Total
3944 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1125 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2026-01-30 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1414 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-1413 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-1412 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-30 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-1688 | 2026-01-30 | 7.5 HIGH | 7.3 HIGH | ||
| A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-1687 | 2026-01-30 | 7.5 HIGH | 7.3 HIGH | ||
| A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2025-6775 | 1 Xiaoyunjie | 1 Openvpn-cms-flask | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | |||||
| CVE-2026-1638 | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-1625 | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2026-1624 | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-1623 | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2025-1946 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in hzmanyun Education and Training System 2.1. It has been rated as critical. Affected by this issue is the function exportPDF of the file /user/exportPDF. The manipulation of the argument id leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-24010 | 1 Horilla | 1 Horilla | 2026-01-29 | N/A | 8.0 HIGH |
| Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. | |||||
| CVE-2025-1947 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-1601 | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1150 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-1149 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | |||||
| CVE-2026-1546 | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-1326 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1327 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||