Critical · CVSS 9.8
An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitve information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 8.2
An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in BURG-WCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitve information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.3
A directory listing issue in the baserCMS plugin in D-ZERO CO., LTD. BurgerEditor and BurgerEditor Limited Edition before 2.25.1 allows remote attackers to obtain sensitive information by exposing a list of the uploaded files.
Published Oct 11, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript code in the web browser of a user via injecting a crafted payload into the dialog parameter at wrapper_dialog.php.
Published Oct 7, 2024 · Updated Jul 5, 2026
High · CVSS 8.8
SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection.
Published Oct 15, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.
Published Oct 8, 2024 · Updated Jul 5, 2026
High · CVSS 7.7
Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows remote attacker to access internal files by manipulating default path during file download. NOTE: this is disputed by the vendor because these filesystem paths are allowed for authorized users.
Published Oct 30, 2024 · Updated Jul 5, 2026
High · CVSS 8.8
Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users.
Published Oct 30, 2024 · Updated Jul 5, 2026
High · CVSS 8.8
SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users.
Published Oct 30, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers.
Published Oct 31, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter.
Published Oct 31, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.
Published Oct 31, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter.
Published Oct 31, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter.
Published Oct 31, 2024 · Updated Jul 5, 2026
High · CVSS 8.4
Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.
Published Oct 24, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism.
Published Oct 24, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
Published Oct 24, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.3
Vilo 5 Mesh WiFi System <= 5.16.1.33 lacks authentication in the Boa webserver, which allows remote, unauthenticated attackers to retrieve logs with sensitive system.
Published Oct 21, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.3
Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Information Disclosure. An information leak in the Boa webserver allows remote, unauthenticated attackers to leak memory addresses of uClibc and the stack via sending a GET request to the index page.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
A Command Injection vulnerability in Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, authenticated attackers to execute arbitrary code by injecting shell commands into the name of the Vilo device.
Published Oct 21, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.3
A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.6
Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.6
A Buffer Overflow vulnerability in the local_app_set_router_wifi_SSID_PWD function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via a password field larger than 64 bytes in length.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.6
A Buffer Overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via pppoe_username and pppoe_password fields being larger than 128 bytes in length.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.6
A Buffer Overflow in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via exceptionally long HTTP methods or paths.
Published Oct 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.6
A Buffer Overflow vulnerabilty in the local_app_set_router_token function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via sscanf reading the token and timezone JSON fields into a fixed-length buffer.
Published Oct 21, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process.
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process
Published Oct 11, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process
Published Oct 11, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.4
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.
Published Oct 16, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.
Published Oct 16, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component.
Published Oct 11, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover.
Published Oct 7, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.
Published Oct 9, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file.
Published Oct 11, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.6
OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS) which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint.
Published Oct 7, 2024 · Updated Jul 5, 2026
High · CVSS 7.1
Krayin CRM v1.3.0 is vulnerable to Cross Site Scripting (XSS) via the organization name field in /admin/contacts/organizations/edit/2.
Published Oct 7, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe.
Published Oct 7, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.
Published Oct 7, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.
Published Oct 7, 2024 · Updated Jul 5, 2026