|
4511
|
- |
|
-
|
-
|
The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.
|
CWE-77
Command Injection
|
CVE-2026-49196
|
2026-05-29 23:46 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4512
|
- |
|
-
|
-
|
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
|
CWE-287
Improper Authentication
|
CVE-2026-49197
|
2026-05-29 23:46 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4513
|
- |
|
-
|
-
|
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
|
CWE-284
Improper Access Control
|
CVE-2026-49198
|
2026-05-29 23:46 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4514
|
- |
|
-
|
-
|
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-49200
|
2026-05-29 23:46 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4515
|
- |
|
-
|
-
|
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers…
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-49201
|
2026-05-29 23:46 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4516
|
7.5 |
HIGH
Network
|
-
|
-
|
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk pat…
|
CWE-22
Path Traversal
|
CVE-2026-49128
|
2026-05-29 23:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4517
|
8.2 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio…
|
CWE-307
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-35675
|
2026-05-29 23:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4518
|
6.5 |
MEDIUM
Network
|
apache
|
ignite
|
Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way.
This iss…
|
CWE-23
Relative Path Traversal
|
CVE-2025-48977
|
2026-05-29 23:11 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4519
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
|
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…
|
CWE-77
Command Injection
|
CVE-2026-38702
|
2026-05-29 23:09 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4520
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
|
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…
|
CWE-77
Command Injection
|
CVE-2026-38703
|
2026-05-29 23:09 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
