5.1

CVSS4.0

CVE-2026-27756 - SODOLA SL902-SWTGW124AS <= 200.1.20 Reflected XSS in Management Interface

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. Attackers can craft malicious URLs that execute arbitrary JavaScript in the web interface when visite…

📅 Published: Feb. 27, 2026, 6:10 p.m. 🔄 Last Modified: April 17, 2026, 2 p.m.

9.3

CVSS4.0

CVE-2026-27755 - SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5-based cookies. Attackers who know or guess valid credentials can calculate the session identifier …

📅 Published: Feb. 27, 2026, 6:09 p.m. 🔄 Last Modified: April 16, 2026, 3:30 p.m.

6.9

CVSS4.0

CVE-2026-27754 - SODOLA SL902-SWTGW124AS <= 200.1.20 MD5 Session Token Generation

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5's collision vulnerabilities to forge valid session cookies and …

📅 Published: Feb. 27, 2026, 6:09 p.m. 🔄 Last Modified: April 16, 2026, 3:30 p.m.

6.9

CVSS4.0

CVE-2026-27753 - SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limitin…

📅 Published: Feb. 27, 2026, 6:09 p.m. 🔄 Last Modified: April 17, 2026, 2 p.m.

8.2

CVSS4.0

CVE-2026-27752 - SODOLA SL902-SWTGW124AS <= 200.1.20 Cleartext Credential Transmission

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain administr…

📅 Published: Feb. 27, 2026, 6:08 p.m. 🔄 Last Modified: April 16, 2026, 3:30 p.m.

9.3

CVSS4.0

CVE-2026-27751 - SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to …

📅 Published: Feb. 27, 2026, 6:07 p.m. 🔄 Last Modified: April 16, 2026, 3:30 p.m.

2

CVSS4.0

CVE-2026-21619 - Unsafe Deserialization of Erlang Terms in hex_core

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.…

📅 Published: Feb. 27, 2026, 5:57 p.m. 🔄 Last Modified: April 16, 2026, midnight

8.8

CVSS4.0

CVE-2019-25497 - osCommerce 2.3.4.1 SQL Injection via currency Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection …

📅 Published: Feb. 27, 2026, 5:23 p.m. 🔄 Last Modified: April 7, 2026, 2:04 p.m.

8.8

CVSS4.0

CVE-2019-25496 - osCommerce 2.3.4.1 SQL Injection via products_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payl…

📅 Published: Feb. 27, 2026, 5:23 p.m. 🔄 Last Modified: April 7, 2026, 2:04 p.m.

8.8

CVSS4.0

CVE-2019-25495 - osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQ…

📅 Published: Feb. 27, 2026, 5:23 p.m. 🔄 Last Modified: April 7, 2026, 2:04 p.m.