CVE-2026-50085
The Aqara Board service op-test.aqara.com accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS...
EUVD-2026-36474
The Aqara Cloud Production API open-cn.aqara.com/v3.0/open/api would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 9.6 Critical. When combined with...
VulnCheck KEV: CVE-2025-29635
A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/setprohibiting via the corresponding function, triggering remote command execution...
Apple TV < 18.3 Multiple Vulnerabilities (122072)
According to its banner, the version of Apple TV on the remote device is prior to 18.3. It is therefore affected by multiple vulnerabilities as described in the 122072...
Apple TV < 26.3 Multiple Vulnerabilities (126351)
According to its banner, the version of Apple TV on the remote device is prior to 26.3. It is therefore affected by multiple vulnerabilities as described in the 126351...
Missing Authorization
Overview: @frangoteam/fuxa is a web-based Process Visualization SCADA/HMI/Dashboard software. Affected versions of this package are vulnerable to Missing Authorization in the scheduler endpoint. An attacker can gain unauthorized access to create, modify, or delete schedules by sending crafted...
YoSmart YoLink Smart Hub
RISK EVALUATION: Successful exploitation of these vulnerabilities could allow an attacker to remotely control other users' smart home devices, intercept sensitive data, and hijack sessions. 2. RECOMMENDED PRACTICES: CISA recommends users take defensive measures to minimize the risk of exploitation...
CVE-2019-16353
Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device...
TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service
Overview: A flaw in the firmware-upload error-handling logic of the TOTOLINK EX200 extender can cause the device to unintentionally start an unauthenticated root-level telnet service. This condition may allow a remote authenticated attacker to gain full system access. Description: In the End-of-Lif...
CVE-2025-56400
A Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, which affects the Tuya Smart and Smartlife mobile applications as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...
CVE-2025-63225
The Eurolab ELTS100UBX device firmware version ELTS100v1.UBX is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized...
General Industrial Controls Lynx+ Gateway Access Control Error Vulnerability
General Industrial Controls Lynx+ Gateway is an industrial automation gateway from General Industrial Controls India. An access control error vulnerability exists in the General Industrial Controls Lynx+ Gateway, which stems from a lack of critical authentication on the embedded web server, which...
CVE-2025-58083
CVE-2025-58083 affects General Industrial Controls Lynx+ Gateway. The embedded web server lacks critical authentication, enabling remote attackers to reset the device. This is supported by multiple advisories (CISA ICSA-25-317-08, EUVD/EU ENISA, Red Hat/RH CVE pages) describing missing authentica...
CVE-2025-58083 General Industrial Controls Lynx+ Gateway Missing Authentication for Critical Function
General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device...
CVE-2025-47370
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan...
EUVD-2025-36692
An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users' Dyson IoT devices remotely via MQTT...
EUVD-2020-20196
Malware in sbrugna...
EUVD-2019-7126
Malware in sbrugna...