CVE-2025-65128

CVE-2025-65128 affects Shenzhen Zhibotong Electronics ZBT WE2001 (version 23.09.27). The web management API lacks authentication, allowing unauthenticated attackers on the local network to modify router and network configurations by calling operations ending with *_nocommit and providing the expe...

CVE-2025-65127

A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. By invoking "get" operations, attackers can obtain device...

CVE-2026-2146

A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible t...

CVE-2026-25632 EPyT-Flow has unsafe JSON deserialization (__type__)

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field...

CVE-2025-13192

The CVE-2025-13192 entry describes a generic SQL Injection in the WordPress plugin “Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers” for versions up to 2.2.0. Root cause: insufficient escaping and inadequate query preparation on user-supplied par...

CVE-2026-1457

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

Exploit for CVE-2026-1457

CVE-2026-1457: TP-Link VIGI C385 Authenticated Remote Code Exe...

CVE-2026-1457

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

CVE-2026-1457

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

CVE-2026-1457 Authenticated RCE Vulnerability Due to Buffer Overflow on TP-Link VIGI C385

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

EUVD-2026-4967

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

CVE-2026-1457 Authenticated RCE Vulnerability Due to Buffer Overflow on TP-Link VIGI C385

An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges...

CVE-2026-1457

CVE-2026-1457 is an authenticated buffer-overflow vulnerability in the TP-Link VIGI C385 V1 Web API (input sanitization flaw) that can cause memory corruption and allow remote code execution with elevated privileges. Affected product: TP-Link VIGI C385 V1. Impact: authenticated attackers may exec...

TP-Link VIGI C385 security vulnerabilities

The TP-Link VIGI C385 is a surveillance camera produced by the TP-Link company. The TP-Link VIGI C385 V1 version has a security vulnerability. This vulnerability stems from buffer handling defects in the Web API, along with insufficient input cleaning, which may lead to memory corruption and remo...

CVE-2016-15057

UNSUPPORTED WHEN ASSIGNED Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installations REST API can use this to invoke arbitrary commands on the...

CVE-2016-15057

UNSUPPORTED WHEN ASSIGNED Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installations REST API can use this to invoke arbitrary commands on the...

WordPress LearnPress - WordPress LMS Plugin plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API vulnerability

WordPress LearnPress - WordPress LMS Plugin plugin = 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API vulnerability discovered by andrea bocchetti in WordPress Plugin LearnPress versions = 4.3.2.4...

Synology DiskStation Manager Improper Control of Dynamically-Managed Code Resources (CVE-2024-5401)

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager DSM before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller DSMUC before 3.1.4-23079 allows remote authenticated users to obtain privileges witho...

Synology DiskStation Manager Cross-Site Request Forgery (CVE-2024-45538)

Cross-Site Request Forgery CSRF vulnerability in WebAPI Framework in Synology DiskStation Manager DSM before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller DSMUC before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. This plugin only works wit...

Missing Authentication for Critical Function

Overview @mcpjam/inspector is a MCPJam Inspector Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the connect route in the HTTP API. An attacker can execute arbitrary commands on the host system by sending a crafted HTTP request containing...