6.9

CVSS4.0

CVE-2026-4191 - JawherKl node-api-postgres Profile Picture index.js path.extname unrestricted upload

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack can be carried out remotely. The exploit has been published and may…

📅 Published: March 15, 2026, 8:02 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

6.9

CVSS4.0

CVE-2026-4190 - JawherKl node-api-postgres user.js User.getAll sql injection

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was cont…

📅 Published: March 15, 2026, 7:32 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

5.1

CVSS4.0

CVE-2026-4189 - phpipam Section edit-result.php sql injection

A weakness has been identified in phpipam up to 1.7.4. The impacted element is an unknown function of the file app/admin/sections/edit-result.php of the component Section Handler. Executing a manipulation of the argument subnetOrdering can lead to sql injection. The attack may be launched remotely.…

📅 Published: March 15, 2026, 7:32 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

8.7

CVSS4.0

CVE-2026-4188 - D-Link DIR-619L boa formSchedule stack-based overflow

A security flaw has been discovered in D-Link DIR-619L 2.06B01. The affected element is the function formSchedule of the file /goform/formSchedule of the component boa. Performing a manipulation of the argument curTime results in stack-based buffer overflow. The attack may be initiated remotely. Th…

📅 Published: March 15, 2026, 7:32 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

6.9

CVSS4.0

CVE-2026-4187 - Tiandy Easy7 Integrated Management Platform Device Identifier UpdateLocalDevInfo.jsp missing authen…

A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The a…

📅 Published: March 15, 2026, 7:02 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

5.1

CVSS4.0

CVE-2026-4186 - UEditor JSONP Callback controller.php cross site scripting

A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely…

📅 Published: March 15, 2026, 7:02 p.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

8.8

CVSS4.0

CVE-2015-20120 - RealtyScript 4.0.2 Multiple Time-based Blind SQL Injection

Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extract database information by injecting SQL code into application parameters. Attackers can craft requests with time-delay payloads to infer database con…

📅 Published: March 15, 2026, 6:35 p.m. 🔄 Last Modified: March 23, 2026, 2:01 p.m.

8.7

CVSS4.0

CVE-2017-20220 - Serviio PRO 1.8 Unauthenticated Password Change via REST API

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

📅 Published: March 15, 2026, 6:34 p.m. 🔄 Last Modified: April 15, 2026, 2:56 p.m.

5.1

CVSS4.0

CVE-2017-20219 - Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to docume…

📅 Published: March 15, 2026, 6:34 p.m. 🔄 Last Modified: April 15, 2026, 2:56 p.m.

8.5

CVSS4.0

CVE-2017-20218 - Serviio PRO 1.8 Local Privilege Escalation via Unquoted Path

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users grou…

📅 Published: March 15, 2026, 6:34 p.m. 🔄 Last Modified: April 15, 2026, 2:56 p.m.