8.7
CVE-2023-7307 - Sangfor Behavior Management System XML External Entity Injection
Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity d…
10
CVE-2024-13984 - Qi'anxin TianQing Management Center rptsvr Arbitrary File Upload
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter …
10
CVE-2024-13981 - LiveBos UploadFile.do Arbitrary File Upload
LiveBOS, an object-oriented business architecture middleware suite developed by Apex Software Co., Ltd., contains an arbitrary file upload vulnerability in its UploadFile.do;.js.jsp endpoint. This flaw affects the LiveBOS Server component and allows unauthenticated remote attackers to upload crafte…
10
CVE-2024-13980 - H3C Intelligent Management Center (iMC) /byod/index.xhtml RCE
H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contain a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters,…
10
CVE-2025-34163 - Dongsheng Logistics Software Unauthenticated Arbitrary File Upload
Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request.…
10
CVE-2018-25115 - D-Link DIR-110/412/600/615/645/815 RCE via service.cgi
Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from im…
10
CVE-2023-7309 - Dahua Smart Park Integrated Management Platform Front-End Arbitrary File Upload
A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files …
10
CVE-2024-13985 - Dahua EIMS capture_handle.action RCE
A command injection vulnerability in Dahua EIMS versions prior to 2240008 allows unauthenticated remote attackers to execute arbitrary system commands via the capture_handle.action interface. The flaw stems from improper input validation in the captureCommand parameter, which is processed without s…
9.3
CVE-2025-34162 - Bian Que Feijiu Intelligent Emergency and Quality Control System SQL Injection via GetLyfsByParams
An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in …
10
CVE-2025-34160 - AnyShare ServiceAgent API Unauthenticated RCE
AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The endpoint /api/ServiceAgent/start_service accepts user-supplied input via POST and fails to sanitize command-like payloads. An attacker can inject shell syntax that is …