GeoVision LPC2011/LPC2211 Web Interface privilege escalation vulnerability

Summary A privilege escalation vulnerability exists in the Web Interface functionality of LPC2011/LPC2211 versions: 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability. Confirmed Vulnerable Versions The...

CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...

CVE-2026-45062 FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...

CVE-2026-45062

CVE-2026-45062 affects FrankenPHP (versions 1.11.2–1.12.2). The vulnerability arises in the CGI path splitting logic (splitPos in cgi.go), where fallback matching uses golang.org/x/text/search with ignore-case, and engages when the request path contains non-ASCII bytes. Two flaws enable an attack...

CVE-2026-7125

A vulnerability was identified in Totolink A8000RU 7.1cu.643b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be initiated remotely. T...

CVE-2026-7834

A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function getcsrfwhites of the file /cgi/advanced/miscmain.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and...

CVE-2026-9533 Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection

A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate...

CVE-2026-9512

A security flaw has been discovered in Totolink CA750-PoE 6.2c.510. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument admuser/admpass results in os command injection. The attack can b...

TOTOLINK A8000RU 操作系统命令注入漏洞

The TOTOLINK A8000RU is a wireless router from China's Gion Electronics TOTOLINK. The Totolink A8000RU version 7.1cu.643b20200521 suffers from an OS command injection vulnerability that originates from the operation of the parameter enabled of the function setOpenVpnCfg in the file...

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

GHSA-3G8V-8R37-CGJM FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Summary The splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the...

PT-2026-39571

A security flaw has been discovered in D-Link DNS-320 2.06B01. This affects the function delete/rename/copy/move/chmod/chown of the file /cgi-bin/webfile mgr.cgi. The manipulation results in os command injection. The attack may be performed from remote. The exploit has been released to the public...

CVE-2026-7244 Totolink A8000RU CGI cstecgi.cgi setWiFiEasyGuestCfg os command injection

A security flaw has been discovered in Totolink A8000RU 7.1cu.643b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible to launch the...

CVE-2026-7125

The CVE-2026-7125 entry concerns Totolink A8000RU (7.1cu.643_b20200521). Affected component: CGI Handler, function setWiFiEasyCfg in /cgi-bin/cstecgi.cgi. Root cause is manipulation of the argument merge leading to OS command injection; the issue is exploitable remotely. Public exploit is cited. ...

CVE-2026-31166

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi...

EUVD-2026-25239

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi...

CVE-2026-31178

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi...

CVE-2026-31178

ToToLink A3300R firmware v17.0.0cu.557_B20221024 is vulnerable via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi, enabling arbitrary command execution. The CVE-2026-31178 entry lists network-based access with high impact to confidentiality, integrity, and availability. Connected sources conf...

PT-2026-34715

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557 B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi...

CVE-2026-31174

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi...