PT-2026-46001

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

CVE-2026-36613

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 is affected by a vulnerability where HTTP POST requests to undefined paths return 128 bytes of uninitialized internal buffer contents, exposing server state to unauthenticated adjacent network attackers. Affected component: the device’s HTT...

Apache Solr - Deserialization of Untrusted Data

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. id:...

Likeshop < 2.5.7.20210311 - Arbitrary File Upload

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an...

MAL-2026-4723 Malicious code in weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403 package.json declares "preinstall": "./tools/setup", where tools/setup is a 976KB stripped Linux x86-64 ELF binary sha256...

Malicious code in json-to-simple-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9998f4fd6abaaefcf6bd610ce0b558f0e1eb22c9d4dae07a111c27cc7f7322c The package contains a poc.js script that collects host reconnaissance data os.hostname, os.platform, output of whoami via childprocess and POSTs it ...

Malicious code in clawpro-diagnostics-metrics-cls (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d176cad00849132cb8df7ca53ac064e1980cea09bfe9b25836a78b4719b08ea The package's dist/index.js contains hardcoded HTTP POST calls targeting http://metadata.tencentyun.com along with reads of process.platform and...

CVE-2026-9422

Technical details (affected product/version, vulnerable component, root cause, impact, patches) are not publicly available in the provided documents. Monitor for updates.

CVE-2026-9422 KLiK SocialMediaWebsite HTTP POST Request Parameter injection

A vulnerability was identified in KLiK SocialMediaWebsite 1.0. This issue affects some unknown processing of the component HTTP POST Request Parameter Handler. Such manipulation leads to injection. The attack can be launched remotely. The exploit is publicly available and might be used...

Malicious code in openmct-couch-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28 On npm install, the package's preinstall script runs node index.js and then curls the output of hostname && whoami to...

Malicious code in ezymail (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass Gmail App Password to a...

Malicious code in cdp-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed The package ships cdpinject.js, which combines childprocess, fs, http/https, and base64 encoding to gather system information and exfiltrate it over...

EUVD-2026-27386

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

Astra Linux - уязвимость в php7.3, php8.1

In PHP versions 8.1. before 8.1.30, and 8.2. before 8.2.24, as well as 8.3. before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could result in legitimate data not being processed. This could allow malicious attackers to control a portion of the submitted dat...

VulnCheck KEV: CVE-2023-3793

A vulnerability was found in Weaver e-cology. It has been rated as critical. This issue affects some unknown processing of the file filelFileDownloadForOutDoc.class of the component HTTP POST Request Handler. The manipulation of the argument fileid with the input 1+WAITFOR+DELAY leads to sql...

CVE-2026-28525

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...

PT-2026-34874

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

CVE-2026-28525

SWUpdate contains an integer underflow in the multipart upload parser (mongoose_multipart.c) that enables unauthenticated remote denial of service. An attacker can trigger an underflow in mg_http_multipart_continue_wait_for_chunk() by sending a crafted HTTP POST to /upload with a malformed multip...

CVE-2026-28525 SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...