Latest intel// live feed
CVE-2026-6155 — Executing a manipulation of the argument pppoeServiceName can lead to OS command injection.
A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument pppoeServiceName can lead to OS command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6154 — Performing a manipulation of the argument wizard results in OS command injection.
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6140 — Totolink: Performing a manipulation of the argument FileName results in OS command injection.
A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument FileName results in OS command injection. The attack may be initiated remotely. The exploit has been made public and could be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6139 — Such manipulation of the argument FileName leads to OS command injection.
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6138 — This manipulation of the argument mac causes OS command injection.
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes OS command injection. The attack can be initiated remotely. The exploit has been published and may be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6137 — Tenda: The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow.
A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. CVSSv3.1 8.8 (HIGH)
CVE-2026-6136 — The manipulation of the argument page leads to stack-based buffer overflow.
A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 8.8 (HIGH)
CVE-2026-6135 — Executing a manipulation of the argument page can lead to stack-based buffer overflow.
A weakness has been identified in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromSetIpBind of the file /goform/SetIpBind. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 8.8 (HIGH)
CVE-2026-6134 — Performing a manipulation of the argument qos results in stack-based buffer overflow.
A security flaw has been discovered in Tenda F451 1.0.0.7_cn_svn7958. This vulnerability affects the function fromqossetting of the file /goform/qossetting. Performing a manipulation of the argument qos results in stack-based buffer overflow. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 8.8 (HIGH)
CVE-2026-6133 — Tenda: Such manipulation of the argument page leads to stack-based buffer overflow.
A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. This affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. CVSSv3.1 8.8 (HIGH)
CVE-2026-6132 — Totolink: This manipulation of the argument enable causes OS command injection.
A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-6131 — Totolink: The manipulation of the argument command results in OS command injection.
A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in OS command injection. The attack may be launched remotely. The exploit has been made public and could be used. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40393 — Mesa: In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in
In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca. CVSSv3.1 8.1 (HIGH)
CVE-2019-25710 — Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. CVSSv3.1 8.2 (HIGH)
CVE-2019-25709 — Codefuture Image_hosting_script: CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. CVSSv3.1 9.8 (CRITICAL)
CVE-2019-25705 — Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to
Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. CVSSv3.1 8.4 (HIGH)
CVE-2019-25701 — Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the
Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. CVSSv3.1 8.4 (HIGH)
CVE-2019-25697 — CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database
CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. CVSSv3.1 8.2 (HIGH)
CVE-2019-25695 — R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary
R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. CVSSv3.1 8.4 (HIGH)
CVE-2019-25691 — Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup
Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. CVSSv3.1 8.4 (HIGH)
CVE-2019-25689 — HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to
HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. CVSSv3.1 8.4 (HIGH)
CVE-2018-25258 — RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that
RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. CVSSv3.1 8.4 (HIGH)
CVE-2026-6124 — Tenda: Executing a manipulation of the argument page/menufacturer can lead to stack-based buffer overflow.
A vulnerability was determined in Tenda F451 1.0.0.7. This vulnerability affects the function fromSafeMacFilter of the file /goform/SafeMacFilter of the component httpd. Executing a manipulation of the argument page/menufacturer can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 8.8 (HIGH)
CVE-2026-6123 — Tenda: Performing a manipulation of the argument entrys results in stack-based buffer overflow.
A vulnerability was found in Tenda F451 1.0.0.7. This affects the function fromAddressNat of the file /goform/addressNat of the component httpd. Performing a manipulation of the argument entrys results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. CVSSv3.1 8.8 (HIGH)
CVE-2026-6122 — Such manipulation of the argument page leads to stack-based buffer overflow.
A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. CVSSv3.1 8.8 (HIGH)