Lucene search

13 matches found

EUVD
added 2026/04/23 9:31 p.m., 3 views

EUVD-2026-25314

radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr. Attackers can inject shell metacharacters throu...

9.8 CVSS, 6.8 AI score, 0.00208 EPSS
Exploits: 1, References: 4
Vulnrichment
added 2026/04/23 8:58 p.m., 2 views

CVE-2026-6942 radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass

radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr. Attackers can inject shell metacharacters throu...

9.8 CVSS, 6.8 AI score, 0.00208 EPSS
Exploits: 1, References: 3
OSV
added 2026/03/04 4:16 p.m., 3 views

CVE-2025-59784

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges...

7.2 CVSS, 5.7 AI score
Exploits: 0, References: 1
NVD
added 2025/12/15 9:15 p.m., 1 view

CVE-2023-53880

Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScri...

4.8 CVSS, 0.00051 EPSS
Exploits: 0, References: 3
CNNVD
added 2025/12/15 12:0 a.m., 2 views

Lucee Cross-Site Scripting Vulnerability

Lucee is a high performance open source CFML server written in Java by Lucee Open Source. A cross-site scripting vulnerability exists in Lucee version 5.4.2.17, which stems from the presence of reflective cross-site scripting in the management interface parameters, which could lead to the injecti...

4.8 CVSS, 6.3 AI score, 0.00051 EPSS
Exploits: 0, References: 4
NVD
added 2025/11/13 5:15 p.m., 4 views

CVE-2025-60690

A stack-based buffer overflow exists in the getmergeipaddr function of the httpd binary on Linksys E1200 v2 routers Firmware E1200v2.0.11.001us.tar.gz. The function concatenates up to four user-supplied CGI parameters matching 03 into a fixed-size buffer a2 without bounds checking. Remote attacke...

8.8 CVSS, 0.05608 EPSS
Exploits: 3, References: 4
Akamai Blog
added 2024/10/31 1:0 p.m., 2 views

In the Dark about Shadow APIs?

I’m often asked about shadow APIs and shadow API parameters—even by people with a lot of experience in the API development space...

6.9 AI score
Exploits: 0
OSV
added 2024/05/27 4:15 a.m., 1 view

CVE-2024-5399

Openfind Mail2000 does not properly filter parameters of specific API. Remote attackers with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the remote server...

7.2 CVSS, 6.1 AI score
Exploits: 0, References: 1
CNNVD
added 2022/07/20 12:0 a.m., 1 view

H3C Magic R200 Buffer Error Vulnerability

H3C Magic R200 is a wireless router device. H3C Magic R200 doping.asp has a buffer overflow vulnerability in the handling of INTF parameters, which can be exploited by remote attackers to submit special requests that can crash the service program or execute arbitrary code in the application conte...

9.8 CVSS, 6.8 AI score, 0.00221 EPSS
Exploits: 1, References: 2
CNVD
added 2020/06/02 12:0 a.m., 5 views

ZTE F680 Input Validation Error Vulnerability

ZTE F680 is an external antenna dual-band GPON home gateway device from ZTE Corporation ZTE, China. A security vulnerability exists in the ZTE F680 version V9.0.10P1N6, which originates from incorrect access control. An attacker can exploit the vulnerability to tamper with program interface...

6.5 CVSS, 7 AI score, 0.0006 EPSS
Exploits: 0, References: 1
seebug.org
added 2016/11/07 12:0 a.m., 16 views

Sophos Web Appliance v4.2.1.3 remote code execution vulnerability

Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as: POST /index.php?c=logs HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.10; rv:46.0 Gecko/20100101 Firefox/46.0 Accept: text/javascript, text/html,...

7.1 AI score
Exploits: 0
CNVD
added 2015/04/14 12:0 a.m., 2 views

KTorrent PHP Code Injection Vulnerability

KTorrent is a BT client for KDE with an integrated BT seed search function. KTorrent has a PHP code injection vulnerability that allows remote attackers to execute arbitrary PHP code through this interface only beautiful parameters of the PHP script...

6.8 CVSS, 8.2 AI score, 0.01171 EPSS
Exploits: 0, References: 1
Prion
added 2009/10/16 4:30 p.m., 8 views

SQL injection

SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters...

7.5 CVSS, 8.9 AI score, 0.02584 EPSS
Exploits: 1, References: 19, Affected Software: 1