Lucene search
K

27 matches found

NVD
NVD
added 2026/07/01 5:16 a.m.10 views

CVE-2026-7839

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpyssavedpassword, 64,...

9.1CVSS0.00374EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 3:33 a.m.7 views

EUVD-2026-40885

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpyssavedpassword, 64,...

9.1CVSS5.8AI score0.00374EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.11 views

PT-2026-54489

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy ssaved password, 64,...

9.1CVSS5.8AI score0.00374EPSS
Exploits0References10
NVD
NVD
added 2026/06/11 8:16 p.m.19 views

CVE-2026-49973

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
CVE
CVE
added 2026/06/11 7:4 p.m.27 views

CVE-2026-49973

CVE-2026-49973 affects Hermes WebUI prior to version 0.51.358. The issue is an improper access control in the settings API that allows unauthenticated remote attackers to hijack the initial setup by posting to the /api/settings endpoint using the _set_password parameter without origin restriction...

9.4CVSS5.7AI score0.00543EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/11 7:4 p.m.8 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS5.5AI score0.00543EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/11 7:4 p.m.31 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 7:35 p.m.16 views

Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

5.9AI score
Exploits0References1
OSV
OSV
added 2026/05/20 7:35 p.m.10 views

MAL-2026-4386 Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

5.9AI score
Exploits0References1
Snyk
Snyk
added 2026/05/06 4:59 p.m.6 views

Missing Authentication for Critical Function

Overview github.com/0xJacky/Nginx-UI is a yet another Nginx Web UI, developed by 0xJacky and Hintay. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the POST /api/install endpoint during the initial setup 10 minutes window, which is accessible...

9.8CVSS5.8AI score0.00339EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/06 4:59 p.m.9 views

EUVD-2026-27135

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/06 12:0 a.m.13 views

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; i...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/05 8:21 p.m.9 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References1
NVD
NVD
added 2026/05/04 9:16 p.m.30 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

9.8CVSS0.00346EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/04 8:9 p.m.44 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS0.00346EPSS
Exploits1References2
OSV
OSV
added 2026/05/04 8:9 p.m.3 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS7.1AI score0.00346EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/05/04 8:9 p.m.6 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/04 8:9 p.m.5 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/05/04 12:0 a.m.11 views

Nginx UI 访问控制错误漏洞

Nginx UI is a web interface for Nginx developed by Jacky. In versions 2.0.0 to 2.3.8 of Nginx UI, there was an access control vulnerability. This vulnerability stemmed from the fact that the public/api/install endpoint required no authentication during the first run, allowing unauthenticated...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.17 views

PT-2026-36921

Name of the Vulnerable Software and Affected Versions Nginx UI versions 2.0.0 through 2.3.7 Description An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References13
Rows per page
Query Builder