GHSA-492V-C6PP-MQQV Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Impact Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected conte...

CVE-2022-50943

A flaw was found in Moodle LMS. An unauthenticated attacker can exploit a cross-site scripting XSS vulnerability by submitting malicious payloads through the search parameter. This allows the attacker to inject JavaScript code, leading to the execution of arbitrary scripts in users' browsers and...

CVE-2026-8265

A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function getlogfile of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit...

EUVD-2026-29015

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been...

CVE-2025-65134

In manikandan580 School-management-system 1.0, a reflected cross-site scripting XSS vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter...

CVE-2026-8259

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been...

CVE-2026-8259 Tenda AC6 httpd telnet os command injection

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been...

CVE-2026-8259

CVE-2026-8259 affects Tenda AC6 firmware version 2.0/15.03.06.23, where an unknown function in the HTTPD component’s /goform/telnet endpoint mishandles the lan.ip parameter, leading to an OS command injection. This allows remote exploitation with high impact on confidentiality, integrity, and ava...

CVE-2026-36962

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the...

jotty·page 路径遍历漏洞

Jotty·Page is a self-hosted inventory and note management application developed by fccview. Versions of Jotty·Page prior to 1.22.0 contained a path traversal vulnerability. This vulnerability stems from unauthorized path traversal in the /api/appIcons/filename route, which could lead to file...

MuuCmf 安全漏洞

MuuCmf is an open-source application development framework created by Dameng100. Version MuuCMF T6 1.9.4.20260115 contains a security vulnerability. This vulnerability stems from the keyword parameter in the /index/controller/Search.php endpoint, which exposes a SQL injection vulnerability. It...

exiftool-vendored 参数注入漏洞

exiftool-vendored is a cross-platform image metadata reading and writing tool developed by PhotoStructure. Versions of exiftool-vendored prior to 35.19.0 had a parameter injection vulnerability. This vulnerability occurred when ExifTool was executed in the “-stayopen True -” mode, where strings...

@workos/authkit-session 输入验证错误漏洞

@workos/authkit-session is an open-source session authentication and token management tool developed by WorkOS. Versions of @workos/authkit-session prior to 0.5.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from insufficient validation of the...

Tenda AC6 命令注入漏洞

Tenda AC6 is a wireless router produced by the Chinese company Tenda. The version Tenda AC6 2.0/15.03.06.23 contains a command injection vulnerability. This vulnerability stems from an unknown function in the httpd component’s file/goform/telnet, which manipulates the parameter lan.ip, potentiall...

PT-2026-39736

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting XSS vulnerability exists in lista arquivos etapa.php due to improper handling of user-supplied input. The id processo parameter is directly embedded into the HTML without sanitization,...

D-Link DCS-935L 缓冲区错误漏洞

The D-Link DCS-935L is a router produced by D-Link Corporation. Versions of the D-Link DCS-935L prior to 1.10.01 contain a buffer error vulnerability. This vulnerability stems from the operation of the AdminPassword parameter in the SetDeviceSettings function within the HNAP Service component,...

PT-2026-39552

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been...

📄 Car Rental Script 4.0 Cross Site Scripting

Car Rental Script version 4.0 suffers from a cross site scripting vulnerability. Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting reflected Author: nu11secur1ty Date: 05/08/2026 Vendor: https://www.phpjabbers.com/ Software: https://www.phpjabbers.com/car-rental-script/ Reference:...

genie 安全漏洞

Genie is a CLI tool developed by Automagik that automatically converts sentence-based requests into complete pull requests. Version 2.5.27 of Genie has a security vulnerability. This vulnerability stems from command injection in the viewtask parameter of the readTranscriptFromCommit function, whi...

jq 安全漏洞

jq is a lightweight and flexible command-line JSON processor developed by jqlang. Jq versions 1.8.1 and earlier have security vulnerabilities. These vulnerabilities arise from the top-level jq program loaded via the -f parameter being truncated at the first NUL byte. This can result in the...