
16792 matches found

CNNVD
added 2026/03/19 12:0 a.m. | 3 views

qui security vulnerability

qui is a lightweight multi-instance web management interface developed by autobrr. Versions of qui prior to 1.14.1 have security vulnerabilities, which stem from overly permissive CORS policies. These vulnerabilities could lead to cross-domain request forgery and information leakage...

CVSS 9.6 | AI score 6.4 | EPSS 0.00257
Exploits 0 | References 2

VulnCheck KEV
added 2026/03/19 12:0 a.m. | 77 views

VulnCheck KEV: CVE-2026-27944

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to...

CVSS 9.8 | AI score 5.8 | EPSS 0.22162
In wild | Exploits 12 | References 38

CISA KEV Catalog
added 2026/03/19 12:0 a.m. | 11 views

Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability

Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root...

CVSS 10 | AI score 6.5 | EPSS 0.27551
In wild | Exploits 4

EUVD
added 2026/03/18 6:31 p.m. | 2 views

EUVD-2026-12870

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter o...

AI score 5.8 | EPSS 0.0023
Exploits 0 | References 4

OSV
added 2026/03/18 5:47 p.m. | 4 views

CVE-2026-32632 Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent...

CVSS 5.9 | AI score 6 | EPSS 0.0016
Exploits 1 | References 5

NVD
added 2026/03/18 5:16 p.m. | 4 views

CVE-2026-30695

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter o...

CVSS 6.1 | EPSS 0.0023
Exploits 0 | References 3

Cvelist
added 2026/03/18 5:18 a.m. | 26 views

CVE-2026-32596 Glances exposes the REST API without authentication

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...

CVSS 8.7 | EPSS 0.0155
Exploits 1 | References 3

CVE
added 2026/03/18 5:18 a.m. | 19 views

CVE-2026-32596

CVE-2026-32596 describes an information-disclosure in Glances prior to 4.5.2, where starting the web server with the default command (glances -w) runs without authentication and exposes a REST API over the network. This allows remote attackers to access sensitive system information, including ful...

CVSS 8.7 | AI score 5.8 | EPSS 0.0155
Exploits 1 | References 3 | Affected Software 1

Vulnrichment
added 2026/03/18 5:18 a.m. | 2 views

CVE-2026-32596 Glances exposes the REST API without authentication

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...

CVSS 8.7 | AI score 5.8 | EPSS 0.0155
Exploits 1 | References 3

EUVD
added 2026/03/18 12:30 a.m. | 3 views

EUVD-2026-12685

A vulnerability was identified in TRENDnet TEW-824DRU 1.010B01/1.04B01. The impacted element is the function sub420A78 of the file applysec.cgi of the component Web Interface. Such manipulation of the argument Language leads to cross site scripting. It is possible to launch the attack remotely. T...

CVSS 5.1 | AI score 4.1 | EPSS 0.00191
Exploits 0 | References 5

NVD
added 2026/03/18 12:16 a.m. | 3 views

CVE-2026-4354

A vulnerability was identified in TRENDnet TEW-824DRU 1.010B01/1.04B01. The impacted element is the function sub420A78 of the file applysec.cgi of the component Web Interface. Such manipulation of the argument Language leads to cross site scripting. It is possible to launch the attack remotely. T...

CVSS 5.1 | EPSS 0.00191
Exploits 0 | References 4

Cvelist
added 2026/03/18 12:0 a.m. | 18 views

CVE-2026-30703

A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02. The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality...

EPSS 0.01046
Exploits 0 | References 2

ATTACKERKB
added 2026/03/18 12:0 a.m. | 2 views

CVE-2026-30702

The WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoint...

AI score 5.8 | EPSS 0.00369
Exploits 0 | References 3

UbuntuCve
added 2026/03/18 12:0 a.m. | 1 view

CVE-2026-27895

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type including .php files can be uploaded. With...

CVSS 8.8 | AI score 6.4 | EPSS 0.00419
Exploits 0 | References 3

Vulnrichment
added 2026/03/18 12:0 a.m. | 2 views

CVE-2026-30695

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter o...

AI score 5.8 | EPSS 0.0023
Exploits 0 | References 3

Positive Technologies
added 2026/03/18 12:0 a.m. | 3 views

PT-2026-26109

A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02. The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality...

AI score 5.8 | EPSS 0.01046
Exploits 0 | References 4

CNNVD
added 2026/03/18 12:0 a.m. | 3 views

Zucchetti Axess security vulnerability

Zucchetti Axess is a series of personnel access management systems developed by the Italian company Zucchetti. There is a security vulnerability in Zucchetti Axess, which stems from improper handling of user input for the dirBrowse parameter in the web configuration interface for the...

CVSS 6.1 | AI score 5.6 | EPSS 0.0023
Exploits 0 | References 3

CNNVD
added 2026/03/18 12:0 a.m. | 3 views

Yuner Yipu WiFi Extender WDR201A security vulnerability

Yuner Yipu WiFi Extender WDR201A is a WiFi signal amplifier produced by the Chinese company Yuner Yipu. There is a security vulnerability present in the Yuner Yipu WiFi Extender WDR201A. This vulnerability stems from the improper handling of user input related to command parameters in the sysCMD...

CVSS 9.8 | AI score 5.8 | EPSS 0.01046
Exploits 0 | References 2

Positive Technologies
added 2026/03/18 12:0 a.m. | 4 views

PT-2026-26088

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter o...

CVSS 6.1 | AI score 5.8 | EPSS 0.0023
Exploits 0 | References 5

Positive Technologies
added 2026/03/18 12:0 a.m. | 4 views

PT-2026-26107

The web interface of the WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 contains hardcoded credential disclosure mechanisms in the form of Server Side Include within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives...

AI score 5.9 | EPSS 0.00382
Exploits 0 | References 4