8.8
CVE-2026-30711 - Authenticated SQL Injection in Devome GRR Session Handling
Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent.
9.8
CVE-2025-67112 - Hardโcoded AESโ256 Key Enables Remote Decryption, Modification, and Privilege Escalation in Freedomโฆ
Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt device configurations, enabling credential manipulatioโฆ
9.8
CVE-2026-30694 - Remote Code Execution via array_filter in DedeCMS v5.7.118 and Earlier
An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
7.5
CVE-2026-30403 -
There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim's server.
9.8
CVE-2025-67114 - Deterministic Credential Generation Exposes Administrative Credentials in Sercomm SCE4255W Small Ceโฆ
Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass aโฆ
7.5
CVE-2026-30404 -
The backend database management connection test feature in wgcloud v3.6.3 has a server-side request forgery (SSRF) vulnerability. This issue can be exploited to make the server send requests to probe the internal network, remotely download malicious files, and perform other dangerous operations.
6.5
CVE-2026-4426 - Libarchive: libarchive: denial of service via malformed iso file processing
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead โฆ
7.5
CVE-2026-4424 - Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR arcโฆ
7.5
CVE-2026-25667 -
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
9.8
CVE-2025-67113 -
OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted TR-069 Download URL that is passed unescaped intoโฆ