13 matches found

Veracode
added 2026/01/19 9:27 a.m. | 2 views

Cross-site Scripting (XSS)

opencode-ai is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of LLM-generated markdown that allows arbitrary HTML and JavaScript to be injected into the DOM, which allows an attacker to execute malicious scripts in the local web interface origin...

9.4 CVSS | 5.8 AI score | 0.00043 EPSS
Exploits 1 | References 3 | Affected Software 1
NVD
added 2026/01/16 6:16 p.m. | 3 views

CVE-2026-0629

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device,...

8.7 CVSS | 0.00023 EPSS
Exploits 0 | References 4
CVE
added 2026/01/16 5:24 p.m. | 13 views

CVE-2026-0629

CVE-2026-0629 affects TP-Link VIGI cameras (local web interface) where an authentication bypass in the password-recovery flow lets an attacker on the LAN reset the admin password by manipulating client-side state. The vulnerability allows full admin access and device control, per multiple sources...

8.7 CVSS | 6.6 AI score | 0.00023 EPSS
Exploits 0 | References 4
Vulnrichment
added 2026/01/16 5:24 p.m. | 7 views

CVE-2026-0629 Authentication Bypass in Password Recovery Feature via Local Web App on Multiple VIGI Cameras

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device,...

8.7 CVSS | 6.6 AI score | 0.00023 EPSS
Exploits 0 | References 4
Positive Technologies
added 2026/01/16 12:0 a.m. | 2 views

PT-2026-3270

Name of the Vulnerable Software and Affected Versions: TP-Link VIGI Cameras (affected versions not specified). Description: An authentication bypass issue exists in the password recovery feature of the local web interface of TP-Link VIGI cameras. This allows an attacker on the Local Area Network (LAN) t...

8.7 CVSS | 5.5 AI score | 0.00023 EPSS
Exploits 0 | References 25
OSV
added 2025/03/20 8:15 a.m. | 3 views

CVE-2025-1385

When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits...

7.5 CVSS | 6.1 AI score
Exploits 0 | References 1
NVD
added 2024/05/15 4:15 p.m. | 6 views

CVE-2023-5935

When configuring Arc e.g. during the first setup, a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of...

7.4 CVSS | 7.7 AI score | 0.00107 EPSS
Exploits 0 | References 1
CVE
added 2024/05/15 4:2 p.m. | 25 views

CVE-2023-5935

CVE-2023-5935 affects Arc prior to v1.6.0. During initial/configuration time, Arc exposes a local web interface without authentication. A local attacker or malware active at that window can extract sensitive information or alter Arc’s configuration, and may achieve arbitrary code execution via a ...

7.4 CVSS | 7.2 AI score | 0.00107 EPSS
Exploits 0 | References 1
NOZOMI
added 2024/05/15 12:0 a.m. | 2 views

Missing authentication for local web interface in Arc before v1.6.0

Summary: When configuring Arc e.g. during the first setup, a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. Impact: A malicious local user or process,...

7.4 CVSS | 7.4 AI score | 0.00107 EPSS
Exploits 0 | Affected Software 1
Prion
added 2023/01/12 11:15 p.m. | 17 views

Command injection

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection'. An unauthorized user with privileged access to the...

5.8 CVSS | 7.9 AI score | 0.0153 EPSS
Exploits 0 | References 1 | Affected Software 2
Talos
added 2022/10/20 12:0 a.m. | 28 views

Abode Systems, Inc. iota All-In-One Security Kit web interface /action/ipcamSetParamPost double-free vulnerability

Talos Vulnerability Report TALOS-2022-1565: Abode Systems, Inc. iota All-In-One Security Kit web interface /action/ipcamSetParamPost double-free vulnerability. October 20, 2022. CVE Number: CVE-2022-32574. Summary: A double-free vulnerability exists in the web interface /action/ipcamSetParamPost...

7.5 CVSS | 7 AI score | 0.01365 EPSS
Exploits 1
VulnCheck KEV
added 2019/06/06 12:0 a.m. | 0 views

VulnCheck KEV: CVE-2018-6961

VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution...

8.1 CVSS | 7.5 AI score | 0.93883 EPSS
Exploits 6 | References 1
OSV
added 2018/06/11 10:29 p.m. | 1 views

CVE-2018-6961

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future...

8.1 CVSS | 6 AI score | 0.93883 EPSS
Exploits 6 | References 5