
35 matches found

CVE
added 2026/04/23 12:0 a.m. | 5 views

CVE-2026-31172

The CVE-2026-31172 entry concerns ToToLink A3300R firmware, version 17.0.0cu.557_B20221024. The issue is a command injection in the CGI interface: attacker-controlled input in the user parameter to /cgi-bin/cstecgi.cgi can lead to arbitrary command execution on the device. According to the NVD en...

CVSS 6.5 | AI score 6.1 | EPSS 0.00285
Exploits: 1 | References: 1 | Affected Software: 1
OSV
added 2026/02/25 10:58 p.m. | 3 views

CVE-2026-27613 CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam)

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact i...

CVSS 10 | AI score 6.5 | EPSS 0.00156
Exploits: 0 | References: 6
EUVD
added 2026/02/25 10:58 p.m. | 3 views

EUVD-2026-8763

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact i...

CVSS 10 | AI score 6.4 | EPSS 0.00156
Exploits: 0 | References: 4
NVD
added 2025/11/23 6:15 p.m. | 1 view

CVE-2025-13562

A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerabili...

CVSS 9.8 | EPSS 0.00153
Exploits: 1 | References: 5
NVD
added 2025/11/13 5:15 p.m. | 3 views

CVE-2025-60691

A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers Firmware E1200v2.0.11.001us.tar.gz. The applycgi and blockcgi functions copy user-supplied input from the "url" CGI parameter into stack buffers v36, v29 using sprintf without bounds checking. Because these buffe...

CVSS 8.8 | EPSS 0.00594
Exploits: 1 | References: 3
Vulnrichment
added 2025/10/27 7:2 a.m. | 1 view

CVE-2025-12241 TOTOLINK A3300R POST Parameter cstecgi.cgi setLanguageCfg stack-based overflow

A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557B20221024. This impacts the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. The manipulation of the argument lang results in stack-based buffer overflow. It is possible to launch the atta...

CVSS 9 | AI score 8.9 | EPSS 0.00287
Exploits: 1 | References: 5
Vulnrichment
added 2025/09/16 12:18 p.m. | 3 views

CVE-2025-10546 Cross-Site Scripting (XSS) Vulnerability in PPC XPON ONT Wi-Fi Router

This vulnerability exists in the PPC 2K15X Router due to improper input validation of the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected...

CVSS 5.1 | AI score 5.7 | EPSS 0.00239
Exploits: 0 | References: 1
NVD
added 2025/03/26 8:15 p.m. | 7 views

CVE-2025-26008

In Telesquare TLR-2005KSH 1.1.4, an unauthorized stack overflow vulnerability exists when requesting admin.cgi parameter with setSyncTimeHost...

CVSS 9.8 | EPSS 0.00647
Exploits: 0 | References: 1
OSV
added 2025/03/26 7:15 p.m. | 0 views

CVE-2025-26002

Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setSyncTimeHost...

CVSS 9.8 | AI score 5.8 | EPSS 0.00647
Exploits: 0 | References: 2
Vulnrichment
added 2025/03/26 12:0 a.m. | 4 views

CVE-2025-26010

Telesquare TLR-2005KSH 1.1.4 allows unauthorized password modification when requesting the admin.cgi parameter with setUserNamePassword...

AI score 9.6 | EPSS 0.00338
Exploits: 0 | References: 1
CVE
added 2024/05/14 3:58 p.m. | 51 views

CVE-2024-32353

CVE-2024-32353 affects TOTOLINK X5000R firmware version 9.1.0cu.2350_B20230313. A command injection exists in the setSSServer API at /cgi-bin/cstecgi.cgi via the port parameter, caused by inadequate input filtering of command characters. Impact is high (arbitrary command execution) with CVSSv3.1:...

CVSS 9.8 | AI score 7.9 | EPSS 0.04633
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2024/02/22 3:15 p.m. | 0 views

CVE-2024-25851

Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the configsequence parameter in otherpara of cgitest.cgi...

CVSS 8 | AI score 5.8 | EPSS 0.00441
Exploits: 1 | References: 2
Cvelist
added 2022/04/25 4:12 a.m. | 13 views

CVE-2021-40680

There is a Directory Traversal vulnerability in Artica Proxy 4.30.000000 SP206 through SP255, and VMware appliance 4.30.000000 through SP273 via the filename parameter to /cgi-bin/main.cgi...

CVSS 8.1 | AI score 8.2 | EPSS 0.00431
Exploits: 0 | References: 1
OpenVAS
added 2022/01/28 12:0 a.m. | 11 views

Mageia: Security Advisory (MGASA-2014-0488)

The remote host is missing an update for the...

AI score 7.5
Exploits: 0 | References: 5
CNNVD
added 2020/12/07 12:0 a.m. | 2 views

Eldy Awstats Path Traversal Vulnerability

Eldy Awstats is a log analysis tool for Web sites by the individual developer Eldy. The software supports analyzing Web, WAP, proxy, streaming server, FTP, and mail server log files on all operating systems such as IIS 5.0+, Apache, etc. It displays all Web statistics including: visitors, pages,...

CVSS 9.8 | AI score 6.8 | EPSS 0.01743
Exploits: 1 | References: 9
OSV
added 2020/11/01 5:15 p.m. | 0 views

CVE-2020-25849

MailGates and MailAudit products contain a Command Injection flaw, which can be used to inject and execute system commands from the cgi parameter after attackers obtain the user’s access token...

CVSS 8.8 | AI score 7.3
Exploits: 0 | References: 1
Packet Storm
added 2020/10/07 12:0 a.m. | 556 views

Karel IP Phone IP1211 Web Management Panel Directory Traversal

Exploit Title: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
Exploit Author: Berat Gokberk ISLER
Date: 2020-09-01
CVE: N/A
Type: Webapps
Vendor Homepage: https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
Version: IP1211
Details
Directory traversal vulnerability on the Karel...

AI score 0.1
Exploits: 0
NVD
added 2020/02/17 4:15 a.m. | 9 views

CVE-2020-9022

An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS...

CVSS 6.1 | AI score 6.3 | EPSS 0.00328
Exploits: 1 | References: 1
Prion
added 2019/04/18 6:29 p.m. | 13 views

Cross site scripting

On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter...

CVSS 3.5 | AI score 5.2 | EPSS 0.01121
Exploits: 5 | References: 2 | Affected Software: 1
OSV
added 2019/03/30 5:29 p.m. | 1 view

CVE-2019-10662

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI...

CVSS 8.8 | AI score 7.6
Exploits: 0 | References: 2