CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-9406
Critical

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setRemoteCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the enable argument can lead to OS command injection.

CVE-2026-9405
Critical

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521 in the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulating the argument enable results in os command injection.

CVE-2026-9404
Critical

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument provider leads to OS command injection.

CVE-2026-9388
Critical

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, concerning the setScheduleCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the mode argument can lead to OS command injection.

CVE-2026-9387
Critical

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521 in the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi in the Web Management Interface. Manipulating the argument resetFlags leads to OS command injection.

CVE-2026-9386
Critical

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setLanguageCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulation of the lang argument leads to OS command injection.

CVE-2026-9385
Critical

A vulnerability was identified in Totolink A8000RU version 7.1cu.643_b20200521 affecting the function setTracerouteCfg in the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument command leads to OS command injection.

CVE-2026-9384
Critical

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521, affecting the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the Web Management Interface. Manipulation of the argument ip results in OS command injection.

CVE-2018-25357
Critical

Dolibarr ERP CRM version 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

CVE-2018-25350
Critical

userSpice version 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint.

CVE-2026-47280
Critical

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-42901
Critical

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-41104
Critical

Deserializacja nieufnych danych w Microsoft Planetary Computer Pro umożliwia nieautoryzowanemu atakującemu ujawnienie informacji przez sieć.

CVE-2026-41090
Critical

Microsoft Copilot has improper neutralization of special elements used in commands, leading to command injection vulnerability. This allows an unauthorized attacker to perform tampering over a network.

CVE-2026-40412
Critical

Azure Orbital Spatio has an unrestricted file upload vulnerability that allows an unauthorized attacker to execute code over a network.

CVE-2026-40411
Critical

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.

CVE-2026-33843
Critical

A vulnerability in Microsoft Azure Active Directory B2C allows authentication bypass using an alternate path or channel, enabling an unauthorized attacker to elevate privileges over a network.

CVE-2026-23652
Critical

Microsoft Power Pages has a command injection vulnerability due to improper neutralization of special elements. This allows an unauthorized attacker to execute code over a network.

CVE-2026-48700
Critical

All versions of PCManFM-Qt starting from 1.1.0 have an issue where a regular file's path passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call causes PCManFM-Qt to delegate to a different program without user confirmation. This could lead to code execution or circumventing network namespace restrictions.

CVE-2026-33712
Critical

Typebot is a chatbot builder tool that in versions 3.15.2 and prior has a vulnerability allowing unauthenticated users to perform a Server-Side Request Forgery (SSRF) attack by supplying a custom typebot definition with server-side code blocks. The fetch function in the isolated environment does not validate the URL, allowing SSRF mitigations to be bypassed.

PreviousPage 67 of 558Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS