25 matches found

NVD
added 2026/04/22 9:16 a.m., 1 view

CVE-2026-2719

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 4.4, EPSS 0.00011
Exploits 0, References 3

Patchstack
added 2026/03/23 7:11 p.m., 4 views

WordPress Weaver Show Posts plugin <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting vulnerability discovered by Muqsith Barru - TCC in WordPress Plugin Weaver Show Posts versions <= 1.8.1...

CVSS 4.4, AI score 5.8, EPSS 0.0005
Exploits 0, References 1, Affected Software 1

ATTACKERKB
added 2026/03/12 1:02 a.m., 1 view

CVE-2026-3971

A vulnerability has been found in Tenda i3 1.0.0.62204. Affected by this vulnerability is the function formwrlSSIDset of the file /goform/wifiSSIDset. The manipulation of the argument index/GO leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has bee...

CVSS 9, AI score 6.2, EPSS 0.00112
Exploits 1, References 7, Affected Software 1

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2018-18170

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.011
Exploits 0, References 2

OSV
added 2025/10/05 6:15 p.m., 2 views

CVE-2025-11297

A vulnerability was found in Belkin F9K1015 1.00.10. This issue affects some unknown processing of the file /goform/formSetLanguage. Performing a manipulation of the argument webpage results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public an...

CVSS 8.7, AI score 6.2
Exploits 0, References 5

Zero Day Initiative
added 2025/07/31 12:00 a.m., 16 views

(Pwn2Own) QNAP QHora-322 access_setting HTTP Request Smuggling Vulnerability

This vulnerability allows network-adjacent attackers to smuggle arbitrary HTTP requests on affected installations of QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within th...

CVSS 6.3, AI score 7.4
Exploits 0, References 1

NVD
added 2025/07/23 5:15 a.m., 3 views

CVE-2024-53287

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in VPN Setting functionality in Synology Router Manager SRM before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified...

CVSS 5.9, EPSS 0.00304
Exploits 0, References 1

RedhatCVE
added 2025/05/23 10:03 a.m., 6 views

CVE-2024-28551

Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the ssid parameter of form_fast_setting_wifi_set function...

CVSS 7.5, AI score 7.4, EPSS 0.0016
Exploits 1, References 1

RedhatCVE
added 2025/05/22 10:35 p.m., 5 views

CVE-2022-26998

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wpsenroleepin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...

CVSS 10, AI score 8.6, EPSS 0.12616
Exploits 1, References 1

RedhatCVE
added 2025/05/22 10:15 p.m., 8 views

CVE-2022-1896

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

CVSS 4.8, AI score 6, EPSS 0.00206
Exploits 2, References 1

RedhatCVE
added 2025/05/15 7:18 a.m., 15 views

CVE-2025-4474

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fedadminsettingformfunction function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the...

CVSS 8.8, AI score 6.6, EPSS 0.00332
Exploits 0, References 1

CNNVD
added 2025/03/25 12:00 a.m., 3 views

WordPress plugin Slider by 10Web security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 6.1, AI score 8.3, EPSS 0.00103
Exploits 1, References 3

OSV
added 2025/03/20 9:15 p.m., 2 views

CVE-2025-25758

An issue in KukuFM Android v1.12.7 11207 allows attackers to access sensitive cleartext data via the android:allowBackup="true" in the AndroidManifest.xml...

CVSS 7.5, AI score 7.1, EPSS 0.00129
Exploits 1, References 1

BDU FSTEC
added 2025/03/20 12:00 a.m., 2 views

The vulnerability of the qmc_hdlc_framer_set_carrier() function in the drivers/net/wan/fsl_qmc_hdlc.c module of the Linux kernel allows a hacker to cause a service failure.

The vulnerability of the qmc_hdlc_framer_set_carrier() function in the drivers/net/wan/fsl_qmc_hdlc.c module of the Linux kernel leads to mutual locking issues. Exploiting this vulnerability could allow an attacker to cause a service failure...

CVSS 7.5, EPSS 0.00037
Exploits 0, References 6, Affected Software 1

Vulnrichment
added 2025/03/11 1:40 p.m., 3 views

CVE-2025-22367 Mennekes smart/premium charges systems, Command injection in time setting

The authenticated time setting capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS...

CVSS 8.7, AI score 6.7, EPSS 0.00362
Exploits 0, References 3

CNNVD
added 2023/04/16 12:00 a.m., 1 view

XWiki Commons security vulnerability

XWiki Commons is a technology library shared by several other top XWiki projects. A security vulnerability exists in XWiki Commons, which stems from the Document script API directly returning a DocumentAuthors allowing any author of a document to be set...

CVSS 9.1, AI score 6.9, EPSS 0.09937
Exploits 0, References 4

OSV
added 2023/03/23 3:15 p.m., 1 view

CVE-2023-27135

TOTOlink A7100RU V7.4cu.2313B20191024 was discovered to contain a command injection vulnerability via the enabled parameter at /setting/setWanIeCfg...

CVSS 9.8, AI score 7.3
Exploits 0, References 1

BDU FSTEC
added 2022/11/21 12:00 a.m., 0 views

The vulnerability of the SetIPv4FirewallSettings() function in the web interface for managing D-Link DIR-1935 router microprogramming software allows a hacker to execute arbitrary code.

The vulnerability of the SetIPv4FirewallSettings function in the web interface for managing D-Link DIR-1935 router microprogramming software is related to the failure of the system to properly validate the input data entered by the user when processing the IPv4FirewallRule element. Exploiting thi...

CVSS 7.7, EPSS 0.0126
Exploits 0, References 5, Affected Software 1

Microsoft CVE
added 2022/07/29 7:00 a.m., 2 views

When setting font with malicious data by ioctl cmd PIO_FONT, kernel will write memory out of bounds.

...

CVSS 6.8, AI score 7.1, EPSS 0.0003
Exploits 0

OSV
added 2022/03/15 10:15 p.m., 1 view

CVE-2022-26998

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wpsenroleepin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...

CVSS 9.8, AI score 7.5, EPSS 0.12616
Exploits 1, References 1