H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with an…

D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_info.htm.

DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function.

RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the username parameter at /resource/runlogin.php.

In the Linux kernel, the following vulnerability has been resolved: media: aspeed: Fix memory overwrite if timing is 1600x900 When capturing 1600x900, system could crash when system memory usage is tight. The way to reproduce this issue: 1. Use 1600x900 to display on host 2. Mount ISO through 'V…

Sourcecodester Simple Forum Website v1.0 has a SQL injection vulnerability in /php-sqlite-forum/?page=manage_user&id=.

RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the articleid parameter at /default/article.php.

DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the value parameter in the filter_string function.

D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via sub47A60C function in the upgrade_filter.asp file

tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.