CVE-2026-21837

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover...

SEH utnserver Pro/ProMAX/INU-100 20.1.22 - Cross-Site Scripting

A vulnerability was found in utnserver Pro, utnserver ProMAX, and INU-100 version 20.1.22 and earlier, affecting the device description parameter in the web interface. This flaw allows stored cross-site scripting XSS, enabling attackers to inject JavaScript code. The attack can be executed remote...

Fortinet FortiOS - Open Redirect/Cross-Site Scripting

FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login." id: CVE-2016-3978 info: name: Fortin...

Kramer VIAware - Privilege Escalation and Remote Code Execution

Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through...

D-Link Routers - Local File Inclusion

D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /...

FOGProject <= 1.5.10.1673 - Authentication Bypass

FOGProject version 1.5.10.1673 suffers from an authentication bypass vulnerability that allows unauthenticated users to access the management interface without proper authentication. This can lead to unauthorized access to system configuration, host management, and potentially database informatio...

OfficeWeb365 Indexs Interface - Arbitrary File Read

There is any file reading in the officeWeb365 Indexs interface. id: CVE-2024-37728 info: name: OfficeWeb365 Indexs Interface - Arbitrary File Read author: DhiyaneshDK severity: high description: | There is any file reading in the officeWeb365 Indexs interface. impact: | Unauthenticated attackers...

TP-Link Archer A20 v3 Router - Cross-site Scripting

The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting XSS due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL...

Ganglia Web Interface (v3.7.3 - v3.7.6) - Cross-Site Scripting

A cross-site scripting XSS vulnerability in the component /master/header.php of Ganglia-web v3.73 to v3.76 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "tz" parameter. id: CVE-2024-52762 info: name: Ganglia Web Interface v3.7.3 - v3.7.6 -...

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting

PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...

Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among...

Tattile Camera < 1.181.5 - Default Login

Tattile Smart+, Vega, and Basic device families firmware = 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges. id: CVE-2026-26341 info: name: Tattile Camera 1.181.5 -...

Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials

Sitecore Experience Manager XM and Experience Platform XP versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access...

Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload

Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by...

OpenVPN Access Server 2.1.4 - CRLF Injection

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATHINFO to sessionstart/. id:...

ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API

changedetection.io = 0.50.34 contains a stored cross site scripting caused by insufficient security checks in the Watch update API, letting attackers execute arbitrary JavaScript when users preview malicious links, exploit requires user interaction id: CVE-2025-62780 info: name: ChangeDetection.i...

Ganglia Web Interface (v3.7.3 - v3.7.5) - Cross-Site Scripting

A cross-site scripting XSS vulnerability in the component /graphallperiods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter. id: CVE-2024-52763 info: name: Ganglia Web Interface v3.7.3 - v3.7.5 -...

Progress Kemp LoadMaster - Command Injection

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. id: CVE-2024-1212 info: name: Progress Kemp LoadMaster - Command Injection author: DhiyaneshDK severity: critical description: | Unauthenticated remote...

FatPipe WARP/IPVPN/MPVPN - Authorization Bypass

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain a missing authorization caused by lack of access control in the web management interface, letting remote attackers access sensitive URLs, exploit requires no authentication. id: CVE-2021-27858 info: name:...