16844 matches found
CVE-2026-20113
The CVE affects the web-based Cisco IOx application hosting environment management interface in Cisco IOS XE Software. It arises from insufficient input validation and enables a remote, unauthenticated attacker to perform a CRLF injection, potentially injecting or altering log entries and obscuri...
Cisco Catalyst SD-WAN Manager Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user...
CVE-2026-4760
From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account. Installations based on Panorama Suite 2022-SP1 22.50.005 are vulnerable unless update PS-2210-02-4079 or high...
SUSE CVE-2026-30224
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default 1 year. A...
SUSE CVE-2026-30225
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new...
PT-2026-27793
Name of the Vulnerable Software and Affected Versions Cisco Catalyst SD-WAN Manager affected versions not specified Description A flaw exists in the web-based management interface that may allow a remote attacker with valid credentials to perform a cross-site scripting XSS attack against a user...
IBM InfoSphere Information Server 跨站脚本漏洞
IBM InfoSphere Information Server is a data integration platform developed by the American multinational company International Business Machines IBM. This platform can be used to integrate data from various sources. Versions of IBM InfoSphere Information Server 11.7.1.6 and earlier had a cross-si...
PT-2026-27795
Name of the Vulnerable Software and Affected Versions Cisco IOS XE Software affected versions not specified Description A flaw exists in the web-based management interface of the Cisco IOx application hosting environment. This issue could allow a remote attacker with valid administrative...
PT-2026-27796
Name of the Vulnerable Software and Affected Versions Cisco IOS XE Software affected versions not specified Description A flaw exists in the web-based Cisco IOx application hosting environment management interface that could allow a remote attacker to inject carriage return line feed CRLF...
PT-2026-28077
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...
Cisco Catalyst SD-WAN Manager XSS (cisco-sa-vmanage-xss-ZqkhP9W9)
According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user ...
CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
Linux Distros Unpatched Vulnerability : CVE-2026-30924
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also...
Harbor allows the use of the default password for web UI login
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI...
CVE-2026-4404
CVE-2026-4404 affects Harbor
CVE-2026-4497 Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection
A vulnerability was determined in Totolink WA300 5.2cu.7112B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and...
Yi Technology YI Home Camera 2 访问控制错误漏洞
The Yi Technology YI Home Camera 2 is an intelligent home camera device developed by China's Yi Technology Company. The version 2.1.120171024151200 of the Yi Technology YI Home Camera 2 has a vulnerability related to access control. This vulnerability stems from a lack of authentication in the...
CVE-2026-32721
A flaw was found in LuCI, the OpenWrt Configuration Interface. A remote attacker can exploit a stored Cross-Site Scripting XSS vulnerability in the wireless scan modal by crafting a malicious Wi-Fi network name SSID. When a user opens the wireless scan modal, the unsanitized SSID is rendered as r...
CVE-2026-30924
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a...
CVE-2026-30924 qui CORS Misconfiguration: Arbitrary Origins Trusted
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a...