A vulnerability in the web interface of Qtech switches, related to improper handling of cookies, allows an attacker to elevate their privileges to administrator level.
A vulnerability in the web interface of Qtech switches, related to improper handling of cookies. Exploiting this vulnerability can allow a remote attacker to elevate their privileges to the level of an administrator...
CVE-2025-49834
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_denoise function. denoise_inp_dir and denoise_opt_dir take user input, which is passed to the open_denoise function, which concatenates the user...
CVE-2025-49835 GHSL-2025-047: GPT-SoVITS Command Injection vulnerability
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_asr function. asr_inp_dir and a number of other variables take user input, which is passed to the open_asr function, which concatenates the...
CVE-2025-34115
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web...
CVE-2025-34105
A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote...
CVE-2025-34115 OP5 Monitor <= 7.1.9 Authenticated Command Execution via command_test.php
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web...
PT-2025-29556 · Op5 · Op5 Monitor
Name of the Vulnerable Software and Affected Versions: OP5 Monitor versions through 7.1.9 Description: An authenticated command injection vulnerability exists in OP5 Monitor. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as...
CVE-2025-7574 LB-LINK BL-WR9000 Web Interface lighttpd.cgi restore improper authentication
A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The manipulation leads to...
CVE-2025-7574
CVE-2025-7574 affects LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000, up to version 20250702. The Web Interface's /cgi-bin/lighttpd.cgi reboot/restore function is susceptible to improper authentication, enabling remote exploitation. Public disclosures exist; ...
A vulnerability in the sub_410DDC() function of the web interface in the D-Link DIR-825 router's firmware allows an attacker to execute arbitrary code.
The vulnerability in the sub_410DDC() function of the web interface in the D-Link DIR-825 router's firmware is an out-of-bounds read (data read beyond the buffer boundaries in memory) during processing of the language parameter. Exploiting this vulnerability allows a remote attacke...
A vulnerability in the web interface of the Wing FTP Server allows an attacker to elevate their privileges and execute arbitrary code.
The vulnerability in the web interface of the Wing FTP Server involves the insertion of a null byte (%00) into the username string during processing of the loginok.html endpoint. Exploiting this vulnerability allows an attacker to elevate their privileges and execute arbitrary code...
Cross-site Scripting (XSS)
Roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the interaction between URLs and issue tracker templates. An attacker can execute arbitrary scripts...
CVE-2025-50121
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface (HTTP) when enabled. HTTP is disabled by default...
CVE-2025-47811
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are...
CVE-2025-52950
A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and...
CVE-2025-52950 Juniper Security Director: Insufficient authorization for multiple endpoints in web interface
A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and...
CVE-2025-52950
Juniper Networks Security Director has a Missing Authorization vulnerability (CVE-2025-52950) where an unauthenticated network-based attacker can read or tamper with sensitive resources through the web interface. The issue arises from endpoints that do not validate authorization, allowing access ...