9.3
CVE-2026-26369 - JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup
eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their acβ¦
8.7
CVE-2026-26368 - JUNG eNet SMART HOME server 2.2.1/2.3.1 Account Takeover via resetUserPassword
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without β¦
7.1
CVE-2026-26367 - JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce roleβ¦
9.3
CVE-2026-26366 - JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials
eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitivβ¦
0.0
CVE-2008-20003 -
This CVE has the been REJECTED and will not be published by the CNA.
4.8
CVE-2019-25377 - OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the contβ¦
5.1
CVE-2019-25376 - OPNsense 19.1 Reflected XSS via proxy endpoint
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL β¦
5.1
CVE-2019-25375 - OPNsense 19.1 Reflected XSS via monit interface
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parametβ¦
5.1
CVE-2019-25374 - OPNsense 19.1 Reflected XSS via vpn_ipsec_settings.php
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to exeβ¦
5.1
CVE-2019-25373 - OPNsense 19.1 Stored XSS via firewall_rules_edit.php
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to executeβ¦