CVE Notify
19.3K subscribers
4 photos
203K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2023-36998
The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.

🎖@cveNotify
🚨 CVE-2024-57041
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.

🎖@cveNotify
🚨 CVE-2024-48417
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Cross Site Scripting (XSS) in : /bin/goahead via /goform/setStaticRoute, /goform/fromSetFilterUrlFilter, and /goform/fromSetFilterClientFilter.

🎖@cveNotify
🚨 CVE-2024-48418
In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of user provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands.

🎖@cveNotify
🚨 CVE-2024-48419
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges.

🎖@cveNotify
🚨 CVE-2024-34896
An issue in Nedis SmartLife Video Doorbell (WIFICDP10GY), Nedis SmartLife IOS v1.4.0 causes users who are disconnected from a previous peer-to-peer connection with the device to still have access to live video feed.

🎖@cveNotify
🚨 CVE-2024-34897
Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability.

🎖@cveNotify
🚨 CVE-2024-57598
A floating point exception (divide-by-zero) vulnerability was discovered in Bento4 1.6.0-641 in function AP4_TfraAtom() of Ap4TfraAtom.cpp which allows a remote attacker to cause a denial of service vulnerability.

🎖@cveNotify
🚨 CVE-2025-22936
An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers.

🎖@cveNotify
🚨 CVE-2020-35546
Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.

🎖@cveNotify
🚨 CVE-2025-25968
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.

🎖@cveNotify
🚨 CVE-2025-26201
Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges.

🎖@cveNotify
🚨 CVE-2025-25783
An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.

🎖@cveNotify
🚨 CVE-2025-25784
An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.

🎖@cveNotify
🚨 CVE-2025-25789
FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.

🎖@cveNotify
🚨 CVE-2025-25790
An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.

🎖@cveNotify
🚨 CVE-2025-25792
SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the isopen parameter at admin_weixin.php.

🎖@cveNotify