St. Joe ERP system - SQL Injection

A SQL injection vulnerability exists in the St. Joe ERP system "圣乔ERP系统" that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into...

CVE-2026-36611

CVE-2026-36611 affects Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909. When the device processes UPnP POST requests on port 1900 without a SOAPAction header, it returns 128 bytes of uninitialized memory, exposing internal data to unauthenticated adjacent-network attackers. The NVD/NVD-d...

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

CVE-2026-44579

A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open,...

CVE-2026-35716

A stack-based buffer overflow in the motionprivacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or...

Sequence of Processor Instructions Leads to Unexpected Behavior

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Sequence of Processor Instructions Leads to Unexpected Behavior through the fielddelete process. An attacker can permanently remove...

EUVD-2026-33309

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and...

PT-2026-44797

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client id and client secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to...

Suprema BioStar 安全漏洞

Suprema BioStar is a web-based, open-integrated security platform developed by the South Korean company Suprema. It offers comprehensive features for access control, attendance management, visitor management, and video log maintenance. Versions 2.9.8, 2.9.10, and 2.9.11 of Suprema BioStar contain...

CVE-2026-8980 Privilege Escalation

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...

PT-2026-44378

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.2 contained security vulnerabilities. These vulnerabilities stemmed from SMF failing to include the necessary inbound OAuth2 middleware when mounting UPI management routing groups. Th...

CVE-2018-25381

Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filtertypeid, filterpidid, and filtersearch parameters in POST reques...

CVE-2018-25381

Joomla Responsive Portfolio 1.6.1 is affected by an SQL injection via POST parameters filter_type_id, filter_pid_id, and filter_search. The vulnerability allows authenticated attackers to execute arbitrary SQL commands and potentially extract credentials and server details. Reported CVSS v4.0/bas...

CVE-2018-25380 Joomla Component eXtroForms 2.1.5 SQL Injection via filter parameters

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filtertypeid, filterpidid, and filtersearch parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL...

CVE-2018-25351

Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads ...

UserSpice 安全漏洞

UserSpice is an open-source PHP framework for user management and identity authentication. Version 4.3.24 of UserSpice contains a security vulnerability that stems from username enumeration. This vulnerability could allow unauthenticated attackers to discover valid usernames by sending POST...

MAL-2026-4627 Malicious code in onboardconnect-agent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5 The package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env,...

MAL-2026-4387 Malicious code in @euqns/nudge-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b The package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at...