2026-04-13
2026-04-13 04:16Z
CRIT

CVE-2026-6155 — Executing a manipulation of the argument pppoeServiceName can lead to os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6155

A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument pppoeServiceName can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-13
2026-04-13 04:16Z
CRIT

CVE-2026-6154 — Performing a manipulation of the argument wizard results in os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6154

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-13
2026-04-13 01:16Z
CRIT

CVE-2026-6140 — Totolink: Performing a manipulation of the argument FileName results in os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6140

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument FileName results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Vendor: Totolink · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-13
2026-04-13 01:16Z
CRIT

CVE-2026-6139 — Such manipulation of the argument FileName leads to os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6139

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-13
2026-04-13 00:16Z
CRIT

CVE-2026-6138 — This manipulation of the argument mac causes os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6138

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-13
2026-04-13 00:16Z
HIGH

CVE-2026-6137 — Tenda: The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6137

A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Vendor: Tenda · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-13
2026-04-13 00:16Z
HIGH

CVE-2026-6136 — The manipulation of the argument page leads to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6136

A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-13
2026-04-13 00:16Z
HIGH

CVE-2026-6135 — Executing a manipulation of the argument page can lead to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6135

A weakness has been identified in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromSetIpBind of the file /goform/SetIpBind. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-12
2026-04-12 23:16Z
HIGH

CVE-2026-6134 — Performing a manipulation of the argument qos results in stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6134

A security flaw has been discovered in Tenda F451 1.0.0.7_cn_svn7958. This vulnerability affects the function fromqossetting of the file /goform/qossetting. Performing a manipulation of the argument qos results in stack-based buffer overflow. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-12
2026-04-12 23:16Z
HIGH

CVE-2026-6133 — Tenda: Such manipulation of the argument page leads to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6133

A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. This affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Vendor: Tenda · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-12
2026-04-12 23:16Z
CRIT

CVE-2026-6132 — Totolink: This manipulation of the argument enable causes os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6132

A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Vendor: Totolink · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-12
2026-04-12 23:16Z
CRIT

CVE-2026-6131 — Totolink: The manipulation of the argument command results in os command injection.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6131

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · Vendor: Totolink · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-12
2026-04-12 19:16Z
HIGH

CVE-2026-40393 — Mesa: In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40393

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca. CVSSv3.1 8.1 (HIGH)

CWE: CWE-787 · Vendor: Mesa · Type: Vulnerability · CVSS v3.1: 8.1 · Edit Score: 91
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25710 — Dolibarr: ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25710

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. CVSSv3.1 8.2 (HIGH)

CWE: CWE-89 · Vendor: Dolibarr · Type: Vulnerability · CVSS v3.1: 8.2 · Edit Score: 91
2026-04-12
2026-04-12 13:16Z
CRIT

CVE-2019-25709 — Codefuture Image_hosting_script: CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25709

CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-552 · Vendor: Image, Codefuture · Type: Vulnerability · CVSS v3.1: 9.8 · Edit Score: 99
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25705 — Echo: Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25705

Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. CVSSv3.1 8.4 (HIGH)

CWE: CWE-787 · Vendor: Echo · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25701 — Easy: Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25701

Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. CVSSv3.1 8.4 (HIGH)

CWE: CWE-787 · Vendor: Easy · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25697 — CMSsite: 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25697

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. CVSSv3.1 8.2 (HIGH)

CWE: CWE-89 · Vendor: Cmssite · Type: Vulnerability · CVSS v3.1: 8.2 · Edit Score: 91
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25695 — R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25695

R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. CVSSv3.1 8.4 (HIGH)

CWE: CWE-787 · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25691 — Faleemi: Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25691

Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. CVSSv3.1 8.4 (HIGH)

CWE: CWE-787 · Vendor: Faleemi · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2019-25689 — HTML5: Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2019-25689

HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. CVSSv3.1 8.4 (HIGH)

CWE: CWE-787 · Vendor: Html5 · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 13:16Z
HIGH

CVE-2018-25258 — RGui: 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2018-25258

RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. CVSSv3.1 8.4 (HIGH)

CWE: CWE-434 · Vendor: Rgui · Type: Vulnerability · CVSS v3.1: 8.4 · Edit Score: 92
2026-04-12
2026-04-12 09:16Z
HIGH

CVE-2026-6124 — Tenda: Executing a manipulation of the argument page/menufacturer can lead to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6124

A vulnerability was determined in Tenda F451 1.0.0.7. This vulnerability affects the function fromSafeMacFilter of the file /goform/SafeMacFilter of the component httpd. Executing a manipulation of the argument page/menufacturer can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Vendor: Tenda · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-12
2026-04-12 09:16Z
HIGH

CVE-2026-6123 — Tenda: Performing a manipulation of the argument entrys results in stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6123

A vulnerability was found in Tenda F451 1.0.0.7. This affects the function fromAddressNat of the file /goform/addressNat of the component httpd. Performing a manipulation of the argument entrys results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Vendor: Tenda · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94
2026-04-12
2026-04-12 08:16Z
HIGH

CVE-2026-6122 — Such manipulation of the argument page leads to stack-based buffer overflow.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6122

A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · Type: Vulnerability · CVSS v3.1: 8.8 · Edit Score: 94