2.7
CVE-2026-0925 - Tanium addressed an improper input validation vulnerability in Discover.
Tanium addressed an improper input validation vulnerability in Discover.
7.1
CVE-2026-24435 - Tenda W30E V2 Permissive CORS Allows Cross-origin Data Access
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allo…
2.1
CVE-2026-24439 - Tenda W30E V2 Lacks X-Content-Type-Options Header
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable scr…
4
CVE-2025-57784 - Tomahawk authentication timing attack due to usage of 'strcmp'
A Tomahawk authentication timing attack due to the use of `strcmp` has been identified in Hiawatha webserver version 11.7, which allows a local attacker to access the management client.
5.1
CVE-2026-24432 - Tenda W30E V2 Missing CSRF Protections for Administrative Actions
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered…
6.5
CVE-2025-57785 - Double free in XSLT in 'show_index'
A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.
5.3
CVE-2025-57783 - Improper header parsing may lead to request smuggling
Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver.
5.1
CVE-2020-36960 - Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by…
8.5
CVE-2020-36959 - IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account p…
8.5
CVE-2020-36958 - Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate pr…