14 matches found
CVE-2026-44775
Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...
CVE-2026-44775
Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...
EUVD-2026-31936
Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration...
GHSA-9J26-99JH-V26Q WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Impact An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration secrets, internal keys, credentials, and service disruption...
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Impact An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration secrets, internal keys, credentials, and service disruption...
CVE-2021-47802
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without...
CVE-2021-47802 Tenda D151 & D301 - Configuration Download
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without...
CVE-2021-47802
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without...
EUVD-2026-3650
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without...
CVE-2021-47802
CVE-2021-47802 affects Tenda D151 and D301 routers. The issue is an unauthenticated configuration download vulnerability reachable via /goform/getimage, permitting remote attackers to retrieve router configuration data, including admin credentials. The provided connected sources corroborate the v...
Tenda D301和Tenda D151 访问控制错误漏洞
Tenda D301 is a wireless router.Tenda D151 is a wireless router. An access control error vulnerability exists in the Tenda D301 and Tenda D151 that stems from the presence of an unauthenticated configuration download on the /goform/getimage endpoint, which can be exploited by an attacker to cause...
PT-2023-31535 · Unknown · Usememos/Memos
Name of the Vulnerable Software and Affected Versions: usememos/memos versions prior to 0.15.1 Description: The issue is related to Cross-Site Request Forgery CSRF in the usememos/memos repository. It affects the getimage endpoint. No information is provided about the estimated number of...
Album Lock 路径遍历漏洞
Album Lock is an application by Staral Wang personal developer. It is used to hide photos and videos. A path traversal vulnerability exists in Album Lock version 4.0, which stems from some unknown functionality of the file /getImage, where the operation parameter filePaht leads to path traversal...