CVE-2026-5851

Totolink A7100RU device (firmware 7.4cu.2313_b20191024) is affected by a vulnerability in the CGI Handler: /cgi-bin/cstecgi.cgi, function setUPnPCfg. Manipulating the enable argument enables an OS command injection, allowing remote exploitation. The issue is rated Critical (CVSS up to 9.8/10 in t...

CVE-2026-5850

A vulnerability was identified in Totolink A7100RU 7.4cu.2313b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru leads to os command injection. Remote exploitation of the attack is possible...

PT-2026-31593

Name of the Vulnerable Software and Affected Versions Totolink A7100RU version 7.4cu.2313 b20191024 Description A vulnerability exists in the Totolink A7100RU device that allows for remote operating system command injection. This is due to a flaw in the setWiFiEasyCfg function within the...

PT-2026-31605

Name of the Vulnerable Software and Affected Versions WAGO PLC versions affected versions not specified Description An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are...

PT-2026-31723

Name of the Vulnerable Software and Affected Versions Totolink A7100RU version 7.4cu.2313 b20191024 Description A vulnerability exists in the Totolink A7100RU device. The setDmzCfg function within the CGI Handler component, specifically in the /cgi-bin/cstecgi.cgi file, is susceptible to OS comma...

EUVD-2026-20623

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might...

Arbitrary Command Injection

Overview @idachev/mcp-javadc is a Model Context Protocol MCP server for Java decompilation Affected versions of this package are vulnerable to Arbitrary Command Injection via the HTTP Interface component when processing the jarFilePath argument. An attacker can execute arbitrary operating system...

CVE-2026-5802 idachev mcp-javadc HTTP os command injection

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might...

CVE-2026-35484

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

CVE-2025-50650

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routesstatic parameter in the /router.asp endpoint...

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the WebUI JSON endpoints due to weaker permission checks than those enforced by the core API. An attacker can perform unauthorize...

LobeHub 安全漏洞

LobeHub is an open-source AI dialogue framework developed by LobeHub. Versions of LobeHub prior to 2.1.48 contained security vulnerabilities. These vulnerabilities stemmed from the WebAPI authentication layer, which trusted client control headers that had only been XOR-encrypted. This allowed...

MCP Java Decompiler Server 操作系统命令注入漏洞

MCP Java Decompiler Server is a Java bytecode decompilation server developed by Ivan Dachev. Versions of MCP Java Decompiler Server 1.2.4 and earlier had a vulnerability related to operating system command injection. This vulnerability stemmed from the handling of the parameter jarFilePath in the...

VulGD: A LLM-Powered Dynamic Open-Access Vulnerability Graph Database

Software vulnerabilities continue to pose significant threats to modern information systems, requiring a timely and accurate risk assessment. Public repositories, such as the National Vulnerability Database and CVE details, are regularly updated, but predominantly utilize relational data models...

CVE-2026-5741

CVE-2026-5741 affects suvarchal/docker-mcp-server up to version 0.1.0. The vulnerability is in src/index.ts functions stop_container, remove_container, and pull_image of the HTTP Interface component, enabling remote command injection. Public exploit exists and could be used for attacks; project h...

GHSA-FH64-R2VC-XVHR MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

EUVD-2026-19608

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

EUVD-2026-19676

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

CVE-2026-35486

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker can access clo...