10
CVE-2025-34060 - Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery
A PHP object injection vulnerability exists in the Monero Project's Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using…
8.7
CVE-2025-34059 - Dahua Smart Cloud Gateway Registration Management Platform SQL Injection
An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements an…
8.7
CVE-2025-34058 - Hikvision Streaming Media Management Server Default Credentials and Authenticated Arbitrary File Re…
Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpo…
8.3
CVE-2025-34066 - AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure
An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks.
6.9
CVE-2025-34065 - AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via /nobody URL Path
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls.
9.4
CVE-2025-34056 - AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without pr…
9.4
CVE-2025-34055 - AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution
An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed direc…
10
CVE-2025-34054 - AVTECH DVR Devices Unauthenticated Command Injection
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root.
6.9
CVE-2025-34053 - AVTECH IP camera, DVR, and NVR Devices Authentication Bypass via .cab Path Manipulation
An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints.
6.9
CVE-2025-34052 - AVTECH IP camera, DVR, and NVR Devices Unauthenticated Information Disclosure
An unauthenticated information disclosure vulnerability exists in AVTECH IP cameras, DVRs, and NVRs via Machine.cgi?action=get_capability. Sensitive internal device information such as firmware version, MAC address, and codec support can be accessed without authentication.