π¨ CVE-2026-30352
A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.
π@cveNotify
A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.
π@cveNotify
Gist
CVE-2026-30352 - AutoForge Remote Code Execution via crafted command parameter
CVE-2026-30352 - AutoForge Remote Code Execution via crafted command parameter - gist:e3bdee6c022b36d5ecb98fbf61284931
π¨ CVE-2026-30462
A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.
π@cveNotify
A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.
π@cveNotify
GitHub
FUEL-CMS/fuel/modules/fuel/controllers/Blocks.php at master Β· daylightstudio/FUEL-CMS
A CodeIgniter Content Management System. Contribute to daylightstudio/FUEL-CMS development by creating an account on GitHub.
π¨ CVE-2026-38934
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
π@cveNotify
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
π@cveNotify
GitHub
diskoverdata-cve-writeups/CVE-2026-38934 at main Β· VadlaReddySai/diskoverdata-cve-writeups
Multiple CVEs (CVE-2026-38934, CVE-2026-38935, CVE-2026-38936) discovered in diskover-community including CSRF and XSS vulnerabilities with proof-of-concept and impact analysis. - VadlaReddySai/dis...
π¨ CVE-2026-38935
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter
π@cveNotify
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter
π@cveNotify
GitHub
diskoverdata-cve-writeups/CVE-2026-38935 at main Β· VadlaReddySai/diskoverdata-cve-writeups
Multiple CVEs (CVE-2026-38934, CVE-2026-38935, CVE-2026-38936) discovered in diskover-community including CSRF and XSS vulnerabilities with proof-of-concept and impact analysis. - VadlaReddySai/dis...
π¨ CVE-2026-38936
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter
π@cveNotify
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter
π@cveNotify
GitHub
diskoverdata-cve-writeups/CVE-2026-38936 at main Β· VadlaReddySai/diskoverdata-cve-writeups
Multiple CVEs (CVE-2026-38934, CVE-2026-38935, CVE-2026-38936) discovered in diskover-community including CSRF and XSS vulnerabilities with proof-of-concept and impact analysis. - VadlaReddySai/dis...
π¨ CVE-2025-60889
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
π@cveNotify
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
π@cveNotify
Gist
cvd_hpx_20250902.md
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2026-36356
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
π@cveNotify
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
π@cveNotify
GitHub
GitHub - totekuh/CVE-2026-36356: CVE-2026-36356: MeiG Smart FORGE_SLT711 GoAhead - Unauthenticated OS Command Injection (RCE asβ¦
CVE-2026-36356: MeiG Smart FORGE_SLT711 GoAhead - Unauthenticated OS Command Injection (RCE as root) - totekuh/CVE-2026-36356
π¨ CVE-2023-24215
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.
π@cveNotify
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.
π@cveNotify
GitHub
cve-disclosures/00_-_CVE-2023-24215.md at main Β· sql3t0/cve-disclosures
Collection of CVEs and security advisories discovered and responsibly disclosed by Sql3t0, including technical details, impact assessment, and mitigation guidance. - sql3t0/cve-disclosures
π¨ CVE-2026-36239
PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality
π@cveNotify
PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality
π@cveNotify
GitHub
GitHub - TazmiDev/CVE-2026-36239: CVE-2026-36239 | Authenticated RCE in PbootCMS β€3.2.12
CVE-2026-36239 | Authenticated RCE in PbootCMS β€3.2.12 - TazmiDev/CVE-2026-36239
π¨ CVE-2026-38930
OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter.
π@cveNotify
OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter.
π@cveNotify
π¨ CVE-2026-38931
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
π@cveNotify
A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
π@cveNotify
π¨ CVE-2026-36174
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
π@cveNotify
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-36175
An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence and injecting a crafted string into the kernel boot arguments.
π@cveNotify
An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence and injecting a crafted string into the kernel boot arguments.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-36176
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
π@cveNotify
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-36178
The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data.
π@cveNotify
The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-36180
A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack.
π@cveNotify
A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-36182
GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a bruteforce attack.
π@cveNotify
GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a bruteforce attack.
π@cveNotify
GitHub
IoT-Vulnerability-Research-Public/GNCC-GP5-T23/README.md at main Β· BadChemical/IoT-Vulnerability-Research-Public
Independent IoT security research, vulnerability disclosures, and PoCs focusing on firmware analysis, hardware interfaces, and cryptographic flaws. - BadChemical/IoT-Vulnerability-Research-Public
π¨ CVE-2026-14763
A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. This affects an unknown function of the file /admin/tour_reserves.php of the component Tour Reservations Page. This manipulation of the argument tour causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
π@cveNotify
A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. This affects an unknown function of the file /admin/tour_reserves.php of the component Tour Reservations Page. This manipulation of the argument tour causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
π@cveNotify
π¨ CVE-2026-14764
A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. This impacts an unknown function of the file /admin/add_event.php of the component Event Management Page. Such manipulation of the argument fdetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. This impacts an unknown function of the file /admin/add_event.php of the component Event Management Page. Such manipulation of the argument fdetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
π¨ CVE-2024-40582
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information.
π@cveNotify
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information.
π@cveNotify
Medium
Exploiting VMS Vulnerabilities to Access Confidential DataβββCVE-2024β40582 & CVE-2024β40583
TALE OF CUROVMSβββversionβββ2.0.1
π¨ CVE-2024-40583
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials.
π@cveNotify
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials.
π@cveNotify
Medium
Exploiting VMS Vulnerabilities to Access Confidential DataβββCVE-2024β40582 & CVE-2024β40583
TALE OF CUROVMSβββversionβββ2.0.1