GHSA-H2FW-RFH5-95R3 Apache Tomcat - CGI security constraint bypass

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1...

CVE-2025-46701 Apache Tomcat: Security constraint bypass for CGI scripts

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1...

CVE-2025-46701

CVE-2025-46701 affects Apache Tomcat GCI servlet; security constraint bypass via pathInfo handling. Public advisories confirm affected branches: Tomcat 11.x up to 11.0.6, 10.x up to 10.1.40, 9.x up to 9.0.104. Remediation versions listed: 11.0.7, 10.1.41, 9.0.105. Debian/DSA and Amazon Linux advi...

CVE-2025-46701 Apache Tomcat: Security constraint bypass for CGI scripts

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1...

WAVLINK WL-WN579A3 /cgi-bin/qos.cgi Component Command Injection Vulnerability

WAVLINK WL-WN579A3 is a high performance dual-band wireless card from China RuiYin WAVLINK. The WAVLINK WL-WN579A3 suffers from a command injection vulnerability that originates from unfiltered input in the /cgi-bin/qos.cgi component, no details of the vulnerability are provided at this time...

CVE-2025-41441

Mailform Pro CGI prior to 4.3.4 generates error messages containing sensitive information, which may allow a remote unauthenticated attacker to obtain coupon codes. This vulnerability only affects products that use the coupon feature...

CVE-2025-41441

Mailform Pro CGI prior to 4.3.4 generates error messages containing sensitive information, which may allow a remote unauthenticated attacker to obtain coupon codes. This vulnerability only affects products that use the coupon feature...

Mailform Pro CGI generating error messages containing sensitive information

Overview Mailform Pro CGI provided by SYNCK GRAPHICA contains a vulnerability listed below. Generation of error message containing sensitive information CWE-209 - CVE-2025-41441 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...

PT-2025-22903 · Unknown · Mailform Pro Cgi

Name of the Vulnerable Software and Affected Versions: Mailform Pro CGI versions prior to 4.3.4 Description: The issue allows a remote unauthenticated attacker to obtain coupon codes due to error messages containing sensitive information. This only affects products that use the coupon feature...

JVN#39546799: Mailform Pro CGI generating error messages containing sensitive information

Mailform Pro CGI provided by SYNCK GRAPHICA contains a vulnerability listed below. Generation of error message containing sensitive information CWE-209 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 3.7...

ALSA-2025:8131 Moderate: ruby security update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fixes: net-imap: Net::IMAP vulnerable to possible DoS by memory exhaustion CVE-2025-25186 CGI: Denial of Service in CGI::Cookie.parse...

Netcore多款产品 注入漏洞

Netcore NBR1005GPEV2 and so on are products of China Leike Netcore.Netcore NBR1005GPEV2 is a full gigabit multi-WAN port POE-powered enterprise AP management multifunctional wired router.Netcore B6V2 is a full gigabit wireless router.Netcore COVER5 is an enterprise-class router. An injection...

CVE-2024-43027

DrayTek Vigor 3900 before v1.5.1.5Beta, DrayTek Vigor 2960 before v1.5.1.5Beta and DrayTek Vigor 300B before v1.5.1.5Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi...

CVE-2024-52025

Netgear XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 was discovered to contain a stack overflow via the pppoelocalip parameter at geniepppoe.cgi. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted POST request...

CVE-2024-42061

A reflected cross-site scripting XSS vulnerability in the CGI program "dynamicscript.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50W series firmware versions from V4.16 through V5.38, and USG20W-VPN seri...

CVE-2024-22113

Open redirect vulnerability in Access analysis CGI An-Analyzer released in 2023 December 31 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary websites and conduct phishing attacks via a specially crafted URL...

CVE-2024-6108

A vulnerability was found in Genexis Tilgin Home Gateway 322AS0500-03051305. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/voodview.cgi?act=index⟨=EN of the component Login. The manipulation of the argument errmsg leads to basic cross site...

CVE-2024-3274

UNSUPPORTED WHEN ASSIGNED A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request Handler. The manipulation...

CVE-2024-42744

In TOTOLINK X5000r v9.1.0cu.2350b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setModifyVpnUser. Authenticated Attackers can send malicious packet to execute arbitrary commands...

CVE-2024-42743

In TOTOLINK X5000r v9.1.0cu.2350b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setSyslogCfg . Authenticated Attackers can send malicious packet to execute arbitrary commands...