|
3001
|
6.5 |
MEDIUM
Network
|
totolink
|
a3300r_firmware
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.
|
CWE-77
Command Injection
|
CVE-2026-31172
|
2026-04-25 00:12 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3002
|
6.5 |
MEDIUM
Network
|
totolink
|
a3300r_firmware
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.
|
CWE-77
Command Injection
|
CVE-2026-31174
|
2026-04-25 00:12 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3003
|
9.8 |
CRITICAL
Network
|
totolink
|
a3300r_firmware
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.
|
CWE-77
Command Injection
|
CVE-2026-31175
|
2026-04-25 00:12 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3004
|
9.8 |
CRITICAL
Network
|
topsecgroup
|
tianxin_internet_behavior_management_system
|
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supply…
|
CWE-78
OS Command
|
CVE-2021-4473
|
2026-04-25 00:12 |
2026-04-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3005
|
6.5 |
MEDIUM
Network
|
totolink
|
a3300r_firmware
|
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.
|
CWE-77
Command Injection
|
CVE-2026-31176
|
2026-04-25 00:12 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3006
|
9.8 |
CRITICAL
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` para…
|
CWE-77
Command Injection
|
CVE-2026-41304
|
2026-04-25 00:11 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3007
|
9.3 |
CRITICAL
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `cu…
|
CWE-78
OS Command
|
CVE-2026-41064
|
2026-04-25 00:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3008
|
5.4 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override …
|
CWE-79
Cross-site Scripting
|
CVE-2026-41063
|
2026-04-25 00:08 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3009
|
6.5 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the U…
|
CWE-22
Path Traversal
|
CVE-2026-41062
|
2026-04-25 00:08 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3010
|
5.4 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor,…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41061
|
2026-04-25 00:08 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
