CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setRemoteCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the enable argument can lead to OS command injection.
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521 in the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulating the argument enable results in os command injection.
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument provider leads to OS command injection.
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, concerning the setScheduleCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the mode argument can lead to OS command injection.
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521 in the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi in the Web Management Interface. Manipulating the argument resetFlags leads to OS command injection.
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setLanguageCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulation of the lang argument leads to OS command injection.
A vulnerability was identified in Totolink A8000RU version 7.1cu.643_b20200521 affecting the function setTracerouteCfg in the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument command leads to OS command injection.
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521, affecting the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument ip results in OS command injection.
Dolibarr ERP CRM version 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
userSpice version 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint.
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
Deserializacja nieufnych danych w Microsoft Planetary Computer Pro umożliwia nieautoryzowanemu atakującemu ujawnienie informacji przez sieć.
Microsoft Copilot has improper neutralization of special elements used in commands, leading to command injection vulnerability. This allows an unauthorized attacker to perform tampering over a network.
Azure Orbital Spatio has an unrestricted file upload vulnerability that allows an unauthorized attacker to execute code over a network.
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
A vulnerability in Microsoft Azure Active Directory B2C allows authentication bypass using an alternate path or channel, enabling an unauthorized attacker to elevate privileges over a network.
Microsoft Power Pages has a command injection vulnerability due to improper neutralization of special elements. This allows an unauthorized attacker to execute code over a network.
All versions of PCManFM-Qt starting from 1.1.0 have an issue where a regular file's path passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call causes PCManFM-Qt to delegate to a different program without user confirmation. This could lead to code execution or circumventing network namespace restrictions.
Typebot is a chatbot builder tool that in versions 3.15.2 and prior has a vulnerability allowing unauthenticated users to perform a Server-Side Request Forgery (SSRF) attack by supplying a custom typebot definition with server-side code blocks. The fetch function in the isolated environment does not validate the URL, allowing SSRF mitigations to be bypassed.

