Missing Authorization

Overview @frangoteam/fuxa is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Missing Authorization in the scheduler endpoint. An attacker can gain unauthorized access to create, modify, or delete schedules by sending crafted...

YoSmart YoLink Smart Hub

RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to remotely control other users' smart home devices, intercept sensitive data, and hijack sessions. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation...

TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service

Overview A flaw in the firmware-upload error-handling logic of the TOTOLINK EX200 extender can cause the device to unintentionally start an unauthenticated root-level telnet service. This condition may allow a remote authenticated attacker to gain full system access. Description In the End-of-Lif...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

EUVD-2025-36692

An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users' Dyson IoT devices remotely via MQTT...

CVE-2025-59449

The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacke...

CVE-2025-25523

Buffer overflow vulnerability in Trendnet TEG-40128 Web Smart Switch v11.00.023 due to the lack of length verification, which is related to the mobile access point setup operation. The attacker can directly control the remote target device by successfully exploiting this vulnerability...

CVE-2025-25523

Buffer overflow vulnerability in Trendnet TEG-40128 Web Smart Switch v11.00.023 due to the lack of length verification, which is related to the mobile access point setup operation. The attacker can directly control the remote target device by successfully exploiting this vulnerability...

CVE-2023-4617

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in...

Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access

The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed ScreenConnect, RemoteUtilities, and Syncro, a new analysis from Group-IB h...

CVE-2018-11316

The UPnP HTTP server on Sonos wireless speaker products allow unauthorized access via a DNS rebinding attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

Design/Logic Flaw

The UPnP HTTP server on Sonos wireless speaker products allow unauthorized access via a DNS rebinding attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

CVE-2018-11314

The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

Xxe

The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

CVE-2018-11316

The CVE-2018-11316 entry concerns Sonos wireless speaker devices whose UPnP HTTP server can be abused via a DNS rebinding attack. The affected component is the Sonos UPnP web server; the underlying issue is lack of access restriction allowing unauthorized control and information exfiltration from...

CVE-2018-11316

The UPnP HTTP server on Sonos wireless speaker products allow unauthorized access via a DNS rebinding attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

CVE-2018-11314

The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker...

CVE-2018-11314

CVE-2018-11314 affects Roku and Roku TV External Control API. The vulnerability enables unauthorized remote control via DNS rebinding, potentially exposing privileged device and network information. Documented impact includes remote device control and data exfiltration on affected Roku platforms;...

CVE-2018-11315

The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat theat request that accesses a device purchased in the Spring of 2018, and sets a...