|
2331
|
7.2 |
HIGH
Network
|
-
|
-
|
ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary …
|
CWE-78
OS Command
|
CVE-2026-35506
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2332
|
9.8 |
CRITICAL
Network
|
-
|
-
|
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.
|
CWE-288
Authentication Bypass Using an Alternate Path or Channel
|
CVE-2026-40621
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2333
|
9.8 |
CRITICAL
Network
|
-
|
-
|
ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authenticati…
|
CWE-78
OS Command
|
CVE-2026-42062
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2334
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another adminis…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42948
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2335
|
4.3 |
MEDIUM
Network
|
-
|
-
|
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may be…
|
CWE-754
Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-42950
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2336
|
4.3 |
MEDIUM
Network
|
-
|
-
|
ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to…
|
CWE-344
Use of Invariant Value in Dynamically Changing Context
|
CVE-2026-42961
|
2026-05-14 00:47 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2337
|
8.2 |
HIGH
Network
|
-
|
-
|
nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the librar…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-29972
|
2026-05-14 00:46 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2338
|
6.5 |
MEDIUM
Local
|
-
|
-
|
Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim …
|
CWE-88
Argument Injection
|
CVE-2026-45181
|
2026-05-14 00:46 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2339
|
2.2 |
LOW
Local
|
-
|
-
|
GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let syste…
|
CWE-441
Confused Deputy
|
CVE-2026-45182
|
2026-05-14 00:46 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2340
|
6.5 |
MEDIUM
Local
|
-
|
-
|
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-45184
|
2026-05-14 00:46 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
