324 matches found
D-Link DIR-803 - Authentication Bypass
An authentication bypass vulnerability exists in D-Link DIR-803 routers firmware A1 1.04 and earlier. By manipulating the AUTHORIZEDGROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication. id:...
PYSEC-2026-500 pymetasploit3 vulnerable to command injection in console.run_module_with_output()
Command injection vulnerability in console.runmodulewithoutput in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended...
Astra Linux – Vulnerability in Python 3.11
The imaplib module, when a user-controlled command is passed to it, can have additional commands injected using newlines. Mitigation rejects commands that contain control characters...
Astra Linux – Vulnerability in Python 3.11
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL’s media type...
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
Summary If aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code...
EUVD-2026-36640
A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A...
CVE-2026-46739
A flaw was found in perl-Net-Statsd. This vulnerability allows an attacker to inject additional statsd metrics due to insufficient validation of metric names and values. Specifically, the software does not properly check for newlines, colons, or pipes in metric names, nor does it ensure that valu...
CVE-2026-41234
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
CVE-2026-40281
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...
CVE-2026-35517
FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the upstream DNS servers configuration parameter dns.upstreams. This vulnerability allows a...
CVE-2026-41234
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
EUVD-2026-34313
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
CVE-2026-41234 Froxlor: BIND Zone File Injection via TXT Record Content
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
CVE-2026-41234 Froxlor: BIND Zone File Injection via TXT Record Content
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
CVE-2026-41234
Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...
CVE-2026-41234
CVE-2026-41234 affects Froxlor prior to 2.3.7, where the DomainZones.add API does not sanitize newline characters in TXT records. An authenticated user with DNS editing enabled can inject newlines into TXT content, causing the TXT value to break out of the line in the generated BIND zone file. Th...
PT-2026-46116
Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 2.3.7 Description The 'DomainZones.add' API endpoint fails to sanitize newline characters within TXT record content. An authenticated customer with DNS editing permissions can inject newlines into TXT record values,...
Exploit for OS Command Injection in Thecodingmachine Gotenberg
POCCVE-2026-42589 Local reproduction lab and nuclei template...
UBUNTU-CVE-2026-45372
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check isfieldvalue is run before decoding, so encode...
python3.14 security update
An update is available for python3.14. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming...