Latest CVE Feed
-
7.0
HIGHCVE-2025-62842
An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed ... Read more
- Published: Jan. 02, 2026
- Modified: Jan. 02, 2026
- Vuln Type: Path Traversal
-
7.0
HIGHCVE-2025-67858
A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? b... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
7.0
HIGHCVE-2025-20779
In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS1018408... Read more
- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Race Condition
-
7.0
HIGHCVE-2025-14295
Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access ... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cryptography
-
7.0
HIGHCVE-2025-62840
A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data. We have alread... Read more
- Published: Jan. 02, 2026
- Modified: Jan. 02, 2026
- Vuln Type: Information Disclosure
-
7.0
HIGHCVE-2025-15017
A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or exec... Read more
- Published: Dec. 31, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2026-22543
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2025-3660
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pe... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
6.9
MEDIUMCVE-2026-1020
Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory.... Read more
Affected Products : police_statistics_database_system- Published: Jan. 16, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Path Traversal
-
6.9
MEDIUMCVE-2025-3652
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send ... Read more
Affected Products :- Published: Jan. 04, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure
-
6.9
MEDIUMCVE-2025-6225
Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form. The injected commands would execute with low privileges. The vulnerability has been fixed in versi... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2021-47754
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative ... Read more
Affected Products : arunna- Published: Jan. 15, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Request Forgery
-
6.9
MEDIUMCVE-2025-66051
Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration ... Read more
- Published: Jan. 09, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Path Traversal
-
6.9
MEDIUMCVE-2019-25290
Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewal... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Server-Side Request Forgery
-
6.9
MEDIUMCVE-2025-15035
Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functional... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Path Traversal
-
6.9
MEDIUMCVE-2025-59102
The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs ... Read more
Affected Products :- Published: Jan. 26, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Information Disclosure
-
6.9
MEDIUMCVE-2021-47776
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRe... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Server-Side Request Forgery
-
6.9
MEDIUMCVE-2026-22188
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled a... Read more
Affected Products : panda3d- Published: Jan. 07, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Denial of Service
-
6.9
MEDIUMCVE-2025-34171
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path... Read more
Affected Products :- Published: Jan. 02, 2026
- Modified: Jan. 08, 2026
-
6.9
MEDIUMCVE-2025-66002
An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users ton perform arbitrary unmounts via smb4k mount helper... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection