Vulnerability Research

CVEs

66 vulnerabilities reported

2026 (18)

CVE-2026-26215

9.3 CRITICAL

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability via pickle.loads() on two FastAPI endpoints, combined with a nonce authentication bypass that defaults to an empty string, allowing unauthenticated remote code execution.

RCE

CVE-2026-26220

9.3 CRITICAL

LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. The server explicitly refuses to bind to localhost, ensuring these endpoints are always network-exposed.

RCE

CVE-2026-27174

9.8 CRITICAL

MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach eval() via register_globals parameters.

RCE

CVE-2026-27175

9.8 CRITICAL

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable is interpolated into a command string within double quotes without escapeshellarg(), queued via safe_exec(), and executed by the web-accessible cycle_execs.php worker via exec().

RCE

CVE-2026-27176

6.1 MEDIUM

MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without htmlspecialchars().

XSS

CVE-2026-27177

7.2 HIGH

MajorDoMo (aka Major Domestic Module) contains a stored XSS vulnerability via the unauthenticated /objects/?op=set endpoint. Property values are stored raw and rendered without escaping in the admin panel's property editor, enabling session hijack via cookie exfiltration.

XSS

CVE-2026-27178

7.2 HIGH

MajorDoMo (aka Major Domestic Module) contains a stored XSS vulnerability through method parameter injection into the shoutbox. Default methods pass attacker-controlled parameters into say(), which stores messages raw. The dashboard widget auto-refreshes every 3 seconds, firing the XSS automatically.

XSS

CVE-2026-27179

8.2 HIGH

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The $_GET['parent'] parameter is directly interpolated into multiple SQL queries without sanitization. Admin passwords are stored as unsalted MD5 hashes.

SQLi

CVE-2026-27180

9.8 CRITICAL

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method without authentication, allowing an attacker to poison the update URL, serve a malicious tarball, and trigger deployment to the webroot.

RCE, Supply Chain

CVE-2026-27181

7.5 HIGH

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method is reachable without authentication, enabling recursive deletion of module files, templates, and database records.

DoS

CVE-2026-27743

9.8 CRITICAL

SPIP referer_spam plugin <= 1.2.1 is vulnerable to unauthenticated blind SQL injection. Two action handlers take $_GET['url'] and concatenate it raw into SQL LIKE clauses without sql_quote(), securiser_action(), or autoriser().

SQLi

CVE-2026-27744

9.8 CRITICAL

SPIP tickets plugin <= 4.3.2 is vulnerable to unauthenticated remote code execution. During forum comment preview, raw _request() values are concatenated into the previsu error key, which is rendered via #ENV** (interdire_scripts=false), allowing PHP code injection through SPIP's template eval() chain.

RCE

CVE-2026-27745

8.8 HIGH

SPIP interface_traduction_objets plugin <= 2.2.1 is vulnerable to authenticated remote code execution. The lang_dest parameter is concatenated raw into _hidden, which skips protege_champ() and renders with interdire_scripts=false, enabling PHP code injection via SPIP's template eval() chain.

RCE

CVE-2026-27746

6.1 MEDIUM

SPIP jeux plugin <= 4.1.0 is vulnerable to reflected XSS. The debut_index_jeux and index_jeux parameters are interpolated unsanitized into a single-quoted HTML id attribute, allowing attribute breakout and script injection.

XSS

CVE-2026-27747

6.5 MEDIUM

SPIP interface_traduction_objets plugin <= 2.2.1 is vulnerable to authenticated blind SQL injection. The id_parent parameter from _request() is concatenated raw into a sql_getfetsel WHERE clause without intval() or sql_quote().

SQLi

CVE-2026-28515

9.3 CRITICAL

openDCIM install.php performs no role check before the LDAP configuration form, allowing any authenticated user (or unauthenticated on Docker deployments) to reach Config::UpdateParameter() calls.

Missing Auth

CVE-2026-28516

9.3 CRITICAL

openDCIM Config::UpdateParameter() uses string interpolation in SQL queries. PDO with MySQL supports stacked queries, giving full database control via the LDAP configuration form in install.php.

SQLi

CVE-2026-28517

9.3 CRITICAL

openDCIM report_network_map.php reads the dot config value from fac_Config and passes it directly to exec() without validation. Combined with CVE-2026-28516, an attacker can overwrite the value and achieve RCE.

RCE

2025 (26)

CVE-2025-34452

8.7 HIGH

Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities that allow an authenticated attacker to write arbitrary files to the server filesystem.

SSRF, Path Traversal

CVE-2025-34433

9.3 CRITICAL

AVideo versions from 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.

RCE

CVE-2025-34434

9.1 CRITICAL

AVideo versions prior to 20.0 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

File Upload

CVE-2025-34435

6.5 MEDIUM

AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.

IDOR

CVE-2025-34436

8.8 HIGH

AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.

IDOR

CVE-2025-34437

8.8 HIGH

AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

IDOR

CVE-2025-34438

8.1 HIGH

AVideo versions prior to 20.0 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.

IDOR

CVE-2025-34439

6.1 MEDIUM

AVideo versions prior to 20.0 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.

Open Redirect

CVE-2025-34440

6.1 MEDIUM

AVideo versions prior to 20.0 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.

Open Redirect

CVE-2025-34441

7.5 HIGH

AVideo versions prior to 20.0 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

Info Disclosure

CVE-2025-34442

7.5 HIGH

AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

Info Disclosure

CVE-2025-2611

9.3 CRITICAL

ICTBroadcast <= 7.4 is vulnerable to unauthenticated remote code execution. The /login.php page issues a session cookie, and certain cookie keys are evaluated using shell backticks in server-side code. This allows attackers to inject arbitrary system commands into the cookie, resulting in code execution during session handling, without authentication.

RCE

CVE-2025-34147

9.4 CRITICAL

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.

RCE

CVE-2025-34148

9.4 CRITICAL

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.

RCE

CVE-2025-34149

9.4 CRITICAL

A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup.

RCE

CVE-2025-34150

9.4 CRITICAL

The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges.

RCE

CVE-2025-34151

9.4 CRITICAL

A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitization, enabling unauthenticated attackers to achieve root-level code execution.

RCE

CVE-2025-34152

9.4 CRITICAL

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal `date -s` command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

RCE

CVE-2025-2609

8.2 HIGH

MagnusBilling 7.3.0 and lower is vulnerable to an unauthenticated stored XSS via the login logs feature. Malicious input submitted as a username during login is stored and later executed in the admin context.

XSS

CVE-2025-2610

7.6 HIGH

MagnusBilling 7.3.0 and lower contains a stored XSS vulnerability in the Alarm module. Unsanitized message fields can lead to arbitrary JavaScript execution when viewed by an administrator.

XSS

CVE-2025-2292

6.5 MEDIUM

Xorcom CompletePBX <= 5.2.35 is vulnerable to authenticated file disclosure, allowing access to sensitive files through crafted requests.

File Disclosure

CVE-2025-30004

8.8 HIGH

Xorcom CompletePBX <= 5.2.35 contains an authenticated command injection vulnerability, leading to remote code execution via system commands.

RCE

CVE-2025-30005

8.3 HIGH

Xorcom CompletePBX <= 5.2.35 is affected by a path traversal vulnerability allowing authenticated file deletion and access to arbitrary paths.

Path Traversal

CVE-2025-30006

6.1 MEDIUM

Xorcom CompletePBX 5.2.35 is vulnerable to an authenticated reflected XSS, allowing JavaScript injection via crafted input.

XSS

CVE-2025-30007

8.2 HIGH

Vembu BDRSuite <= 7.5.0.1 is affected by an unauthenticated stored XSS in serverbackupprogress.sgp via the ClientName and BackupName parameters.

XSS

CVE-2025-30008

8.2 HIGH

Vembu BDRSuite <= 7.5.0.1 contains an unauthenticated stored XSS in restoreprogress.sgp through multiple unsanitized URL parameters.

XSS

2024 (21)

CVE-2024-22899

8.8 HIGH

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

RCE

CVE-2024-22900

8.8 HIGH

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.

RCE

CVE-2024-22901

9.8 CRITICAL

Vinchin Backup & Recovery v7.2 was discovered to use default MySQL credentials.

Default Creds

CVE-2024-22902

9.8 CRITICAL

Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.

Default Creds

CVE-2024-22903

8.8 HIGH

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.

RCE

CVE-2024-25228

8.8 HIGH

Vinchin Backup and Recovery 7.2 and earlier is vulnerable to authenticated remote code execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.

RCE

CVE-2024-30920

7.4 HIGH

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the render-document.php component.

XSS

CVE-2024-30921

5.4 MEDIUM

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the photo.php component.

XSS

CVE-2024-30922

9.8 CRITICAL

SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the WHERE clause in Award Document Rendering.

SQLi

CVE-2024-30923

9.8 CRITICAL

SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the WHERE clause in Racer Document Rendering.

SQLi

CVE-2024-30924

4.6 MEDIUM

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component.

XSS

CVE-2024-30925

6.5 MEDIUM

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the photo-thumbs.php component.

XSS

CVE-2024-30926

4.6 MEDIUM

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the ./inc/kiosks.inc component.

XSS

CVE-2024-30927

6.3 MEDIUM

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the racer-results.php component.

XSS

CVE-2024-30928

8.1 HIGH

SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via the 'classids' parameter in ajax/query.slide.next.inc.

SQLi

CVE-2024-30929

8 HIGH

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the 'back' parameter in playlist.php.

XSS

CVE-2024-31818

9.8 CRITICAL

Directory Traversal vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component.

Path Traversal

CVE-2024-31819

9.8 CRITICAL

An issue in WWBN AVideo v12.4 through v14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

RCE

CVE-2024-3032

6.1 MEDIUM

Themify Builder < 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

Open Redirect

CVE-2024-35373

9.8 CRITICAL

Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.

RCE

CVE-2024-35374

9.8 CRITICAL

Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, leading to remote code execution (RCE).

RCE

2023 (1)