CVE-2026-1668

The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution. An unauthenticated attacker with netwo...

CVE-2026-4164

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function DeleteMaclist/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit h...

EUVD-2025-209041

A Cross-Site Request Forgery CSRF vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to...

EUVD-2026-16080

A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /myaccount/addcostumer.php of the component Web Application Interface. Such manipulation of the argument costumername leads to cross site scripting. The attack may be...

CVE-2026-4835

A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /myaccount/addcostumer.php of the component Web Application Interface. Such manipulation of the argument costumername leads to cross site scripting. The attack may be...

CVE-2025-15101

An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisor...

CVE-2025-15101

An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisor...

CVE-2025-15101

The CVE-2025-15101 entry describes a CSRF vulnerability in the web management interface of certain ASUS routers. Affected component: the web management UI; underlying cause is CSRF that allows actions with the privileges of an authenticated user, potentially enabling execution of system commands ...

CVE-2026-34055

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

PT-2026-28265

Ruckus Unleashed contains a remote code execution vulnerability in the web-based management interface that allows authenticated remote attackers to execute arbitrary code on the system when gateway mode is enabled. Attackers can exploit this vulnerability by sending specially crafted requests...

PT-2026-28385

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.6 Description Open WebUI is an artificial intelligence platform designed for offline operation. A missing access control check when deleting files from a knowledge base allows a user with write access to a...

PT-2026-28189

A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my account/add costumer.php of the component Web Application Interface. Such manipulation of the argument costumer name leads to cross site scripting. The attack may be...

PT-2026-28188

Name of the Vulnerable Software and Affected Versions ASUS routers affected versions not specified Description A Cross-Site Request Forgery CSRF issue exists in the Web management interface of ASUS routers. This allows actions to be performed with the privileges of an authenticated user. This...

CVE-2026-34055 OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

CVE-2026-34055 OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

CVE-2026-34055

OpenEMR contains an IDOR in the web UI: legacy patient notes updates/deletes in library/pnotes.inc.php use WHERE id = ? without verifying the note belongs to the user’s accessible patient. Multiple web UI callers pass user-controlled note IDs, enabling unauthorized access/modification. Affects ve...

CVE-2026-2483 IBM InfoSphere Information Server Cross-Site Scripting

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...

EUVD-2026-15437

A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user...

CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...