Unknown · CVSS Not scored
A Remote Code Execution (RCE) vulnerability exists in Algorithmia MSOL all versions before October 10 2021 of SaaS. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate, they can proceed to create a new, specially crafted Algorithm and subsequently launch remote code execution with their desired result.
Published Mar 1, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Remote Code Execution (RCE) vulnerability exists in Zepl Notebooks all previous versions before October 25 2021. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate, they can proceed to create a new organization by which additional users can be added for various collaboration abilities, which allows malicious user to create new Zepl Notebooks with various languages, contexts, and deployment scenarios. Upon creating a new notebook with specially crafted malicious code, a user can then launch remote code execution.
Published Mar 3, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ShowMyPC 3606 on Windows suffers from a DLL hijack vulnerability. If an attacker overwrites the file %temp%\ShowMyPC\-ShowMyPC3606\wodVPN.dll, it will run any malicious code contained in that file. The code will run with normal user privileges unless the user specifically runs ShowMyPC as administrator.
Published Jul 17, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon.
Published Dec 16, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TOTOLINK EX1200T V4.1.2cu.5215 contains a denial of service vulnerability in function RebootSystem of the file lib/cste_modules/system which can reboot the system.
Published Jun 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin.
Published Jun 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code.
Published May 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 in the first_name parameter in (1) patient/insert, (2) patient_report, (3) appointment_report, (4) visit_report, and (5) bill_detail_report pages. .
Published Mar 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution.
Published Jun 14, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to reassign drivers for any printer.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to multiple reflected cross site scripting vulnerabilities. Attacker controlled input is reflected back in the page without sanitization.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitize user input resulting in pre-auth remote code execution.
Published Feb 1, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use user-controlled input to craft a URL, resulting in a Server Side Request Forgery (SSRF) vulnerability.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution.
Published Jan 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to SQL Injection, which may allow an attacker to access additional audit records.
Published Feb 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution.
Published Jan 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page.
Published Aug 23, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8 · CISA KEV
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
Published Nov 5, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the router.
Published Aug 23, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.
Published Dec 15, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
Published Apr 28, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest function
Published Dec 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PEEL Shopping CMS 9.4.0 is vulnerable to authenticated SQL injection in utilisateurs.php. A user that belongs to the administrator group can inject a malicious SQL query in order to affect the execution logic of the application and retrive information from the database.
Published Jun 15, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. The vulnerability exists in the article upload: post-edit.php page.
Published Jun 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack.
Published Mar 7, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
Published Nov 13, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack.
Published Dec 17, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.
Published Dec 8, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A path traversal attack in web interfaces of Netgear RAX35, RAX38, and RAX40 routers before v1.0.4.102, allows a remote unauthenticated attacker to gain access to sensitive restricted information, such as forbidden files of the web application, via sending a specially crafted HTTP packet.
Published Dec 9, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A reflected cross-site-scripting attack in web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to execute code in the device of the victim via sending a specific URL to the unauthenticated victim.
Published Feb 10, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.
Published Feb 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A DoS attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to reboot the router via sending a specially crafted URL to an authenticated victim. The authenticated victim need to visit this URL, for the router to reboot.
Published Feb 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.
Published Nov 19, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.
Published Nov 19, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.
Published Mar 25, 2022 · Updated Jul 9, 2026
High · CVSS 8.8
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner.
Published Mar 25, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.
Published Mar 25, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set.
Published Jun 14, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the HttpOnly flag set.
Published Jun 14, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
Published Sep 15, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.
Published Apr 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allow remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
Published Mar 2, 2022 · Updated Jul 9, 2026