PT-2026-1110
Name of the Vulnerable Software and Affected Versions Plex Media Server versions through 2025-12-31 Description A non-server device token can retrieve other tokens intended for unrelated access via the clients.plex.tv/devices.xml endpoint. This impacts the Plex Media Server backend. Recommendatio...
appRain CMF Cross-Site Scripting Vulnerability
appRain CMF is a content management framework from appRain Canada. appRain CMF suffers from a cross-site scripting vulnerability that is caused by improper validation of user input in the /apprain/developer/language/lipsum.xml endpoint. An attacker could use this vulnerability to steal the victim...
PT-2025-35911
Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: A stored authenticated cross-site scripting XSS issue exists due to insufficient validation of user-supplied data. The vulnerability is present in the /apprain/developer/language/lipsum.xml endpoint...
CVE-2024-55040
Cross Site Scripting vulnerability in Sensaphone WEB600 Monitoring System v.1.6.5.H and before allows a remote attacker to execute arbitrary code via crafted GET requests to /@.xml, placing payloads in the g7200, g7300, g4601, and g1F02 parameters...
CVE-2024-28722
Cross Site Scripting vulnerability in Innovaphone myPBX v.14r1, v.13r3, v.12r2 allows a remote attacker to execute arbitrary code via the query parameter to the /CMD0/xmlmodes.xml endpoint...
CVE-2023-41194
D-Link DAP-1325 HNAP SetAPLanSettings SubnetMask Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability...
PT-2024-22540 · Innovaphone · Innovaphone Pbx
Name of the Vulnerable Software and Affected Versions: Innovaphone myPBX versions 12r2 through 14r1 Description: The issue allows a remote attacker to execute arbitrary code via the query parameter to the "/CMD0/xmlmodes.xml" endpoint. This enables the attacker to perform actions such as injecti...
PT-2022-22666 · Robustel · Robustel R1510
Name of the Vulnerable Software and Affected Versions: Robustel R1510 versions 3.1.16 through 3.3.0 Description: A denial of service issue exists in the web server hashFirst functionality. It can be triggered by a specially-crafted network request, allowing an attacker to send a sequence of...
CVE-2021-26086
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1...
Cisco Data Center Network Manager addGroupNavigation XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of requests to the addGroupNavigation SOAP...
PT-2018-2497 · Medion +3 · Medion Lifecloud Nas +3
Name of the Vulnerable Software and Affected Versions: Seagate GoFlex Home (affected versions not specified); Medion LifeCloud NAS (affected versions not specified); Netgear Stora (affected versions not specified) Description: The issue is related to an incorrect restriction of XML links to external...
CVE-2018-13861
Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 FW 303 allows unauthorized remote attackers to reboot or execute other functions via the "/xml/system/control.xml" URL, using the GET request "?action=reboot" for example...
CVE-2018-13860
MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18 allows unauthorized remote attackers to obtain sensitive information via the "/xml/menu/getObjectEditor.xml" URL, using a "?oid=systemSetup&id=0" or "?oid=systemUsers&id=0" GET...
ASUS Routers CSRF / Information Disclosure Vulnerabilities
ASUS routers suffer from cross site request forgery and information disclosure vulnerabilities. Versions affected include RT-AC55U, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66U, RT-AC88U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC53U,...