Unknown · CVSS Not scored
OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS). To exploit the vulnerability, the attacker needs to manipulate the name of some device on your computer, such as a printer, replacing the device name with some malicious code that allows the execution of Stored Cross-site Scripting (XSS).
Published Feb 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the web server or increase the attack surface.
Published Feb 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v 4.2.0 is vulnerable to RCE via io.jpress.module.product.ProductNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
IrfanView 4.59 is vulnerable to buffer overflow via the function at address 0x413c70 (in 32bit version of the binary). The vulnerability triggers when the user opens malicious .tiff image.
Published Mar 23, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.
Published Mar 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.
Published Mar 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet is function turned on.
Published Mar 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.
Published Mar 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.
Published Mar 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution.
Published Mar 18, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
Published Sep 8, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 allows users to register an account by default. With the account, user can upload arbitrary files to the server.
Published Jan 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.
Published May 5, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ASUS AC68U <=3.0.0.4.385.20852 is affected by a buffer overflow in blocking.cgi, which may cause a denial of service (DoS).
Published Mar 23, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Asus RT-AC68U <3.0.0.4.385.20633 and RT-AC5300 <3.0.0.4.384.82072 are affected by a buffer overflow in blocking_request.cgi.
Published Mar 23, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing. A potential attacker can use this misconfiguration to access all the files in the remote directories. Note: the product has not been supported since 2018 and should be removed or replaced.
Published Feb 14, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
Published Feb 14, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Certain Starcharge products are affected by Improper Input Validation. The affected products include: Nova 360 Cabinet <= 1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0 and Titan 180 Premium <= 1.3.0.0.6 - Fixed: 1.3.0.0.9.
Published Dec 22, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0.
Published Dec 22, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.
Published Feb 1, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ASG technologies ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cross Site Scripting (XSS).
Published Jun 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.
Published Jun 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).
Published Jun 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0 Firmware V15.03.06.48_multi and so on. an attacker can obtain sensitive information, and even combine it with authenticated command injection to implement RCE.
Published Jan 28, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A memory leakage flaw exists in the class PerimeterGenerator of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. Specially crafted stl files can exhaust available memory. An attacker can provide malicious files to trigger this vulnerability.
Published Mar 1, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An information exposure issue has been discovered in Opmantek Open-AudIT 4.2.0. The vulnerability allows an authenticated attacker to read file outside of the restricted directory.
Published Jan 3, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters.
Published Mar 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges
Published Apr 29, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.
Published Apr 29, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
A buffer overflow in the component /Enclave.cpp of Electronics and Telecommunications Research Institute ShieldStore commit 58d455617f99705f0ffd8a27616abdf77bdc1bdc allows attackers to cause an information leak via a crafted structure from an untrusted operating system.
Published May 9, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.
Published Mar 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload.
Published Mar 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.
Published May 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.
Published Dec 1, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.
Published Jan 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.
Published Apr 7, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the checkNet function in /cgi-bin/luci/api/auth.
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the doSwitchApi function in /cgi-bin/luci/api/switch.
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the setSessionTime function in /cgi-bin/luci/api/common..
Published May 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Zepl Notebooks before 2021-10-25 are affected by a sandbox escape vulnerability. Upon launching Remote Code Execution from the Notebook, users can then use that to subsequently escape the running context sandbox and proceed to access internal Zepl assets including cloud metadata services.
Published Feb 25, 2022 · Updated Jul 9, 2026