolibarr ERP/CRM contains a post-authenticated OS command injection in its database backup feature. In versions <= 3.1.1 and

CVSS 9.4 | AI score 8.3 | EPSS 0.67181
Exploits: 0 | References: 6

OSV
added 2025/03/12 5:15 a.m. | 3 views

AZL-58604 CVE-2025-24912 affecting package wpa_supplicant for versions less than 2.10-3

hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail...

CVSS 3.7 | AI score 5.7 | EPSS 0.00033
Exploits: 0 | References: 1

OSV
added 2024/12/03 2:15 a.m. | 2 views

CVE-2024-9200

A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15ABQA.2.2C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable devi...

CVSS 7.2 | AI score 5.9 | EPSS 0.00533
Exploits: 0 | References: 1

OSV
added 2021/05/04 1:30 p.m. | 0 views

UBUNTU-CVE-2020-28021

Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file which indirectly leads to remote code execution as root via AUTH= in a MAIL FROM command...

CVSS 8.8 | AI score 7.5 | EPSS 0.05711
Exploits: 1 | References: 3

OSV
added 2020/04/01 5:15 p.m. | 2 views

CVE-2018-11106

NETGEAR has released fixes for a pre-authentication command injection in requesthandler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 1

The Hacker News
added 2020/03/21 7:51 a.m. | 1 views

Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called "Mukashi," the new variant of the malware employs brute-force attacks using differe...

CVSS 10 | AI score 8.2 | EPSS 0.94265
Exploits: 2

VulnCheck KEV
added 2020/02/24 12:0 a.m. | 1 views

VulnCheck KEV: CVE-2020-9054

Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code...

CVSS 10 | AI score 7.7 | EPSS 0.94265
Exploits: 2 | References: 1

myhack58
added 2007/11/24 12:0 a.m. | 24 views

Discuz! 6.0.0 0Day vulnerabilities-vulnerability warning-the black bar safety net

Sources: bad wolf safety net // Allows the program to work in a register_globals = off environment $onoff = function_exists('ini_get') ? ini_get('register_globals') : get_cfg_var('register_globals'); if ($onoff != 1) { @extract($_POST, EXTR_SKIP); @extract($_GET, EXTR_SKIP); } $self = $_SERVER['PHP_SELF']; $disfunc =...

AI score 7.9
Exploits: 0