CVE-2026-4480

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by...

FastNetMon 安全漏洞

FastNetMon is a high-performance DDoS detector/sensor developed by Pavel Odintsov. It is built using multiple packet capture engines. Versions of FastNetMon Community Edition 1.2.9 and earlier contained a security vulnerability. This vulnerability stemmed from the log function in the MikroTik...

CVE-2026-48687

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The log function in src/juniperplugin/fastnetmonjuniper.php lines 117-118 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

Lumiverse 参数注入漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained a parameter injection vulnerability. This vulnerability occurred when the toSmbPath call failed, resulting in a fallback to dirname/basename...

PT-2026-43193

A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate...

PT-2026-43300

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python checks.yml embeds $ github.event.pull request.title directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run tests model gen...

TOTOLINK CA750-PoE 操作系统命令注入漏洞

TOTOLINK CA750-PoE is a wireless network access device produced by TOTOLINK Corporation. Version 6.2c.510 of TOTOLINK CA750-PoE contains a vulnerability related to operating system command injection. This vulnerability arises from improper handling of the PIN parameter in the setWiFiWpsConfig...

PT-2026-43192

A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performe...

CVE-2026-48687

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The log function in src/juniperplugin/fastnetmonjuniper.php lines 117-118 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

Unauthenticated Remote Code Execution

Description Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. This leads to a remote code execution vulnerability. Print servers configured with "printing...

Lumiverse 操作系统命令注入漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained an operating system command injection vulnerability. This vulnerability stemmed from the Spindle extension’s build pipeline, which called bun insta...

luci-app-https-dns-proxy 命令注入漏洞

Luci-app-https-dns-proxy is an OpenWrt DNS-over-HTTPS proxy with a web management interface, developed by Stan Grishin. Versions of Luci-app-https-dns-proxy dated back to December 29, 2025, and earlier have a command injection vulnerability. This vulnerability stems from command injection in the...

vowpal_wabbit 安全漏洞

vowpalwabbit is an open-source fast online machine learning system developed by Vowpal Wabbit. There is a security vulnerability in vowpalwabbit, which stems from directly embedding PR titles into bash strings within the workflow. This could lead to arbitrary command execution...

PT-2026-43261

A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack...

TOTOLINK N300RH 安全漏洞

TOTOLINK N300RH is a long-range wireless router produced by TOTOLINK Corporation. Version 6.1c.1353B20190305 of TOTOLINK N300RH contains a security vulnerability. This vulnerability stems from improper handling of parameters in the setPasswordCfg function of the file/cgi-bin/cstecgi.cgi within th...

PT-2026-43248

A vulnerability has been found in Totolink N300RH 6.1c.1353 B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely...

CVE-2026-48687

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The log function in src/juniperplugin/fastnetmonjuniper.php lines 117-118 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

CVE-2026-48695

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The log function in src/mikrotikplugin/fastnetmonmikrotik.php lines 107-108 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

CVE-2026-48695

CVE-2026-48695: FastNetMon Community Edition

Important: kernel-livepatch-6.12.83-113.160

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags "Dirty Frag" and other issues in Amazon Linux kernels: https://aws.amazon.com/security/security-bulletins/2026-027-aws/ CVE-2026-43284 In the Linux kernel, the...