
16791 matches found

Positive Technologies
added 2026/04/01 12:00 a.m., 2 views

PT-2026-29642

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.5, AI score 5.6, EPSS 0.00193
Exploits: 0, References: 3
CNNVD
added 2026/04/01 12:00 a.m., 2 views

Cisco Integrated Management Controller cross-site scripting vulnerability

The Cisco Integrated Management Controller IMC is a set of software developed by Cisco, Inc., used for managing UCS Unified Computing System environments. This software supports HTTP and SSH access, and allows operations such as powering on, powering off, and restarting servers. The Cisco IMC has...

CVSS 4.8, AI score 5.7, EPSS 0.0017
Exploits: 0, References: 1
CNNVD
added 2026/04/01 12:00 a.m., 3 views

Cisco Integrated Management Controller (IMC) cross-site scripting vulnerability

The Cisco Integrated Management Controller IMC is a set of software developed by Cisco, Inc., used for managing UCS Unified Computing System environments. This software supports HTTP and SSH access, and allows operations such as powering on, powering off, and restarting servers. The Cisco IMC has...

CVSS 4.8, AI score 5.7, EPSS 0.00223
Exploits: 0, References: 1
Positive Technologies
added 2026/04/01 12:00 a.m., 3 views

PT-2026-29555

Name of the Vulnerable Software and Affected Versions: Cisco IMC (affected versions not specified). Description: A flaw exists in the web-based management interface of Cisco IMC that may allow a remote attacker with administrative privileges to perform a stored Cross-Site Scripting (XSS) attack against ...

CVSS 4.8, AI score 6.2, EPSS 0.00237
Exploits: 0, References: 4
Positive Technologies
added 2026/04/01 12:00 a.m., 4 views

PT-2026-29560

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to execute arbitrary code as the root user. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. A...

CVSS 6.5, AI score 6.2, EPSS 0.00549
Exploits: 0, References: 4
Positive Technologies
added 2026/04/01 12:00 a.m., 7 views

PT-2026-29561

A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this...

CVSS 7.3, AI score 6, EPSS 0.00264
Exploits: 0, References: 2
OSV
added 2026/03/31 11:07 p.m., 3 views

GHSA-XMPV-J7P2-J873 Nautobot: Management of users via REST API does not apply configured password validators

Impact: In Nautobot versions prior to 2.4.30 or prior to 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting, which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's...

CVSS 2.7, AI score 5.8, EPSS 0.00245
Exploits: 0, References: 7
ATTACKERKB
added 2026/03/31 9:15 p.m., 2 views

CVE-2026-5214

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function...

CVSS 9, AI score 6.2, EPSS 0.00715
Exploits: 1, References: 5, Affected Software: 20
ATTACKERKB
added 2026/03/31 7:27 p.m., 3 views

CVE-2026-34203

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting, which defaults to an empty list, i.e., no specific...

CVSS 2.7, AI score 5.8, EPSS 0.00245
Exploits: 0, References: 6, Affected Software: 1
EUVD
added 2026/03/31 12:31 p.m., 2 views

EUVD-2025-209145

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system...

CVSS 8.3, AI score 6.2, EPSS 0.00976
Exploits: 0, References: 2
NVD
added 2026/03/31 12:16 p.m., 4 views

CVE-2025-14213

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system...

CVSS 8.3, EPSS 0.00976
Exploits: 0, References: 1
NVD
added 2026/03/31 3:15 a.m., 1 view

CVE-2026-5177

A weakness has been identified in Totolink A3300R 17.0.0cu.557b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit...

CVSS 8.8, EPSS 0.02404
Exploits: 1, References: 5
CVE
added 2026/03/31 1:24 a.m., 46 views

CVE-2026-4020

Gravity SMTP for WordPress versions up to 2.1.4 exposes a REST endpoint at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback always returns true, allowing unauthenticated access. When the ?page=gravitysmtp-settings parameter is used, register_connector_data() populates internal da...

CVSS 7.5, AI score 5.9, EPSS 0.0298
In the wild; Exploits: 0, References: 7
Vulnrichment
added 2026/03/31 1:15 a.m., 1 view

CVE-2026-5176 Totolink A3300R cstecgi.cgi setSyslogCfg command injection

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been release...

CVSS 7.5, AI score 5.7, EPSS 0.01932
Exploits: 1, References: 5
Positive Technologies
added 2026/03/31 12:00 a.m., 2 views

PT-2026-29240

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system...

CVSS 8.3, AI score 6.2, EPSS 0.00976
Exploits: 0, References: 2
CNNVD
added 2026/03/31 12:00 a.m., 5 views

Cato Networks Socket security vulnerability

Cato Networks Socket is an edge access device from the Israeli company Cato Networks, designed to provide secure network connections and traffic optimization capabilities. Versions of Cato Networks Socket prior to 25 contain security vulnerabilities; these vulnerabilities stem from command...

CVSS 8.3, AI score 6.1, EPSS 0.00976
Exploits: 0, References: 1
NVD
added 2026/03/30 8:16 p.m., 6 views

CVE-2026-33026

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4...

CVSS 9.4, EPSS 0.00328
Exploits: 1, References: 2
OSV
added 2026/03/30 6:03 p.m., 6 views

GHSA-Q6JJ-R49P-94FH AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification

Summary: The getapivideofile and getapivideo API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTu...

CVSS 5.3, AI score 6, EPSS 0.00376
Exploits: 1, References: 4
Cvelist
added 2026/03/30 5:59 p.m., 21 views

CVE-2026-33028 Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

CVSS 7.1, EPSS 0.00534
Exploits: 1, References: 2
Cvelist
added 2026/03/30 5:59 p.m., 21 views

CVE-2026-33029 Nginx UI: DoS via Negative Integer Input in Logrotate Interval

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enter...

CVSS 6.9, EPSS 0.00948
Exploits: 1, References: 2