|
2961
|
- |
|
-
|
-
|
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
|
CWE-78
OS Command
|
CVE-2026-50206
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2962
|
- |
|
-
|
-
|
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.
|
CWE-22
Path Traversal
|
CVE-2026-50207
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2963
|
- |
|
-
|
-
|
High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.
|
CWE-330
Use of Insufficiently Random Values
|
CVE-2026-50208
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2964
|
- |
|
-
|
-
|
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-50209
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2965
|
- |
|
-
|
-
|
The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.
|
CWE-200
Information Exposure
|
CVE-2026-50210
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2966
|
- |
|
-
|
-
|
Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.
|
CWE-134
Use of Externally-Controlled Format String
|
CVE-2026-50211
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2967
|
- |
|
-
|
-
|
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service.
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-50212
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2968
|
- |
|
-
|
-
|
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-50213
|
2026-06-5 00:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2969
|
8.2 |
HIGH
Network
|
-
|
-
|
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. At…
|
CWE-89
SQL Injection
|
CVE-2019-25726
|
2026-06-5 00:00 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2970
|
9.8 |
CRITICAL
Network
|
-
|
-
|
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers…
|
CWE-22
Path Traversal
|
CVE-2019-25727
|
2026-06-5 00:00 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
