CVE-2019-25447 OrientDB 3.0.17 Cross-Site Request Forgery
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes,...
CVE-2019-25447
CVE-2019-25447 concerns OrientDB 3.0.17 GA Community Edition. The connected sources describe cross-site request forgery vulnerabilities that allow an attacker to perform unauthorized actions by crafting requests to endpoints such as /database/, /command/, and /document/. Attackers can create or d...
CVE-2026-23612
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBIPs parameter to...
CVE-2026-26049 Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials
The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form...
CVE-2026-26049
CVE-2026-26049 affects the Jinan USR IOT USR-W610 embedded web interface. The vulnerability is that the web UI renders the administrator password in a plaintext input field, making the current password directly visible to anyone with UI access and enabling credential exposure via shoulder surfing...
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455
CVE-2026-24455 affects the embedded web interface of the Jinan USR IOT USR-W610. The interface does not support HTTPS/TLS and relies on HTTP Basic Authentication, meaning credentials are encoded but not encrypted and can be captured by anyone on the same network. Impact described in sources inclu...
CVE-2026-25715
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all...
CVE-2026-25715
CVE-2026-25715 affects the embedded web management interface of the Jinan USR IOT USR-W610. The vulnerability allows an administrator username/password to be set to blank values, enabling authentication with empty credentials over HTTP(S) web management and Telnet. This effectively disables authe...
CVE-2026-25232
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches including the default branch by sending a direct POST request, completely bypassing th...
CVE-2026-2823
A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub41ACCC of the file /cgi-bin/mbox-config?method=SET&section=ntptimezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible t...
Exploit for CVE-2026-2670
exploit-CVE-2026-2670 CVE-2026-2670 – Advantech WISE-6610...
Jinan USR IOT USR-W610 security vulnerability
Jinan USR IOT USR-W610 is a serial-to-Ethernet converter produced by Jinan USR IOT. The Jinan USR IOT USR-W610 contains a security vulnerability that stems from the web management interface displaying passwords in plain text, which may lead to credential exposure...
Jinan USR IOT USR-W610 security vulnerability
Jinan USR IOT USR-W610 is a serial-to-Ethernet converter developed by Jinan USR IOT. The Jinan USR IOT USR-W610 contains a security vulnerability that stems from the device's embedded web interface not supporting HTTPS/TLS for authentication and using HTTP basic...
CVE-2026-26953
Pi-hole Admin Interface (web UI for Pi-hole) versions 6.0+ expose a Stored HTML Injection in the active sessions table of the API settings page. The vulnerability arises because the rowCallback reads data.x_forwarded_for and directly concatenates it into HTML inserted via jQuery .html(), allowing...
CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...