CVE-2025-26343

CVE-2025-26343 affects Q-Free MaxTime Suite (

CVE-2025-26339

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP...

CVE-2025-26339

CVE-2025-26339 affects Q-Free MaxTime: a missing authentication issue in maxtime/handleRoute.lua for MaxTime versions prior to or equal to 2.11.0. An unauthenticated remote attacker can impact device confidentiality, integrity, and availability via crafted HTTP requests. Remediation per PT-2025-7...

PT-2025-7147 · Q Free · Q-Free Maxtime

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to improper input validation, allowing an authenticated remote attacker to modify system configuration via crafted HTTP requests. This can be achieved by sending...

Q-Free MAXTIME Suite 安全漏洞

Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. A security vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions that stems from a missing authorization in maxprofile/users/routes.lua. An attacker can exploit the vulnerability to...

CVE-2025-24470

An Improper Resolution of Path Equivalence vulnerability CWE-41 in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests...

CVE-2024-27781

An improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all...

CVE-2024-27781

An improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all...

CVE-2024-27780

Multiple Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerabilities CWE-79 in FortiSIEM 7.1 all versions, 7.0 all versions, 6.7 all versions incident page may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests...

CVE-2024-27780

Fortinet FortiSIEM is affected by a cross-site scripting vulnerability (CWE-79) in the incident page due to improper neutralization of input. Affected products: FortiSIEM versions 6.7 through 7.1. An authenticated attacker could trigger the XSS via crafted HTTP requests. There is no public detail...

CVE-2024-40584

An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0...

CVE-2025-24470

An Improper Resolution of Path Equivalence vulnerability CWE-41 in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests...

CVE-2025-24470

An Improper Resolution of Path Equivalence vulnerability CWE-41 in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests...

Azure Linux 3.0 Security Update: python-webob (CVE-2024-42353)

The version of python-webob installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-42353 advisory. - WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header...

CVE-2025-25069

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained...

CVE-2024-43779

An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP...

CVE-2024-9643

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to...

CVE-2024-39272

A cross-site scripting xss vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an arbitrary html code. An attacker can send a series of HTTP requests to trigger this vulnerability...

CVE-2024-43779

An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP...

CVE-2021-40423

A denial of service vulnerability exists in the cgiserver.cgi API command parser functionality of Reolink RLC-410W v3.0.0.13620121102. A specially-crafted series of HTTP requests can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability...